Spam, specifically posing as a bank

I know generally it is simply a matter of filtering the stuff, but in
the past 2 weeks I've got emails from "Citibank" and "USBank",
with links to what is supposed to appear to be the bank, but are
actually links to a Korean site.

When I got the one from Citibank, I notified Citigroups, and abuse at
the site gathered from 'whois' (The link included the IP address.)
BTW, Citigroups told me to forward a copy, it bounced with something
like Virus warning: illegal redirect or something similar, so I guess
they scan for the exploit.

Now while I have my Citibank acct listed with Ebay, I've not done any
business with US Bank online, so I'm at a loss as to where they got the
info I have accts with them (unless the banks sold them a list.)

Is it a waste of time to report this junk? While I assume they get
plenty of reports from others, is there anyone else I should be
reporting this stuff to? And is anyone/everyone else getting the same
BS.

Thanks,

Michael C.
--
(E-Mail Removed) http://mcsuper5.freeshell.org/
Registered Linux User #303915 http://counter.li.org/

"Michael C." <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)

> Now while I have my Citibank acct listed with Ebay, I've not done any
> business with US Bank online, so I'm at a loss as to where they got
> the info I have accts with them (unless the banks sold them a list.)

The spam doesn't really target "customers" of the particular bank, it
targets at least hundreds of thousands of email addresses (as all spam does)
with the certain knowledge that at least a few of them will have accounts at
the bank.

It was a pure coincidence that you happened to have an account at one of
them.


tony

--
use hotmail for any email replies



-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----

On Sun, 18 Jan 2004 15:09:09 -0800,
ynotssor <> wrote:
>
> The spam doesn't really target "customers" of the particular bank, it
> targets at least hundreds of thousands of email addresses (as all spam does)
> with the certain knowledge that at least a few of them will have accounts at
> the bank.
>
> It was a pure coincidence that you happened to have an account at one of
> them.
>
Actually, both. I hadn't done anything online with US Bank, and I
hadn't seen it from other banks, not yet at any rate. Coincidence I
guess.

Michael C.
--
(E-Mail Removed) http://mcsuper5.freeshell.org/
Registered Linux User #303915 http://counter.li.org/

"Michael C." <(E-Mail Removed)> quoted and wrote in message
news:(E-Mail Removed)

>> The spam doesn't really target "customers" of the particular bank,
>> it targets at least hundreds of thousands of email addresses (as
>> all spam does) with the certain knowledge that at least a few of
>> them will have accounts at the bank.
>>
>> It was a pure coincidence that you happened to have an account at
>> one of them.
>>
> Actually, both. I hadn't done anything online with US Bank, and I
> hadn't seen it from other banks, not yet at any rate. Coincidence I
> guess.

What's unfortunate is there will probably be at least a few recipients that
open the forged site and enter their personal banking information, which of
course is one of the many methods of identity theft that exist in the world.


tony

--
use hotmail for any email replies



-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----

Said SPAM reached the SpamBayes email list this morning.
I am dead-certain that "The SpamBayes Email List" does not hold an account with U.S. Bank.

(sigh)
Spammers are generally as dumb as a brick.
Unfortunately they're profiting because enough people are *dumber* than a brick.

Phil P

In article <(E-Mail Removed)>, (E-Mail Removed) says...
> On Sun, 18 Jan 2004 15:09:09 -0800,
> ynotssor <> wrote:
> >
> > The spam doesn't really target "customers" of the particular bank, it
> > targets at least hundreds of thousands of email addresses (as all spam does)
> > with the certain knowledge that at least a few of them will have accounts at
> > the bank.
> >
> > It was a pure coincidence that you happened to have an account at one of
> > them.
> >
> Actually, both. I hadn't done anything online with US Bank, and I
> hadn't seen it from other banks, not yet at any rate. Coincidence I
> guess.
>
> Michael C.
>

Michael C. <(E-Mail Removed)> wrote:
> I know generally it is simply a matter of filtering the stuff, but in
> the past 2 weeks I've got emails from "Citibank" and "USBank",
> with links to what is supposed to appear to be the bank, but are
> actually links to a Korean site.

This sounds like an extension of the ebay spoof. These spoofs pretend
to be from ebay and ask you to update your account details at the
ebay site "for security purposes". They have URLs whose text portion
says http://www.ebay.com, but whose real URL is something different!

> When I got the one from Citibank, I notified Citigroups, and abuse at
> the site gathered from 'whois' (The link included the IP address.)
> BTW, Citigroups told me to forward a copy, it bounced with something

No - you mailed it wrong, or they told you wrong. Of course their spam
harvester does not bounce spams!

> like Virus warning: illegal redirect or something similar, so I guess
> they scan for the exploit.

Nonsense! Do it again, properly.

> Now while I have my Citibank acct listed with Ebay, I've not done any

That's probably where it came from. Perhaps you were fooled by an
earlier ebay spoof?

> business with US Bank online, so I'm at a loss as to where they got the
> info I have accts with them (unless the banks sold them a list.)
>
> Is it a waste of time to report this junk? While I assume they get

No, it'simportant that you do, if only to protect yourself!

> plenty of reports from others, is there anyone else I should be
> reporting this stuff to? And is anyone/everyone else getting the same

Ebay and citibank are appropriate. They will take care of the
traceback.

(the ebay address is something like (E-Mail Removed), as I recall, not
abuse).

Peter

On 18 Jan 2004 22:48:22 GMT, "Michael C." <(E-Mail Removed)> wrote:

>I know generally it is simply a matter of filtering the stuff, but in
>the past 2 weeks I've got emails from "Citibank" and "USBank",
>with links to what is supposed to appear to be the bank, but are
>actually links to a Korean site.
>
>When I got the one from Citibank, I notified Citigroups, and abuse at
>the site gathered from 'whois' (The link included the IP address.)
>BTW, Citigroups told me to forward a copy, it bounced with something
>like Virus warning: illegal redirect or something similar, so I guess
>they scan for the exploit.
>
>Now while I have my Citibank acct listed with Ebay, I've not done any
>business with US Bank online, so I'm at a loss as to where they got the
>info I have accts with them (unless the banks sold them a list.)
>
>Is it a waste of time to report this junk? While I assume they get
>plenty of reports from others, is there anyone else I should be
>reporting this stuff to? And is anyone/everyone else getting the same
>BS.
>
>Thanks,
>
>Michael C.

See "Phishing" in recent news... it's the latest scam. Probably a
waste of time reporting, but maybe not.. But what you need to
remember is to NEVER EVER respond.

A decent spam filter will probably stop them before you see them.

Mike-

Mornings: Evolution in action. Only the grumpy will survive.
-----------------------------------------------------

Please note - Due to the intense volume of spam, we have
installed site-wide spam filters at catherders.com. If
email from you bounces, try non-HTML, non-encoded,
non-attachments.


----== Posted via Newsfeed.Com - Unlimited-Uncensored-Secure Usenet News==----
http://www.newsfeed.com The #1 Newsgroup Service in the World! >100,000 Newsgroups
---= 19 East/West-Coast Specialized Servers - Total Privacy via Encryption =---

On Mon, 19 Jan 2004 00:10:27 GMT, (E-Mail Removed) (P.T. Breuer)
wrote:
>Michael C. <(E-Mail Removed)> wrote:
>> I know generally it is simply a matter of filtering the stuff, but in
>> the past 2 weeks I've got emails from "Citibank" and "USBank",
>> with links to what is supposed to appear to be the bank, but are
>> actually links to a Korean site.
>
>This sounds like an extension of the ebay spoof. These spoofs pretend
>to be from ebay and ask you to update your account details at the
>ebay site "for security purposes". They have URLs whose text portion
>says http://www.ebay.com, but whose real URL is something different!

Yup, always check for an at-sign in any URL. Everything before the
'@' is mostly ignored (it's intended to be used for user name and
password, though it can also be used to pass info to scripts). The
real address is as follows. (I'm sure that almost everyone reading
this groups knows this already, but just in case it never hurts to
point it out again). The latest trick also exploits a flaw in
internet explorer (known and I believe it's been fixed, though I don't
use IE so I don't know for sure) which obscures the URL in the address
bar.

>> When I got the one from Citibank, I notified Citigroups, and abuse at
>> the site gathered from 'whois' (The link included the IP address.)
>> BTW, Citigroups told me to forward a copy, it bounced with something
>
>No - you mailed it wrong, or they told you wrong. Of course their spam
>harvester does not bounce spams!

Actually that's not the first time that I've heard of Citibank
bouncing samples of scam messages sent to them. I don't know if it's
just that they've changed the system and haven't told the people
answering the phones at the call centre or if this is somehow the
intended behavior (ie bounce scam messages that they've already seen
and know about).

>> Now while I have my Citibank acct listed with Ebay, I've not done any
>
>That's probably where it came from. Perhaps you were fooled by an
>earlier ebay spoof?

It's almost certain that it was purely a random coincidence. These
thieves just spam every address they can get their hands on in the
hopes that some will actually have an account with the particular
bank.

It's somewhat odd that the original poster happened to have an account
at the two banks for which he received the scam messages, but not to
out of the ordinary. Those are two of the largest banks in the US
(last I checked Citibank was the largest in the world), so therefore
they are the most targeted. Same thing as how AOL and Hotmail receive
the most spam because they have the most potential victims of scams,
places like eBay and Citibank are the most targeted for this type of
scam.

Phil Pierotti wrote:
> Said SPAM reached the SpamBayes email list this morning.
> I am dead-certain that "The SpamBayes Email List" does not hold an account with U.S. Bank.
>
> (sigh)
> Spammers are generally as dumb as a brick.
> Unfortunately they're profiting because enough people are *dumber* than a brick.

On the contrary. They're in the "evil genius" category.

As already said, you sent 100 million e-mails with the
certainty that 90 million of them will be ignored up
front (since 90 million of those people don't have an
account on whatever bank, or more in general, don't
fit the whatever description they put). Ok, so what?
From the remaining 10 million, maybe 10% will fall for
the letter -- that's 1 million victims of your trickery.

You know, it's like, do the following experiment: send
100 million "threatening" e-mails saying something like
"I know who you are. I know where you live. We are
watching you; we know that yesterday you went for
lunch to McDonalds with your wife and your two kids,
in your blue Ford Focus. So, do <fill-in-the-blank>,
or we are going to hurt you"

Soudns ridiculous, huh? Well, how many people do
you think have a blue Ford Focus, wife, two kids and
that particular day went for lunch at McDonalds with
their kids? Sounds like very specific, but I'm betting
that the number is at least in the several thousands.
Taking into account how many of those were on your
list of e-mails, etc., maybe you'll get a few hundred
hits. That's still quite effective, don't you think?

The example is hypothetical and most likely impractical;
you know, what could they ask you to do? Ransom? What,
deposit some ransom in a certain bank account? That
would be ridiculous, and whatever else they do, they're
bound to be caught by the authorities. Still, maybe a
few people will fall for it before the authorities are
warned, and by then the criminals will have disappeared
without a trace.

But you know, it was an example -- imagine yourself
receiving an e-mail describing *in detail* your situation
and what you did the day before! You will certainly
panick and believe they indeed know you and have been
spying on you; you won't stop and think that -- hey,
maybe I'm nothing more than 1 in the 10 million people
that have two kids and did whatever activity yesterday...

So, no, spammers and perpetrators of frauds like that
are *very far* from dumb! They're possibly in the top
5% of IQ on the planet (very sadly, I must add :-( )

Carlos
--

Some Hoser wrote:
<snip>
> Yup, always check for an at-sign in any URL. Everything before the
> '@' is mostly ignored (it's intended to be used for user name and
> password, though it can also be used to pass info to scripts). The
> real address is as follows. (I'm sure that almost everyone reading
> this groups knows this already, but just in case it never hurts to
> point it out again). The latest trick also exploits a flaw in
> internet explorer (known and I believe it's been fixed, though I don't
> use IE so I don't know for sure) which obscures the URL in the address
> bar.

No, this has *not* been fixed. It's due to 0x01 truncating URL's in the
URL bar -- all characters after this are not shown. MS may get to fixing
this, uh, this month? next month?