Every once in a while you get to see a really poorly crafted
phishing attempt land on your account. Surprisingly, there are not enough
examples of poorly crafted phishing attempts on the internet, so here
is my contribution to the body of knowledge on really poorly crafted
phishing attempts. Nothing has been edited to protect anyone.

The above image showed up in my e-mail inbox this morning, and I
really tried not to shoot coffee out my nose, but this is a great
example of a phishing attempt that is so transparent that no one should
fall for it. Here are all the mistakes.
If you look at the From e-mail address, service at service123.com,
you will note that this is not coming from a Bank of America account.
What was also interesting on this one was the To: line; usually this
line is blank, as these are sent BCC rather than To. With BCC you will
not know the recipients, unless the sender did something really stupid.
Another great tip-off was the word BANK spelled out B A N K rather than Bank as we would expect.
The URL is even better. They should have masked this one,
but instead they showed off something that, when reviewed,
tries to drop an amazing number of malware programs (I counted 15 when
I isolated the URL and ran it on a VM image). The other problem with
the page is that it wasn’t even a mock-up of the Bank of America web
site; anyone going there, beyond having their computer fight off malware,
would have seen right through this one, as the page was just a blank
white page. It was designed to deliver malware, not necessarily to capture credentials.
The spelling and grammar, for a change, were OK, but if you see
something like this, sometimes the use of the English language would
give a grammar aficionado a heart attack.
This was also not designed to bypass spam filters, which is
interesting, as most phishing attempts contain information that is
designed to bypass spam filters. What was also interesting about this
one was the header information that came with it.
Received: from mail08a.verio.de ([213.198.55.73]) by My Mail Systems with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 15 Jul 2009 11:47:16 -0700
Received: from mx104.stngva01.us.mxservers.net (198.173.112.41)
by mail08a.verio.de (RS ver 1.0.95vs) with SMTP id 2-0423283617
for ; Wed, 15 Jul 2009 20:46:58 +0200 (CEST)
Received: from unknown [213.198.107.10] (EHLO mmm818.verio.de)
by va1-mx104.stngva01.us.mxservers.net (mxl_mta-3.1.0-05)
with ESMTP id 2242e5a4.2574257056.106226.00-001.va1-mx104.stngva01.us.mxservers.net (envelope-from );
Wed, 15 Jul 2009 14:46:58 -0400 (EDT)
Received: (qmail 43723 invoked from network); 15 Jul 2009 18:46:57 -0000
Received: from unknown (HELO User) (admin@86.47.46.147)
by with ESMTPA; 15 Jul 2009 18:46:57 -0000
From: "Support"
Subject: Bank of America Notification.
Date: Wed, 15 Jul 2009 19:46:57 +0100
X-Spam: [F=0.2985781991; S=0.200(2009070901); MH=0.630(2009071524)]
X-MAIL-FROM:
X-SOURCE-IP: [213.198.107.10]
To:undisclosed-recipients:;
Message-ID:<20090715204658.GA42328@mail08a.verio.de>
X-SF-Loop: 1
Return-Path: service@service123.com
X-OriginalArrivalTime: 15 Jul 2009 18:47:16.0661 (UTC) FILETIME=[ACCBEE50:01CA057C]
The part that caught my attention was this:
Received: from unknown [213.198.107.10] (EHLO mmm818.verio.de)
This is classic spam-bot behavior for injecting e-mail into an open
relay or other system. I doubt that Bank of America is sending mail from Germany (.de).
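As an added example (not part of the original post), here is a small Python script that walks the Received chain above from the origin hop upward and flags the tells discussed here: a peer the receiving MTA logged as "unknown" (no reverse DNS), a HELO name that is not a hostname, and a Return-Path domain that does not belong to the brand named in the Subject. The header block is reconstructed from the post, and the brand-to-domain mapping is an assumption.

```python
import re
from email import message_from_string

# Header block constructed from the post above; the angle-bracketed addresses
# the page lost (e.g. "for ;", "by with") are left as they appear.
RAW_HEADERS = """\
Received: from mail08a.verio.de ([213.198.55.73]) by My Mail Systems with Microsoft SMTPSVC(6.0.3790.3959);
 Wed, 15 Jul 2009 11:47:16 -0700
Received: from mx104.stngva01.us.mxservers.net (198.173.112.41)
 by mail08a.verio.de (RS ver 1.0.95vs) with SMTP id 2-0423283617
 for ; Wed, 15 Jul 2009 20:46:58 +0200 (CEST)
Received: from unknown [213.198.107.10] (EHLO mmm818.verio.de)
 by va1-mx104.stngva01.us.mxservers.net (mxl_mta-3.1.0-05)
 with ESMTP id 2242e5a4.2574257056.106226.00-001.va1-mx104.stngva01.us.mxservers.net (envelope-from );
 Wed, 15 Jul 2009 14:46:58 -0400 (EDT)
Received: (qmail 43723 invoked from network); 15 Jul 2009 18:46:57 -0000
Received: from unknown (HELO User) (admin@86.47.46.147)
 by with ESMTPA; 15 Jul 2009 18:46:57 -0000
From: "Support"
Subject: Bank of America Notification.
Return-Path: service@service123.com
"""
# Assumed legitimate sending domain for the brand named in the Subject.
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com"}}
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"\(E?HELO ([^)\s]+)\)")
FROM_RE = re.compile(r"^from (\S+)")

def first(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None

def analyze(raw):
    msg = message_from_string(raw)
    # Each MTA prepends its own Received line, so the last one is the origin.
    hops = [" ".join(v.split()) for v in reversed(msg.get_all("Received", []))]
    findings = []
    for n, hop in enumerate(hops, 1):
        src, helo, ip = first(FROM_RE, hop), first(HELO_RE, hop), first(IP_RE, hop)
        if src == "unknown":  # receiving MTA could not reverse-resolve the peer
            findings.append(f"hop {n}: peer {ip} has no reverse DNS ('unknown')")
        if helo and "." not in helo:  # real MTAs announce a FQDN, not "User"
            findings.append(f"hop {n}: HELO name {helo!r} is not a hostname")
    rp_domain = (msg.get("Return-Path") or "").strip("<> ").rpartition("@")[2].lower()
    subject = (msg.get("Subject") or "").lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in subject and rp_domain not in domains:
            findings.append(f"Return-Path domain {rp_domain!r} is not a {brand} domain")
    origin_ip = next((first(IP_RE, h) for h in hops if first(IP_RE, h)), None)
    return {"origin_ip": origin_ip, "return_path_domain": rp_domain, "findings": findings}
```

Run against these headers it reports four findings, with the origin hop being the authenticated submission from 86.47.46.147 that announced itself as "User".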
All in all, not even a good attempt at a phishing exercise, but it is good to have one that is so easily torn apart and reviewed.
(Cross-posted @ IT Toolbox)