Fraudulent Mail

From RSWiki

Fraudulent mail claiming to come from Irish Banks

No Irish bank will ever contact you by e-mail. Never. If you get an e-mail claiming to be from a bank, Irish or otherwise, then you can be 100% certain that it is forged and you should delete it straight away.

Each of the main Irish banks has its own page regarding fraudulent mails:

Recent Phishing Attempts

AIB

Received 16th September 2009 - Claims that AIB are launching a Customer Satisfaction Program and are offering 10000 free cheques. The mail has an attachment that the viewer is required to click on. Purports to be from enroll@aib.ie

Mail Path:

Received: (vpopmail 5344 invoked by uid 16); 16 Sep 2009 14:41:00 +0100
Received: (qmail 5238 messnum 885685 invoked from network[64.40.221.15/postal.wtconnect.com]); 16 Sep 2009 13:40:59 -0000
Received: from postal.wtconnect.com (64.40.221.15)
  by mail20.svc.cra.dublin.eircom.net (qp 5238) with SMTP; 16 Sep 2009 13:40:59 -0000
X-MagicMail-UUID: 8fab7ac4-a2c6-11de-934b-00e081402d32
Received: (qmail 21798 invoked from network); 16 Sep 2009 13:40:56 -0000
Received: from unknown (HELO aib.ie) (dante@wtconnect.com@67.202.3.66)
	by postal.wtconnect.com with SMTP; Wed, 16 Sep 2009 08:40:56 -0500

64.40.221.15 is in Texas, United States. The attachment is almost identical to the ones previously received. It attempts to send any information submitted to facemanuela.com, which is 165.228.78.187 and located in Canberra, Australia.




Received 15th September 2009 - Claims that AIB are launching a Customer Satisfaction Program and are offering 10000 free cheques. The mail has an attachment that the viewer is required to click on.

Mail Path:

Received: (qmail 21552 messnum 5604273 invoked from network[62.250.3.55/relay55.tele2.vuurwerk.nl]); 15 Sep 2009 14:55:12 -0000
Received: from relay55.tele2.vuurwerk.nl (HELO relay.versatel.net) (62.250.3.55)
 by mail25.svc.cra.dublin.eircom.net (qp 21552) with SMTP; 15 Sep 2009 14:55:12 -0000
Received: from [82.175.69.251] (helo=gizom.nl)
	by relay.versatel.net with esmtp (Exim 4.69)
	(envelope-from <win@aib.ie>)


The attachment is crafted so that it pulls legitimate images from AIB's website and contains a form that will attempt to send any information filled in to capcode2.pck.nerim.net (213.41.255.74), located in France.




Received 14th September 2009 - Claims that AIB are launching a Customer Satisfaction Program and are offering 10000 free cheques. The mail has an attachment that the viewer is required to click on.

Mail Path:

Received: (vpopmail 22270 invoked by uid 16); 14 Sep 2009 08:29:42 +0100
Received: (qmail 22258 messnum 435189 invoked from network[62.193.238.86/wpc2071.amenworld.com]); 14 Sep 2009 07:29:41  -0000
Received: from wpc2071.amenworld.com (HELO preprod.groupeleduff.com) (62.193.238.86)
  by mail19.svc.cra.dublin.eircom.net (qp 22258) with SMTP; 14 Sep 2009 07:29:41 -0000 
Received: from aib.ie ([67.202.3.66]) by preprod.groupeleduff.com with MailEnable ESMTP; Mon, 14 Sep 2009 09:35:01 +0200

The attachment is crafted so that it pulls legitimate images from AIB's website and contains a form that will attempt to send any information filled in to a webmail account on 212.34.154.2, which is in Madrid, Spain.




Received 11th September 2009 - Claims that AIB are launching a new Anti-Phishing site and requires you to confirm your identity.

Mail Path:

Received: (vpopmail 27362 invoked by uid 16); 11 Sep 2009 14:03:34 +0100
Received: (qmail 27313 messnum 335556 invoked from network[216.122.144.114/safetycertified.com]); 11 Sep 2009 13:03:34 -0000
Received: from safetycertified.com (HELO mail.safetycertified.com) (216.122.144.114)
 by mail19.svc.cra.dublin.eircom.net (qp 27313) with SMTP; 11 Sep 2009 13:03:34 -0000
Received: from ec2-174-129-176-254.compute-1.amazonaws.com [174.129.176.254] by mail.safetycertified.com with SMTP;
  Fri, 11 Sep 2009 09:03:04 -0400

The mail contains a link that you are prompted to click on to confirm your identity. The hyperlink points to an address in an ISP's address pool, in this case Hinet in Taiwan.
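
The mail paths above can be read mechanically. The following is an added example, not part of the original wiki page: it parses the Received lines of the 16th September 2009 sample into relay hops and flags any hop whose HELO claims aib.ie while the recorded client name does not. The function names and the dictionary layout are assumptions made for this illustration.

```python
import re

# Received headers of the 16 September 2009 sample above, newest first,
# with continuation lines unfolded onto one line each.
SAMPLE = [
    "Received: (vpopmail 5344 invoked by uid 16); 16 Sep 2009 14:41:00 +0100",
    "Received: (qmail 5238 messnum 885685 invoked from network[64.40.221.15/postal.wtconnect.com]); 16 Sep 2009 13:40:59 -0000",
    "Received: from postal.wtconnect.com (64.40.221.15) by mail20.svc.cra.dublin.eircom.net (qp 5238) with SMTP; 16 Sep 2009 13:40:59 -0000",
    "Received: (qmail 21798 invoked from network); 16 Sep 2009 13:40:56 -0000",
    "Received: from unknown (HELO aib.ie) (dante@wtconnect.com@67.202.3.66) by postal.wtconnect.com with SMTP; Wed, 16 Sep 2009 08:40:56 -0500",
]

HOP_RE = re.compile(r"^Received:\s+from\s+(\S+)(.*?)\s+by\s+(\S+)", re.I)
HELO_RE = re.compile(r"\bhelo[ =]([^\s)]+)", re.I)
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def parse_hop(header):
    """Return one SMTP hop as a dict, or None for local bookkeeping lines."""
    m = HOP_RE.match(" ".join(header.split()))
    if not m:
        return None  # e.g. the "(qmail ... invoked from network)" lines
    name, extra, by = m.groups()
    helo = HELO_RE.search(extra)
    ips = IPV4_RE.findall(name + extra)
    return {"name": name.strip("[]").lower(),
            "helo": helo.group(1).lower() if helo else None,
            "ip": ips[-1] if ips else None,
            "by": by.lower()}

def relay_path(headers):
    """Hops in the order the message travelled (headers are newest first)."""
    hops = [parse_hop(h) for h in headers]
    return [h for h in reversed(hops) if h]

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def spoofed_helo(hops, domain):
    """Hops whose HELO claims `domain` while the recorded client name does not."""
    return [h for h in hops
            if h["helo"] and in_domain(h["helo"], domain)
            and not in_domain(h["name"], domain)]

if __name__ == "__main__":
    for hop in relay_path(SAMPLE):
        print(hop)
    print("HELO claims aib.ie:", spoofed_helo(relay_path(SAMPLE), "aib.ie"))
```

Only the Received line written by your own mail server is reliable; the HELO name and any earlier lines are supplied by the sending side and can be forged.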