Fraudulent Mail
Fraudulent mail claiming to come from Irish Banks
No Irish bank will ever contact you by e-mail. Never. If you get an e-mail claiming to be from a bank, Irish or otherwise, then you can be 100% certain that it is forged and you should delete it straight away.
Each of the main Irish banks has its own page regarding fraudulent mails:
Recent Phishing Attempts
AIB
Received 15th September 2009 - Claims that AIB are launching a Customer Satisfaction Program and are offering 10000 free cheques. The mail has an attachment that the recipient is required to click on.
Mail Path:
Received: (qmail 21552 messnum 5604273 invoked from network[62.250.3.55/relay55.tele2.vuurwerk.nl]); 15 Sep 2009 14:55:12 -0000
Received: from relay55.tele2.vuurwerk.nl (HELO relay.versatel.net) (62.250.3.55) by mail25.svc.cra.dublin.eircom.net (qp 21552) with SMTP; 15 Sep 2009 14:55:12 -0000
Received: from [82.175.69.251] (helo=gizom.nl) by relay.versatel.net with esmtp (Exim 4.69) (envelope-from <win@aib.ie>)
The attachment is crafted so that it pulls legitimate images from AIB's website and contains a form that will attempt to send any information filled in to capcode2.pck.nerim.net (213.41.255.74) located in France.
---
Received 14th September 2009 - Claims that AIB are launching a Customer Satisfaction Program and are offering 10000 free cheques. The mail has an attachment that the recipient is required to click on.
Mail Path:
Received: (vpopmail 22270 invoked by uid 16); 14 Sep 2009 08:29:42 +0100
Received: (qmail 22258 messnum 435189 invoked from network[62.193.238.86/wpc2071.amenworld.com]); 14 Sep 2009 07:29:41 -0000
Received: from wpc2071.amenworld.com (HELO preprod.groupeleduff.com) (62.193.238.86) by mail19.svc.cra.dublin.eircom.net (qp 22258) with SMTP; 14 Sep 2009 07:29:41 -0000
Received: from aib.ie ([67.202.3.66]) by preprod.groupeleduff.com with MailEnable ESMTP; Mon, 14 Sep 2009 09:35:01 +0200
The attachment is crafted so that it pulls legitimate images from AIB's website and contains a form that will attempt to send any information filled in to a webmail account on 212.34.154.2, which is in Madrid, Spain.
---
Received 11th September 2009 - Claims that AIB are launching a new Anti-Phishing site and requires you to confirm your identity.
Mail Path:
Received: (vpopmail 27362 invoked by uid 16); 11 Sep 2009 14:03:34 +0100
Received: (qmail 27313 messnum 335556 invoked from network[216.122.144.114/safetycertified.com]); 11 Sep 2009 13:03:34 -0000
Received: from safetycertified.com (HELO mail.safetycertified.com) (216.122.144.114) by mail19.svc.cra.dublin.eircom.net (qp 27313) with SMTP; 11 Sep 2009 13:03:34 -0000
Received: from ec2-174-129-176-254.compute-1.amazonaws.com [174.129.176.254] by mail.safetycertified.com with SMTP; Fri, 11 Sep 2009 09:03:04 -0400
The mail contains a link that you are prompted to click on to confirm your identity. The hyperlink points to an address in an ISP's address pool, in this case Hinet in Taiwan.
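The mail paths above can be read mechanically. The following is an added example, not part of the original page: it parses the Received headers of the 14 September mail, finds the host that handed the message to the recipient's own server (eircom.net here, the only header that cannot be forged by the sender), and flags the mail when it names aib.ie anywhere in its path while arriving from a host outside that domain. The function names are chosen for this example and the check is a heuristic.

```python
import re
from email import message_from_string

# The 14 September 2009 mail path from this page, one Received header per line.
SAMPLE = """\
Received: (vpopmail 22270 invoked by uid 16); 14 Sep 2009 08:29:42 +0100
Received: (qmail 22258 messnum 435189 invoked from network[62.193.238.86/wpc2071.amenworld.com]); 14 Sep 2009 07:29:41 -0000
Received: from wpc2071.amenworld.com (HELO preprod.groupeleduff.com) (62.193.238.86) by mail19.svc.cra.dublin.eircom.net (qp 22258) with SMTP; 14 Sep 2009 07:29:41 -0000
Received: from aib.ie ([67.202.3.66]) by preprod.groupeleduff.com with MailEnable ESMTP; Mon, 14 Sep 2009 09:35:01 +0200

"""

HOP = re.compile(r"from\s+(\S+)\s+(.*?)\bby\s+(\S+)", re.S)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def in_domain(host, domain):
    host = host.lower().strip("[]()<>")
    return host == domain or host.endswith("." + domain)


def parse_hops(raw_headers):
    """Return SMTP hops, newest first (local-delivery lines are skipped)."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        text = " ".join(value.split())  # unfold and collapse whitespace
        m = HOP.match(text)
        if not m:
            continue
        name, extra, by = m.groups()
        ip = IPV4.search(name + " " + extra)
        hops.append({"from": name, "ip": ip.group() if ip else None,
                     "by": by, "text": text})
    return hops


def analyse(raw_headers, trusted_suffix, claimed_domain):
    """Heuristic: the path names claimed_domain, yet the host that handed
    the mail to our own (trusted) server is outside that domain."""
    hops = parse_hops(raw_headers)
    # Only the header stamped by our own server is reliable; older ones can be forged.
    entry = next((h for h in hops if in_domain(h["by"], trusted_suffix)), None)
    pat = re.compile(rf"(?<![\w-]){re.escape(claimed_domain)}(?![\w-])", re.I)
    claims = any(pat.search(h["text"]) for h in hops)
    forged = bool(entry) and claims and not in_domain(entry["from"], claimed_domain)
    return {"entry_host": entry and entry["from"], "entry_ip": entry and entry["ip"],
            "claims_domain": claims, "suspicious": forged}
```

Calling `analyse(SAMPLE, "eircom.net", "aib.ie")` reports wpc2071.amenworld.com (62.193.238.86) as the entry host and marks the mail suspicious.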