Fraudulent Mail

From RSWiki
Revision as of 10:40, 14 September 2009 by Robert (talk | contribs) (Created page with '==Fradulent mail claiming to come from Irish Banks== '''No Irish bank will ever contact you by e-mail. Never. If you get an e-mail claiming to be from a bank Irish or otherwise …')

Fraudulent mail claiming to come from Irish Banks

No Irish bank will ever contact you by e-mail. Never. If you get an e-mail claiming to be from a bank, Irish or otherwise, then you can be 100% certain that it is forged and you should delete it straight away.

Each of the main Irish banks has its own page regarding fraudulent mail:

Recent Phishing Attempts

AIB

Received 14th September 2009 - Claims that AIB is launching a Customer Satisfaction Program and is offering 10000 free cheques. The mail has an attachment that the viewer is required to click on.

Mail Path:

Received: (vpopmail 22270 invoked by uid 16); 14 Sep 2009 08:29:42 +0100
Received: (qmail 22258 messnum 435189 invoked from network[62.193.238.86/wpc2071.amenworld.com]); 14 Sep 2009 07:29:41  -0000
Received: from wpc2071.amenworld.com (HELO preprod.groupeleduff.com) (62.193.238.86)
  by mail19.svc.cra.dublin.eircom.net (qp 22258) with SMTP; 14 Sep 2009 07:29:41 -0000 
Received: from aib.ie ([67.202.3.66]) by preprod.groupeleduff.com with MailEnable ESMTP; Mon, 14 Sep 2009 09:35:01 +0200

The attachment is crafted so that it pulls legitimate images from AIB's website. It contains a form that will attempt to send any information filled in to a webmail account on 212.34.154.2, which is in Madrid, Spain.
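An added example, not part of the original wiki page: a Python sketch that reads the Received headers of the 14 September mail oldest hop first and picks out the hop where the sending host announced itself as aib.ie. The function names are hypothetical, and it assumes the name after "from" (or inside HELO) is the name the connecting client announced.

```python
import re
from email import message_from_string

# Received headers copied from the 14 September 2009 mail path on this page.
RAW = """\
Received: (vpopmail 22270 invoked by uid 16); 14 Sep 2009 08:29:42 +0100
Received: (qmail 22258 messnum 435189 invoked from network[62.193.238.86/wpc2071.amenworld.com]); 14 Sep 2009 07:29:41 -0000
Received: from wpc2071.amenworld.com (HELO preprod.groupeleduff.com) (62.193.238.86)
  by mail19.svc.cra.dublin.eircom.net (qp 22258) with SMTP; 14 Sep 2009 07:29:41 -0000
Received: from aib.ie ([67.202.3.66]) by preprod.groupeleduff.com with MailEnable ESMTP; Mon, 14 Sep 2009 09:35:01 +0200
"""

# "from NAME [(HELO NAME)] (IP) by HOST". Assumption: the HELO name, or the
# name after "from" when no HELO is shown, is what the client announced.
HOP = re.compile(
    r"from\s+(?P<name>\S+)\s+(?:\(HELO\s+(?P<helo>[^)\s]+)\)\s+)?"
    r"\(?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)?\s+by\s+(?P<by>\S+)"
)

def mail_path(raw):
    """Return the network hops oldest first (headers are prepended in transit)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.match(value.strip())
        if m:  # local-delivery lines such as "(vpopmail ...)" carry no hop
            hops.append({"ip": m["ip"], "announced": m["helo"] or m["name"], "by": m["by"]})
    return hops

def brand_claims(hops, domain):
    """Hops whose announced name is the brand's domain or a subdomain of it."""
    return [h for h in hops
            if h["announced"].lower() == domain or h["announced"].lower().endswith("." + domain)]

def chain_is_continuous(hops):
    """True when each receiving host is the announced sender of the next hop."""
    return all(a["by"].lower() == b["announced"].lower() for a, b in zip(hops, hops[1:]))

if __name__ == "__main__":
    hops = mail_path(RAW)
    for h in hops:
        print(f'{h["ip"]:15} announced as {h["announced"]:28} received by {h["by"]}')
    for h in brand_claims(hops, "aib.ie"):
        print(f'check {h["ip"]}: it announced itself as {h["announced"]}')
```

In a Received line the announced name is chosen by the sender, while the IP address is recorded by the receiving host, and only headers added by servers you trust are reliable.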



Received 11th September 2009 - Claims that AIB are launching a new Anti-Phishing site and requires you to confirm your identity.

Mail Path:

Received: (vpopmail 27362 invoked by uid 16); 11 Sep 2009 14:03:34 +0100
Received: (qmail 27313 messnum 335556 invoked from network[216.122.144.114/safetycertified.com]); 11 Sep 2009 13:03:34 -0000
Received: from safetycertified.com (HELO mail.safetycertified.com) (216.122.144.114)
 by mail19.svc.cra.dublin.eircom.net (qp 27313) with SMTP; 11 Sep 2009 13:03:34 -0000
Received: from ec2-174-129-176-254.compute-1.amazonaws.com [174.129.176.254] by mail.safetycertified.com with SMTP;
  Fri, 11 Sep 2009 09:03:04 -0400

The mail contains a link that you are prompted to click on to confirm your identity. The hyperlink points to an address in an ISP's address pool, in this case Hinet in Taiwan.