Fraudulent Mail

From RSWiki
Revision as of 18:51, 15 September 2009 by Robert (talk | contribs) (→‎AIB)
Jump to navigation Jump to search

Fradulent mail claiming to come from Irish Banks

No Irish bank will ever contact you by e-mail. Never. If you get an e-mail claiming to be from a bank Irish or otherwise then you can be 100% certain that it is forged and you should delete it straight away.

Each of the main Irish banks have their own pages regarding fradulent mails:

Recent Phishing Attempts

AIB

Received 15th September 2009 - Claims that AIB are launching a Customer Satisfaction Program and is offering 10000 free cheques. Mail has an attachment that the viewer is required to click on.

Mail Path:

Received: (qmail 21552 messnum 5604273 invoked from network[62.250.3.55/relay55.tele2.vuurwerk.nl]); 15 Sep 2009 14:55:12 -0000
Received: from relay55.tele2.vuurwerk.nl (HELO relay.versatel.net) (62.250.3.55)
 by mail25.svc.cra.dublin.eircom.net (qp 21552) with SMTP; 15 Sep 2009 14:55:12 -0000
Received: from [82.175.69.251] (helo=gizom.nl)
	by relay.versatel.net with esmtp (Exim 4.69)
	(envelope-from <win@aib.ie>)


The attachment is crafted so that it pulls legitimate images from AIB's website and contains a form that will attempt to send any information filled in to capcode2.pck.nerim.net (213.41.255.74) located in France.


---

Received 14th September 2009 - Claims that AIB are launching a Customer Satisfaction Program and is offering 10000 free cheques. Mail has an attachment that the viewer is required to click on.

Mail Path:

Received: (vpopmail 22270 invoked by uid 16); 14 Sep 2009 08:29:42 +0100
Received: (qmail 22258 messnum 435189 invoked from network[62.193.238.86/wpc2071.amenworld.com]); 14 Sep 2009 07:29:41  -0000
Received: from wpc2071.amenworld.com (HELO preprod.groupeleduff.com) (62.193.238.86)
  by mail19.svc.cra.dublin.eircom.net (qp 22258) with SMTP; 14 Sep 2009 07:29:41 -0000 
Received: from aib.ie ([67.202.3.66]) by preprod.groupeleduff.com with MailEnable ESMTP; Mon, 14 Sep 2009 09:35:01 +0200

The attachment is crafted so that it pulls legitimate images from AIB's website and contains a form that will attempt to send any information filled in to a webmail account on 212.34.154.2 which is in Madrid Spain.



Received 11th September 2009 - Claims that AIB are launching a new Anti-Phishing site and requires you to confirm your identity.

Mail Path:

Received: (vpopmail 27362 invoked by uid 16); 11 Sep 2009 14:03:34 +0100
Received: (qmail 27313 messnum 335556 invoked from network[216.122.144.114/safetycertified.com]); 11 Sep 2009 13:03:34 -0000
Received: from safetycertified.com (HELO mail.safetycertified.com) (216.122.144.114)
 by mail19.svc.cra.dublin.eircom.net (qp 27313) with SMTP; 11 Sep 2009 13:03:34 -0000
Received: from ec2-174-129-176-254.compute-1.amazonaws.com [174.129.176.254] by mail.safetycertified.com with SMTP;
  Fri, 11 Sep 2009 09:03:04 -0400

The mail contains a link that you are prompted to click on to confirm your identity. This hyperlink is targeted to an ISP's address pool. In this case Hinet in Taiwan.