Monday, November 24, 2008

American Express Phishing



ANOTHER CASE
Here is a reproduction of a fraudulent email recently reported to American Express. The phishers tried to get information about one's account.
The warning from Amex clearly states that you should not give any information in response to this type of request, since such requests do not originate from Amex.

You can see the whole story at the following URL (in French) from American Express Belgium:

Sunday, November 23, 2008

PayPal - Access to your account is restricted

One of our friends recently received the following e-mail in his inbox:

Hello PayPal User,

As part of our security measures, we regularly monitor the activity taking place in the PayPal system. During a recent check, we identified a problem with your PayPal account.

While reviewing your account, we realised that we needed additional information in order to provide you with a secure service.

Reference number: PP-538-718-203

You can view your account and review some or all of the information PayPal used in its decision to restrict access to your account by visiting the Resolution Center. If, after reviewing the information about your account, you would like further information about access to your account, please contact PayPal by clicking the 'Customer Service' link in the help pages.

We appreciate your attention to this matter. We hope you will understand that this is a security measure intended to protect you and your PayPal account.

We apologise for the inconvenience.

Sincerely,
PayPal

----------------------------------------------------------------
Copyright 1999-2008 PayPal. All rights reserved.

PayPal (Europe) S.a r.l. & Cie, S.C.A.
Societe en Commandite par Actions
Registered office: 5th floor, 22-24 Boulevard Royal, L-2449 Luxembourg
RCS Luxembourg B 118 349

PayPal email no. PP522



At first sight it looks like a genuine mail from PayPal. However, the text highlighted in red should already raise some suspicions. Secondly, if you look at the source of the e-mail, you'll see that the link "Cliquez ici pour verifier votre compte PayPal" ("Click here to verify your PayPal account") does not link to PayPal, but to another website: http://www.tongknweb.com/design03/confirmation=_account-run/login.jsp/



Fortunately, there are some tools on the internet that allow you to find out more information about this link.

If you look up who owns this domain name, you'll see that it is registered by a Korean company in Seoul (http://whois.domaintools.com/tongknweb.com).

On www.millersmiles.co.uk you can even see the location of the company (http://www.millersmiles.co.uk/server_information/www.tongknweb.com).

And at the following link, you can see that PayPal customers are not the only victims of this company.





Tuesday, November 11, 2008

WELCOME to Have you been phished?

Firstly, this is a blog created and designed for academic purposes. It serves the research purposes of a group of MBA students in Brussels for the subject of Key Internet Skills for Managers. The intent is to analyse and test how the content of a blog makes it visible in the blogosphere, the different techniques to drive traffic to blogs, the various publishing tools for blogs and what distinct metrics are out there for measuring success, as well as how the Web 2.0 environment can help managers these days.


Please feel free to contribute only if you find the content (phishing) of any interest to yourself or anyone you know.

Secondly, we think that the blog, besides these academic purposes, might become an interesting repository of stories and lessons learned from those who have suffered the consequences of phishing and feel that they have a role in preventing others from making the same mistake.

We have chosen this theme since it is known that, as identities are stolen, several millions of Euros are diverted every year from personal accounts using phishing. If with this we could add some repository of anti-phishing applications and/or existing active phishing activities, we would also be helping to prevent those crimes. You can see the first post by Jan as a good example of how this camouflage technique can be very dangerous. HEADS UP and ENJOY

Paulo

Google AdWords Phishing

Over the last few weeks, I have been getting several e-mails containing Google AdWords phishing attempts. The e-mails, which are obviously fake, ask you to log in to AdWords and update your billing information.

Dear Google AdWords Customer!

In order to update your billing information, please sign in to your AdWords account at https://adwords.google.com, and update your billing information. Your account will be reactivated as soon as you have entered your payment details. Your ads will show immediately if you decide to pay for clicks via credit or debit card. If you decide to pay by direct debit, we may need to receive your signed debit authorization before your ads start running, depending on your location. If you choose bank transfer, your ads will show as soon as we receive your first payment. (Payment options vary by location.) Thank you for choosing AdWords. We look forward to providing you with the most effective advertising available.

Sincerely,

The Google AdWords Team
------------------------
This message was sent from a notification-only email address that does not accept incoming email. Please do not reply to this message. If you have any questions after following the steps above, please visit the Google AdWords Help Center at https://adwords.google.com/support/bin/topic.py?topic=8336&hl=en_US to find answers to frequently asked questions and a 'contact us' link near the bottom of the page.

It all looks very official, but if you look at the HTML code of the message, you'll see that although the link is showing https://adwords.google.com/support/bin/topic.py?topic=8336&hl=en_US, it is pointing to something like http://adwords.google.com.fr4ck.cn/select/Login/. This means that by filling out this page, users are making their credit-card information available for misuse by third parties.

If you see such an e-mail, you can report it to Google by filling out the Report Phishing Form.

More information can be found on the official Google AdWords page by following this link.
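Both the PayPal and the AdWords posts come down to the same check: compare what a link shows with where its href really goes. The sketch below is an added example, not code from the blog's authors; it automates that check for an HTML mail body. The function names, reason labels and brand list are assumptions, and the sample HTML is constructed from the two links quoted in the posts.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in the mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def audit_links(html, brands):
    """Return (reason, shown_text, href) for each anchor that misleads the reader."""
    parser = _Anchors()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        target = _host(href)
        shown = _host(text) if "://" in text else ""
        # Trusted only if the host IS the brand domain or a true subdomain of it.
        trusted = any(target == b or target.endswith("." + b) for b in brands)
        if shown and shown != target:
            findings.append(("text-url-mismatch", text, href))
        elif not trusted and any(b in target for b in brands):
            # Brand used as a prefix label, e.g. adwords.google.com.fr4ck.cn
            findings.append(("brand-in-foreign-host", text, href))
        elif not trusted and any(b.split(".")[0] in text.lower() for b in brands):
            findings.append(("brand-text-foreign-host", text, href))
    return findings

# Constructed sample mail body using the links quoted in the posts above.
SAMPLE = """
<a href="http://adwords.google.com.fr4ck.cn/select/Login/">https://adwords.google.com/support/bin/topic.py?topic=8336&amp;hl=en_US</a>
<a href="http://www.tongknweb.com/design03/confirmation=_account-run/login.jsp/">Cliquez ici pour verifier votre compte PayPal</a>
<a href="https://www.paypal.com/help">Service clientele</a>
"""
```

Calling `audit_links(SAMPLE, ["google.com", "paypal.com"])` flags the first two anchors and passes the third, because only `www.paypal.com` ends in a brand domain; in `adwords.google.com.fr4ck.cn` the registered domain is `fr4ck.cn`.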