Full Disclosure mailing list archives

Your account at Wells Fargo has been suspended (Phishing Scam)
From: Babak Pasdar <bpasdar () igxglobal com>
Date: Tue, 06 Jul 2004 18:16:55 -0400

ATTENTION,

We have uncovered a phishing scam.  This is a perfect example of a
phishing scam.  All indicators (that the recipient sees) show a valid and
legitimate e-mail from Wells Fargo.  This e-mail tells the user their
account has been frozen due to fraudulent activity and gives them a link
to go to.  However, when you click on the link, it takes you to a site in
Korea and not Wells Fargo:

http://online_wellsfargo_com_account.rndsystems.co.kr:7301/wells.htm

If you click on the link, an exact model of the Wells Fargo web site is
replicated.  This is the exact type of issue we had success with in
working with the FBI which led to an arrest of an unsavory Russian
character.

There are no products to protect against phishing other than user
education and vigilance along with refining the current model for mail.

Babak



Here is a quick assessment that confirms the e-mail is fraudulent.  In
the header notice the source sending it to igxglobal is not identifiable
via reverse DNS:

Received:  from dns (unknown [211.238.157.101]) by
imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016 for
<bpasdar () goimaginex net>; Tue,  6 Jul 2004 15:08:21 -0400 (EDT)


Further research shows that the contact for the network IP in question
is Kanghyun Lee out of Seoul, South Korea:

person:       KANGHYUN LEE
descr:        BUSYKOREA
descr:        , Guro 5(o)-dong , Guro-gu
descr:        SEOUL
descr:        152-055
country:      KR
phone:        +82-2-862-1780
e-mail:       YHMARIA02 () HOTMAIL COM
nic-hdl:      KL512-KR
mnt-by:       MNT-KRNIC-AP


Further investigation on the web site shows the following owner:


Domain Name               : rndsystems.co.kr
Registrant                : R&D SYSTEMS
Registrant Address        : Pusan Venture Bldg.#305 651-1 Eomgung-dong, Sasang-gu, Busan, Republic of Korea
Registrant Zip Code       : 617831
Administrative Contact(AC): Kang Young Gyun AC
E-Mail                    : rndsys () chollian net
AC Phone Number           : 0513261777
Registered Date           : 2002. 05. 17.
Last updated Date         : 2003. 04. 24.
Expiration Date           : 2005. 05. 17.
Publishes                 : Y
Authorized Agency         : I-NAMES(the "I" stands for "Internet") Corporation (http://www.i-names.co.kr)
Primary Name Server   Host Name              : www.rndsystems.co.kr
   IP Address             : 211.33.221.36

- KRNIC Whois Service -


Return-Path: <services () wellsfargo com>
Received:  from groupware.igxglobal.com ([unix socket]) by groupware (Cyrus v2.1.16) with LMTP; Tue, 06 Jul 2004 15:08:31 -0400
Received:  from dns (unknown [211.238.157.101]) by imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016 for <bpasdar () goimaginex net>; Tue,  6 Jul 2004 15:08:21 -0400 (EDT)
From: Wells Fargo National Association <services () wellsfargo com>
To: Bpasdar <bpasdar () goimaginex net>
Subject: Your account at Wells Fargo has been suspended
Date: Wed, 7 Jul 2004 03:59:20 +0900
Reply-To: Wells Fargo National Association <services () wellsfargo com>
Message-ID: <xxxxxxxx.xxxxxxxx () wellsfargo com>
MIME-Version:  1.0
X-Priority:  3 (Normal)
Importance:  Normal
X-Mailer:  
EM: 4.52.0.790
Content-Type: multipart/alternative; boundary="----_PartID_337380760025388"
X-Virus-Scanned:  IGX Global Secure Mail Relay
X-Evolution-Source: imap://bpasdar () 192 168 22 7:993/


-----Forwarded Message-----
From: Wells Fargo National Association <services () wellsfargo com>
To: Bpasdar <bpasdar () goimaginex net>
Subject: Your account at Wells Fargo has been suspended
Date: Wed, 07 Jul 2004 03:59:20 +0900

Dear Wells Fargo account holder, 

We regret to inform you, that we had to block your Wells Fargo account
because we have been notified that your account may have been
compromised by outside parties.

Our terms and conditions you agreed to state that your account must
always be under your control or those you designate at all times. We
have noticed some activity related to your account that indicates that
other parties may have access and or control of your information in your
account.

These parties have in the past been involved with money laundering,
illegal drugs, terrorism and various Federal Title 18 violations. In
order that you may access your account we must verify your identity by
clicking on the link below.

Please be aware that until we can verify your identity 
no further access to your account will be allowed and we will have no
other liability for your account
or any transactions that may have occurred as a result of your failure
to reactivate your account as
instructed below.

Thank you for your time and consideration in this matter.

Please follow the link below and renew your account information

https://online.wellsfargo.com/cgi-bin/signon.cgi

Before you reactivate your account, all payments have been frozen, and you will not be able to use your
account in any way until we have verified your identity.


-- 

Babak Pasdar
Founder / Chief Technology & Information Security Officer
e-mail: bpasdar () igxglobal com
phone:  201.498.0555 x2205
pgp fingerprint:  
F901 028B 7658 8621 3EF9 D505 BBF2 35F2 C922 B416

Get Daily Security Intelligence on the DSB Online
http://dsb.igxglobal.com

Subscribe to the igxglobal Daily Security Briefing Newsletter
http://www.igxglobal.com/dsb/register.html

igxglobal Announces the DSB Online Security Community Web Site
http://www.prweb.com/releases/2004/6/prweb131815.htm

igxglobal delivers integrated real-time security reporting
http://www.igxglobal.com/rrf.html

Attachment: signature.asc
Description: This is a digitally signed message part
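The checks the post walks through by hand (relay with no reverse DNS, a bare HELO name, a link whose visible text claims wellsfargo.com while the real target is a look-alike label under a different domain on an odd port) can be scripted. The example below is added here and is not code from the post or from igxglobal; the sample header and links are constructed from the values quoted above, and the `phishing_indicators` function and its finding strings are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample built from the headers and links quoted in the message above.
RECEIVED = ("Received: from dns (unknown [211.238.157.101]) by "
            "imgxs43.goimaginex.net (Postfix) with SMTP id 15105B0016")
CLAIMED_SENDER = "services@wellsfargo.com"
DISPLAYED_LINK = "https://online.wellsfargo.com/cgi-bin/signon.cgi"
ACTUAL_LINK = "http://online_wellsfargo_com_account.rndsystems.co.kr:7301/wells.htm"

# Postfix writes "from <helo> (<reverse-dns> [<ip>])"; "unknown" means no PTR record.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[\d.]+)\]\)")


def parse_received(header):
    """Extract HELO name, reverse-DNS name and IP from a Postfix-style Received header."""
    m = RECEIVED_RE.search(header)
    return m.groupdict() if m else None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def under_domain(host, domain):
    """True only when host is the domain itself or a real subdomain of it;
    a look-alike label such as online_wellsfargo_com_account does not qualify."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(received, claimed_sender, displayed, actual):
    """Return the indicators a mail reviewer would flag for this message."""
    findings = []
    hop = parse_received(received)
    if hop:
        if hop["rdns"] == "unknown":
            findings.append("relay %s has no reverse DNS" % hop["ip"])
        if "." not in hop["helo"]:
            findings.append("HELO name %r is not a fully qualified host" % hop["helo"])
    domain = claimed_sender.rsplit("@", 1)[-1].lower()
    shown, real = host_of(displayed), host_of(actual)
    if shown != real:
        findings.append("displayed link host %s differs from target %s" % (shown, real))
    if not under_domain(real, domain):
        findings.append("target host %s is not under sender domain %s" % (real, domain))
    port = urlsplit(actual).port
    if port not in (None, 80, 443):
        findings.append("target uses non-standard port %d" % port)
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(RECEIVED, CLAIMED_SENDER, DISPLAYED_LINK, ACTUAL_LINK):
        print("-", finding)
```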