Phishing

What is it? Here's how it works.

You receive an official-looking email from your bank. It tells some story about a problem with your bank account and asks you to sign in with your user name and password to clear things up. You click on the link in the email, which takes you to an official-looking sign-in page. You think you are signing into your account, but in reality you are signing into a fraudulent web site designed to look like your bank's site. Now the con artists who created the site have the user name and password to your bank account, and need I say what they are going to do with it?

That is basically the definition of phishing. Of course the email can pretend to be from any bank or credit union, PayPal or even eBay.

The bottom line: to steal your account info and use it to rob you blind. Also think identity theft. They will have access to any and all accounts and/or credit card numbers, plus any other personal data associated with your account, and will use them as they see fit. As I was preparing this, a story was being told on the TV news about a woman who had her credit card number stolen online; the person who stole it used it to purchase porn online.

But that is not what inspired me to write this. In the last couple of days I have received a number of emails from two different banks. Of course I would never respond to such emails anyway, but I don't even do business with either of these banks.

Banks do not use spam to get in touch with potential customers. THIEVES DO, because they realize that eventually they are going to reach a person who is a customer of the institution they claim to represent, and that person is going to click on the links in the email to respond and sign in.


RULE NUMBER 1

So this leads to Rule# 1 : NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER... respond to any email claiming to be from a bank, credit union, or any other financial institution. Always assume it is a hoax, treat it like you will get the Black Plague by just looking at it.

If you are concerned about your bank account, get in touch with your bank, but DO NOT call any of the numbers listed in the email or click on any links to respond. Go to the bank or call them using the number from the phone book, or however you would normally contact your bank.

If you feel you must go online to work out the problem, let's say your email was claiming to be from ebay.ca: ignore the email links. Instead, go to your web browser, type in www.ebay.ca and sign in as you normally do. If there are any problems, I'm sure they will notify you when you sign in.


I have received 2 or 3 emails to date supposedly from www.royalbank.com. There is not even a bank of this type in this town of Twillingate.

What is so strange about this email is that it is actually a picture and not text, and I think I know why they used a picture rather than text. Newer web browsers like Firefox and even the latest version of Internet Explorer now have anti-phishing software built in.

My guess is that this software looks for common denominators in the email, like requests to sign in, account problems, and so on.

If this software scans this email, all it's going to find is a picture with a link to a web site. Nothing more. It cannot scan the graphic to read it. So the common denominators are there, but they're embedded in a picture that cannot be read by the software.

Pretty clever if you ask me.

But still, remember RULE# 1.

This is the actual email received.

Notice the link that seems to indicate that you will be taken to

www.royalbank.com/onlineprocedureref71004374/start/action

but if you click on the link or just place your mouse over it, the real link should show up on the status bar, usually at the bottom of your browser or email window. This is the real link:

http://www.royalbank.com.onlineprocedureref251802620301.thaddecons.co.nz/action

Notice the .nz at the end of the real link. This domain or web site is actually in New Zealand.

Received a second email, exact same email but with the real link of

http://www.royalbank.com.onlineprocedureref40209002.gonishti.net/action

This one has a .net domain.

http://www.royalbank.com.onlineprocedureref346608453.dfrgedsg.biz/action

This one has a domain .biz

And yet another at

http://www.royalbank.com.onlineprocedureref5391044.ilafegoa.in/action

This one has a .in domain. This one goes to India.

In case you're wondering, the domain refers to the country, like .ca for Canada, .nz for New Zealand, and so on. For a more complete list, see http://techdictionary.com/domainlist.html or http://www.checkdomain.com/list.html

.net, .org, .com, and .biz - all can be used by any country.

This is a different email claiming to be from a different bank. I received a few of these as well. It's from the Fifth Third Bank. First time I ever heard of it, but apparently, according to this email, I'm a customer. Kind of a dead giveaway that it is a fraud.

Again, same story:

Notice the link that seems to indicate that you will be taken to

www.53.com/bankingportal/session/sbcbconfirm

but if you click on the link or just place your mouse over it, the real link should show up on the status bar, usually at the bottom of your window. This is the real link:

http://www.53.com.bankingportal.id900675071.srevdb.ws/sbcbconfirm .

Notice the .ws on the real link. This domain is actually in Western Samoa. A second email, the exact same email, but with the real link of

http://www.53.com.bankingportal.id8479961586083.atvvsesh.biz/sbcbconfirm

This one has a .biz domain.


So be careful and remember RULE# 1.

Rule# 1 : NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER... respond to any email claiming to be from a bank, credit union, or any other financial institution. Always assume it is a hoax, treat it like you will get the Black Plague by just looking at it.

If you are concerned about your bank account, get in touch with your bank, but DO NOT call any of the numbers listed in the email or click on any links to respond. Go to the bank or call them using the number from the phone book, or however you would normally contact your bank.

If you feel you must go online to work out the problem, let's say your email was claiming to be from ebay.ca: ignore the email links. Instead, go to your web browser, type in www.ebay.ca and sign in as you normally do. If there are any problems, I'm sure they will notify you when you sign in.


So how do they do it? It's a simple trick of changing the HTML coding so that a web page seems to display one link but actually sends you to another.

Example:

This link will send you to WWW.GOOGLE.CA

This link will send you to WWW.GOOGLE.CA

Try each one. The second doesn't send you to Google but Yahoo.

If you were to right click on a web page, you probably would see an option like view source page. Here you will see the lines of code that make up a web page. These lines tell the web browser what colors to use, what kind of type or font, what pictures to display and how, and so on. On my page this is the code that displays the first link:

<a href="http://www.google.ca">WWW.GOOGLE.CA</a>

This is the code that displays the second link:

<a href="http://www.yahoo.com">WWW.GOOGLE.CA</a>

Without going into any great lecture on HTML coding, which I probably could not do anyway, the first part tells your web browser where to go when you click on a link.

<a href="http://www.google.ca">

<a href="http://www.yahoo.com">

The second part tells the browser what to display on the screen.

WWW.GOOGLE.CA

WWW.GOOGLE.CA

That's how easy it is to disguise a link. A picture or image can also be used as a link.

And anybody who knows how to create a web page can easily duplicate any web page on the internet, including creating official-looking login pages for banks, credit unions, eBay, etc.
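The comparison described above (what a link displays versus where its href really goes) can be automated. The following is an added example, not code from the original page: it parses the anchors in an HTML message and flags every link whose visible text names a different host than its href, and marks image or plain-wording links as "opaque" because only the href reveals their destination. The sample HTML is constructed from links quoted on this page, and the image file name is made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that is itself a web address (with or without http://).
ADDRESS_TEXT = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)

def host_of(address):
    """Lower-cased host of a URL, or of bare text like 'www.example.com/path'."""
    if "://" not in address:
        address = "http://" + address
    return (urlsplit(address).hostname or "").lower()

class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
        elif tag == "img" and self._href is not None:
            self._text.append("[image]")  # a picture used as the link
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html):
    """Return (verdict, shown text, real host) per link: 'match', 'mismatch',
    or 'opaque' (image or wording, so only the href says where it goes)."""
    collector = AnchorCollector()
    collector.feed(html)
    results = []
    for text, href in collector.links:
        shown = host_of(text) if ADDRESS_TEXT.match(text) else None
        real = host_of(href)
        verdict = "opaque" if shown is None else "match" if shown == real else "mismatch"
        results.append((verdict, text, real))
    return results

# Constructed sample built from links quoted on this page; notice.gif is made up.
SAMPLE = """
<a href="http://www.google.ca">WWW.GOOGLE.CA</a>
<a href="http://www.yahoo.com">WWW.GOOGLE.CA</a>
<a href="http://www.royalbank.com.onlineprocedureref251802620301.thaddecons.co.nz/action">www.royalbank.com/onlineprocedureref71004374/start/action</a>
<a href="http://www.53.com.bankingportal.id900675071.srevdb.ws/sbcbconfirm"><img src="notice.gif"></a>
"""

if __name__ == "__main__":
    for verdict, text, real in audit_links(SAMPLE):
        print(f"{verdict:9} shown={text!r} real host={real}")
```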

Need I repeat RULE#1???


UPDATE:10:02 PM December 31, 2006

Received another - same situation - different bank:

Again, notice the supposed web address compared to the real address that the link goes to.

http://easyweb.tdcanadatrust.com.ebankingid3295429717.letela.biz/index.jsp


Still At It - Ebay scam alert

9:42 AM March 3, 2007

Just spent another day trying to clean the adware and viri out of someone's laptop. Again, no adware/antivirus programs to be found, but this is not about that.

Checked my email today, like I do first thing every morning, and discovered an interesting email, supposedly from www.ebay.com. Apparently, someone tried to access or hack into my account.

I assumed it was a fraud right from the beginning. Here's the email:


Dear eBay Member,

We recently noticed one or more attempts to log in to your eBay account from a foreign IP address and we have reasons to believe that your account was used by a third party without your authorization. If you recently accessed your account while traveling, the unusual login attempts may have been initiated by you.

The login attempt was made from:
IP address: 172.25.210.66
ISP Host: cache-66.proxy.aol.com

By now, we used many techniques to verify the accuracy of the information our users provide us when they register on the Site. However, because user verification on the Internet is difficult, eBay cannot and does not confirm each user's purported identity. Thus, we have established an offline verification system to help you evaluate with whom you are dealing with.

Click on the link below to restore access!
- Restore Access!

Best regards,
Ricky W.Bell
Trust and Safety Department.
eBay Inc.


First of all, I would like to point out that legitimate emails from eBay usually contain your user name; there is not even a reference to it in this one.

Secondly, here's the actual link to this so-called eBay site:

http://ebay.com.secure-login.5551330817188265304-huetugodeoa.logintomyspaeice.com/eBay/?id=lioexqyqetfeissesoherihu

What you have to look for is what I call the first slash ( / ), not counting the two in http://. The first slash here is after logintomyspaeice.com, so that is the site the link really goes to.

Everything after the first slash is like the different departments within a business, in this case eBay/?id=lioexqyqetfeissesoherihu (just because the eBay name is there doesn't mean anything in this case).

If the above eBay address was real, it would read http://ebay.com/. The first slash would be after the first instance of .com. This is the actual URL to sign into ebay.ca:

https://signin.ebay.ca/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=2&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&confirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor=

Notice in this case, using the Canadian branch of eBay, the first slash is after the .ca.
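The "first slash" rule can be written as a check: take the host (everything before the first slash), find the registrable domain at its right-hand end, and compare that with the domain the message claims to come from. This is an added example, not code from the original page; it goes a little beyond the text by handling two-part suffixes such as .co.uk, using a tiny hand-made suffix set as an assumption in place of the full Public Suffix List. The URLs are the ones quoted on this page, with the ebay.ca query string shortened.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List that covers only the
# two-part suffixes seen on this page. Real tooling should load the full list.
TWO_PART_SUFFIXES = {"co.nz", "co.uk"}

def owner_domain(host):
    """Registrable domain: the public suffix plus one label to its left."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(labels[-keep:])

def check_url(url, brand):
    """Apply the first-slash rule: only the host counts, and the host belongs
    to whoever registered the domain at its right-hand end."""
    brand = brand.lower()
    host = (urlsplit(url).hostname or "").lower()  # text before the first slash
    owner = owner_domain(host)
    genuine = owner == brand
    # The brand appears in the host, but only as labels to the left of the owner.
    decoy = not genuine and ("." + brand + ".") in ("." + host + ".")
    return {"host": host, "owner": owner, "genuine": genuine, "brand_as_decoy": decoy}

# URLs quoted on this page, each paired with the domain the message invoked.
CASES = [
    ("http://ebay.com.secure-login.5551330817188265304-huetugodeoa.logintomyspaeice.com/eBay/?id=lioexqyqetfeissesoherihu", "ebay.com"),
    ("https://signin.ebay.ca/ws/eBayISAPI.dll?SignIn", "ebay.ca"),
    ("http://sessionid-219082423.rbs.co.uk/customerdirectory/direct/ccf.aspx", "rbs.co.uk"),
    ("http://sessionid-219082423.rbs.co.uk.monfjh.hk/customerdirectory/direct/ccf.aspx", "rbs.co.uk"),
    ("http://www.royalbank.com.onlineprocedureref251802620301.thaddecons.co.nz/action", "royalbank.com"),
    ("http://online.bbt.com.onlineservlet_id713029856.idusers.hk/cbus", "bbandt.com"),
]

if __name__ == "__main__":
    for url, brand in CASES:
        r = check_url(url, brand)
        flag = "OK  " if r["genuine"] else "FAKE"
        print(f"{flag} claims {brand:14} owner {r['owner']:22} decoy={r['brand_as_decoy']}")
```

The last case shows a fake host that never contains the bank's real domain (bbandt.com) at all, so the owner comparison is the check that matters, not a search for the brand name.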

By the way, the false link, at the time of this writing, seems to be dead. I get the following error when clicking on the link:


Not Found
The requested URL /eBay/ was not found on this server.
Apache/2.0.53 (Fedora) Server at ebay.com.secure-login.5551330817188265304-huetugodeoa.logintomyspaeice.com Port 80


Either the authorities or the ISP may have discovered what they were doing and shut them down, or the site might just be temporarily down.

Just one small note: if you take the domain from the fake site, logintomyspaeice.com, and type it in your web browser, it takes you to an alleged My Space website. A search at http://www.whois.net/ tells me this so-called MySpace originates from Beijing in China.

If you want to check out My Space - try this instead: www.myspace.com

The following is a screenshot from logintomyspaeice.com:

MySpace screenshot


Here we go again

9:49 PM March 9, 2007

And it continues!

Branch Banking and Trust screenshot

The fake address...

http://online.bbt.com.onlineservlet_id713029856.idusers.hk/cbus

Compared to the real one.

https://online.bbandt.com/online/servlet/efs/loginbbt1.html


BB&T Online has already posted a warning on their site:

QUOTE

Consumer Alert:

Recently, some BB&T OnLine clients received fraudulent e-mail messages requesting confidential client information. These e-mail messages might appear like a BB&T e-mail message, and are sent to individual e-mail addresses. They may also request information such as account numbers, User ID’s, and passwords. BB&T does not request confidential client information in this manner. If you happen to receive an e-mail message like this, do not respond or reply. For more information on protecting your online information, click here. If you have responded to such a message, please logon, change your password, and call 1-888-BBT-ONLINE (1-888-228-6654) immediately.

UNQUOTE

Please notice: this message says please logon, change your password - Make sure you log into the real web site at:

https://online.bbandt.com/online/servlet/efs/loginbbt1.html


UPDATE 6:22 PM August 17, 2007

Summer vacation must be over for these con artists! Received the following in the last week.


Dear Royal Bank of Scotland customer,

The Royal Bank of Scotland Customer Service requests you to complete Digital Banking Customer Confirmation Form (CCF).

This procedure is obligatory for all customers of the Royal Bank of Scotland.

Please select the hyperlink and visit the address listed to access Digital Banking Customer Confirmation Form (CCF).

http://sessionid-219082423.rbs.co.uk/customerdirectory/direct/ccf.aspx

Again, thank you for choosing the Royal Bank of Scotland for your business needs. We look forward to working with you.

***** Please do not respond to this email *****

This mail is generated by an automated service.


The real link goes to Hong Kong.

http://sessionid-219082423.rbs.co.uk.monfjh.hk/customerdirectory/direct/ccf.aspx


Dear TD Canada Trust customer,

TD Canada Trust Customer Service requests you to complete EasyWeb Customer Form.

This procedure is obligatory for all customers of TD Canada Trust.

Please click hyperlink below to access EasyWeb Customer Form.

http://easyweb.ServerID-51379.tdcanadatrust.com/custserv/easywebform.jsp

Thank you for choosing TD Canada Trust for your banking needs.

Please do not respond to this email.

This mail generated by an automated service.

TD Group Financial Services site - Copyright © TD


Again the real link goes to Hong Kong.

http://easyweb.serverid-51379.tdcanadatrust.com.lodedll.hk/custserv/easywebform.jsp


Both of the above were dated Aug 10, 2007. They were in plain text format this time, unlike the picture ones mentioned previously. I don't know if it's going to make any difference, but this time I decided to send an email to the web hosting service. They seem to come from the same hosting service. The following is the automated response email I received from them:

Dear customer,

Your email has been received. If it is a report of phishing/spamming activity, we will look into it very soon and will take necessary action as needed.

Should you have any queries, please feel free to contact us again.

Best regards,

Abuse Team
Hong Kong Domain Name Registration Company Limited
Unit 2002-2005, 20/F ING Tower, 308 Des Voeux Road Central,
Sheung Wan, Hong Kong
Phone No.: +852 2319 1313
Fax No.: +852 2319 2626
Email: abuse@hkdnr.hk


Google AdWords


Subject: Google AdWords Contact Details Confirmation
From: "Google AdWords"
To: "Terryho_ca"

Dear Google AdWords customer!

In order to confirm your contact details, please click the link below:

http://www.google.com/accounts/VE/?service=adwords&c=48681767032392651152777873677291148095248049999587&id=3653381958644

This should take you directly to the Google AdWords Form.

Thank you for choosing AdWords. We look forward to providing you with the most effective advertising available.

Sincerely,

The Google AdWords Team


I received this email on May 24 2008. I knew right away it was FAKE....Not A Customer....No paid advertising on my site except for links to resources I use myself on a regular basis.

This is the real link, which seems to be already History. Either they packed up and moved or just got caught.

This is where the link in the email really goes:
http://www.google.com.transcripionpartner.com/accounts/VE/?service=adwords&c=48681767032392651152777873677291148095248049999587&id=3653381958644

Compare the supposed email link to the real link.

http://www.google.com/accounts/ (supposed email link)
http://www.google.com.transcripionpartner.com/accounts/ (actual email link)

A search at www.betterwhois.com resulted in the following info:

transcripionpartner.com

[Querying whois.godaddy.com]
[whois.godaddy.com]

Registrant:

  • Selvaraj Murugaiyan
  • 5, 33rd street, TG Nagar
  • Nanganallur
  • Chennai, 600068
  • India

    Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
    Domain Name: TRANSCRIPIONPARTNER.COM

  • Created on: 20-May-08
  • Expires on: 20-May-09
  • Last Updated on: 20-May-08

    Administrative Contact:

  • Murugaiyan, Selvaraj cm_selva@yahoo.com
  • 5, 33rd street, TG Nagar
  • Nanganallur
  • Chennai, 600068
  • India
  • 22327797

    Technical Contact:

  • Murugaiyan, Selvaraj cm_selva@yahoo.com
  • 5, 33rd street, TG Nagar
  • Nanganallur
  • Chennai, 600068
  • India
  • 22327797

    Domain servers in listed order:

  • NS2.MEM011.COM
  • NS1.MEM011.COM

A current search confirms that this site no longer exists.


http://en.wikipedia.org/wiki/Phishing from Wikipedia