Phishing

I don't know how I've managed it, but I had never received a phishing email, and today I was surprised to see one, like this:


X-Apparently-To: ---------@yahoo.es via 217.146.182.40; Wed, 12 Sep 2007 06:04:09 -0700
X-YahooFilteredBulk: 82.60.87.189
X-Originating-IP: [82.60.87.189]
Authentication-Results: mta253.mail.mud.yahoo.com from=citizensbank.com; domainkeys=neutral (no sig)
Received: from 82.60.87.189 (HELO host189-87-dynamic.60-82-r.retail.telecomitalia.it) (82.60.87.189)
by mta253.mail.mud.yahoo.com with SMTP; Wed, 12 Sep 2007 06:04:08 -0700
Received: from pgawtn.com (washbasin.susanin.com [72.3.62.216])
by bmla.com with SMTP id YGA64HA9LH
for >--------@yahoo.es>; Wed, 12 Sep 2007 06:04:03 -0800
Received: from aol.com (bernard.aol.com [70.36.27.153])
by mamma.com with SMTP id 88GPFHDDU6
for >---------@yahoo.es>; Wed, 12 Sep 2007 13:04:03 -0100
X-Spam-Level: 0
From: "Citizens Bank" >corporateclients.refbn430493029.gps@citizensbank.com>
To: "Merwhich" >merwhich@yahoo.es>
Subject: [Bulk] Notice: confirm your online banking records! (message id: 2182872)
X-Spam-Level: 0
User-Agent: Calypso Version 3.30.00.00
X-Mailer: Calypso Version 3.30.00.00
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--HJE.EPY0NCUSBOKB.2K4"

----HJE.EPY0NCUSBOKB.2K4
Content-Type: text/html;
Content-Transfer-Encoding: 7Bit

>head>
>meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
>/head>

>body>
>p>>font face="Verdana, Arial, Helvetica, sans-serif">Dear >u>business or corporate>/u> customer of Citizens Bank,>/font>>/p>
>p>>font face="Verdana, Arial, Helvetica, sans-serif">Citizens Bank Customer Service requests you to complete >b>>font color="#666644">Money Manager GPS Online Form>/font>>/b>.>/font>>/p>
>p>>font face="Verdana, Arial, Helvetica, sans-serif">This procedure is obligatory for all >b>>font color="#666644">Money Manager Global Processing Solutions™ (GPS)>/font>>/b> users.>/font>>/p>
>p>>font face="Verdana, Arial, Helvetica, sans-serif">Please click hyperlink below to access >b>>font color="#666644">Money Manager GPS Online Form>/font>>/b>.>br>>/font>>/p>
>p>>font face="Verdana, Arial, Helvetica, sans-serif">>a href="http://moneymanagergps-id————onlineform.aspx">>font size="2"> http://moneymanagergps-id————————onlineform.aspx> /font>>/a>>/font>>/p>
>p>>font face="Verdana, Arial, Helvetica, sans-serif">Please do not respond to this email.>/font>>/p>
>p>>font face="Verdana, Arial, Helvetica, sans-serif">————————->/font>>/p>
>p>>font face="Verdana, Arial, Helvetica, sans-serif" size="2">© Copyright 2007 Citizens Financial Group. All rights reserved.>/font>>/p>
>p>>font color="#FFFFF4" face="Verdana, Arial, Helvetica, sans-serif">2AX8: 0x28, 0x9, 0x51770277, 0x1646, 0x3905, 0x4, 0x16, 0x63 tmp interface api AW0 update serv Y49H QI8 engine. 0x2, 0x45353065, 0x52, 0x6113, 0x137, 0x9, 0x87, 0x464, 0x7, 0x4460, 0x39 0x4317, 0x6723, 0x226 0x5267, 0x8736, 0x23939740, 0x74066567, 0x043, 0x51, 0x8, 0x231, 0x06283936, 0x2, 0x22368773 0x9474, 0x99, 0x03, 0x7, 0x957, 0x1, 0x4758, 0x32, 0x4, 0x222, 0x50, 0x1473, 0x0280 source: 0x2688, 0x9, 0x832, 0x03746568, 0x1, 0x590, 0x344, 0x814, 0x3, 0x26, 0x3473 0x43906071, 0x147, 0x31, 0x682, 0x919, 0x1160, 0x1, 0x21443854, 0x40, 0x2, 0x917, 0x74672834, 0x370, 0x7745, 0x87 0x50945855, 0x1, 0x564, 0x70, 0x85, 0x05934081, 0x45274651, 0x7>/font>>/p>
>p>>font color="#FFFFF1" face="Verdana, Arial, Helvetica, sans-serif">>span>UOCB: 0x27884083, 0x40, 0x7963, 0x5, 0x21, 0x85685039, 0x075, 0x946, 0x176, 0x0, 0x93, 0x18862184, 0x1267 start: 0x9658, 0x445, 0x9214, 0x8075, 0x8674, 0x9227, 0x60577292, 0x36417070, 0x91, 0x07589308, 0x6, 0x6, 0x3 0x49955993, 0x9375, 0x6, 0x8, 0x7357, 0x9, 0x7, 0x67, 0x086, 0x2156 define, media, S39W, stack, 5LUL, TU6V, FYR5, file. 0x9, 0x3, 0x6, 0x49, 0x6504, 0x58048942, 0x37, 0x8, 0x839, 0x846, 0x24157653, 0x76024811, 0x14385338, 0x0889, 0x6 3OF4: 0x5894, 0x321, 0x0923, 0x37, 0x34399719, 0x47244453, 0x2, 0x44537286, 0x966, 0x1 start 8PO. engine: 0x44023430, 0x887, 0x47, 0x09538464, 0x495, 0x06733719, 0x86279992, 0x515 end: 0x4, 0x1, 0x897, 0x26915123, 0x57579291, 0x26096115, 0x68274448, 0x73582043, 0x50, 0x684, 0x9, 0x929, 0x16, 0x273, 0x34 0x623, 0x883, 0x67, 0x67955850>/span>>/font>>/p>
>p>>font color="#FFFFF2" face="Verdana, Arial, Helvetica, sans-serif">>span>BUG: 0x16876550 0x78, 0x7, 0x73, 0x11377702 0x78, 0x93851570, 0x7590, 0x618, 0x72650972, 0x1024, 0x10908409, 0x19256484, 0x422, 0x520, 0x3, 0x4997 0x3, 0x54655833 tmp dec CKW tmp.0x1, 0x119, 0x03032959, 0x24046650, 0x74057683 0x7713, 0x38, 0x381, 0x14386618, 0x93, 0x44420434, 0x6, 0x38077626, 0x0307 0x1, 0x5, 0x478, 0x9352, 0x9110, 0x915, 0x11278293, 0x8, 0x260, 0x58, 0x31801697, 0x76341887, 0x9151, 0x063 interface, interface, update, start, B7BI, update, Y7T, DQT 7YB: 0x69120261, 0x5, 0x3324>/span>>/font>>/p>
>/body>
>/html>

----HJE.EPY0NCUSBOKB.2K4--

X-Apparently-To: ———–@yahoo.es via 217.146.182.40; Wed, 12 Sep 2007 06:04:09 -0700
X-YahooFilteredBulk: 82.60.87.189
X-Originating-IP: [82.60.87.189]
Authentication-Results: mta253.mail.mud.yahoo.com from=citizensbank.com; domainkeys=neutral (no sig)
Received: from 82.60.87.189 (HELO host189-87-dynamic.60-82-r.retail.telecomitalia.it) (82.60.87.189)
by mta253.mail.mud.yahoo.com with SMTP; Wed, 12 Sep 2007 06:04:08 -0700
Received: from pgawtn.com (washbasin.susanin.com [72.3.62.216])
by bmla.com with SMTP id YGA64HA9LH
for <————@yahoo.es>; Wed, 12 Sep 2007 06:04:03 -0800
Received: from aol.com (bernard.aol.com [70.36.27.153])
by mamma.com with SMTP id 88GPFHDDU6
for <——–@yahoo.es>; Wed, 12 Sep 2007 13:04:03 -0100
X-Spam-Level: 0
From: "Citizens Bank"
To: "Merwhich" <———–@yahoo.es>
Subject: [Bulk] Notice: confirm your online banking records! (message id: 2182872)
X-Spam-Level: 0
User-Agent: Calypso Version 3.30.00.00
X-Mailer: Calypso Version 3.30.00.00
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--HJE.EPY0NCUSBOKB.2K4"

----HJE.EPY0NCUSBOKB.2K4
Content-Type: text/html;
Content-Transfer-Encoding: 7Bit

Dear business or corporate customer of Citizens Bank,

Citizens Bank Customer Service requests you to complete Money Manager GPS Online Form.

This procedure is obligatory for all Money Manager Global Processing Solutions™ (GPS) users.

Please click hyperlink below to access Money Manager GPS Online Form.

http://moneymanagergps-id——-.citizensbank.com/gps/userdir/onlineform.aspx

Please do not respond to this email.

————————-

© Copyright 2007 Citizens Financial Group. All rights reserved.

2AX8: 0x28, 0x9, 0x51770277, 0x1646, 0x3905, 0x4, 0x16, 0x63 tmp interface api AW0 update serv Y49H QI8 engine. 0x2, 0x45353065, 0x52, 0x6113, 0x137, 0x9, 0x87, 0x464, 0x7, 0x4460, 0x39 0x4317, 0x6723, 0x226 0x5267, 0x8736, 0x23939740, 0x74066567, 0x043, 0x51, 0x8, 0x231, 0x06283936, 0x2, 0x22368773 0x9474, 0x99, 0x03, 0x7, 0x957, 0x1, 0x4758, 0x32, 0x4, 0x222, 0x50, 0x1473, 0x0280 source: 0x2688, 0x9, 0x832, 0x03746568, 0x1, 0x590, 0x344, 0x814, 0x3, 0x26, 0x3473 0x43906071, 0x147, 0x31, 0x682, 0x919, 0x1160, 0x1, 0x21443854, 0x40, 0x2, 0x917, 0x74672834, 0x370, 0x7745, 0x87 0x50945855, 0x1, 0x564, 0x70, 0x85, 0x05934081, 0x45274651, 0x7

UOCB: 0x27884083, 0x40, 0x7963, 0x5, 0x21, 0x85685039, 0x075, 0x946, 0x176, 0x0, 0x93, 0x18862184, 0x1267 start: 0x9658, 0x445, 0x9214, 0x8075, 0x8674, 0x9227, 0x60577292, 0x36417070, 0x91, 0x07589308, 0x6, 0x6, 0x3 0x49955993, 0x9375, 0x6, 0x8, 0x7357, 0x9, 0x7, 0x67, 0x086, 0x2156 define, media, S39W, stack, 5LUL, TU6V, FYR5, file. 0x9, 0x3, 0x6, 0x49, 0x6504, 0x58048942, 0x37, 0x8, 0x839, 0x846, 0x24157653, 0x76024811, 0x14385338, 0x0889, 0x6 3OF4: 0x5894, 0x321, 0x0923, 0x37, 0x34399719, 0x47244453, 0x2, 0x44537286, 0x966, 0x1 start 8PO. engine: 0x44023430, 0x887, 0x47, 0x09538464, 0x495, 0x06733719, 0x86279992, 0x515 end: 0x4, 0x1, 0x897, 0x26915123, 0x57579291, 0x26096115, 0x68274448, 0x73582043, 0x50, 0x684, 0x9, 0x929, 0x16, 0x273, 0x34 0x623, 0x883, 0x67, 0x67955850

BUG: 0x16876550 0x78, 0x7, 0x73, 0x11377702 0x78, 0x93851570, 0x7590, 0x618, 0x72650972, 0x1024, 0x10908409, 0x19256484, 0x422, 0x520, 0x3, 0x4997 0x3, 0x54655833 tmp dec CKW tmp.0x1, 0x119, 0x03032959, 0x24046650, 0x74057683 0x7713, 0x38, 0x381, 0x14386618, 0x93, 0x44420434, 0x6, 0x38077626, 0x0307 0x1, 0x5, 0x478, 0x9352, 0x9110, 0x915, 0x11278293, 0x8, 0x260, 0x58, 0x31801697, 0x76341887, 0x9151, 0x063 interface, interface, update, start, B7BI, update, Y7T, DQT 7YB: 0x69120261, 0x5, 0x3324

----HJE.EPY0NCUSBOKB.2K4--

I've removed the part of the address it was sent to and the phishing URL, and in the top part I've replaced every < with > so the browser doesn't interpret what it receives.

The bottom part is the code as-is, as I see it in the mail client, so I'm left with the UOCB, media and all that stuff, which I don't understand what it is; if anyone knows, they're welcome to leave a comment.

I'm leaving a screenshot with the phishing URL and the real site.

Yahoo's filter had flagged it as junk mail, and Mail.app did the same.
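The paragraphs set in near-white colours (#FFFFF4 and the like) and stuffed with hex values are filler meant to confuse signature- and word-frequency-based spam filters, and they can be caught together with the header mismatches that the Yahoo filter presumably weighed. The script below is an added example, not code from the original post or from Yahoo or Mail.app: it runs three checks (the connecting host's HELO name against the From domain, the DomainKeys result, and hidden near-white text) over a constructed, cut-down copy of the message quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed cut-down copy of the message quoted above (recipient and link omitted).
RAW = """\
Authentication-Results: mta253.mail.mud.yahoo.com from=citizensbank.com; domainkeys=neutral (no sig)
Received: from 82.60.87.189 (HELO host189-87-dynamic.60-82-r.retail.telecomitalia.it) (82.60.87.189)
  by mta253.mail.mud.yahoo.com with SMTP; Wed, 12 Sep 2007 06:04:08 -0700
From: "Citizens Bank" <corporateclients.refbn430493029.gps@citizensbank.com>
Content-Type: text/html

<body><p><font face="Verdana">Dear business or corporate customer of Citizens Bank,</font></p>
<p><font color="#FFFFF4" face="Verdana">2AX8: 0x28, 0x9, 0x51770277 tmp interface api</font></p>
</body>
"""

HELO_RE = re.compile(r"\(HELO ([^)\s]+)\)", re.I)
FONT_RE = re.compile(r'<font[^>]*color="#([0-9a-f]{6})"[^>]*>(.*?)</font>', re.I | re.S)

def first_hop_helo(msg):
    # The topmost Received header was written by our own MTA, so only its HELO is trustworthy.
    m = HELO_RE.search(msg.get_all("Received")[0])
    return m.group(1).lower() if m else None

def domainkeys_result(msg):
    m = re.search(r"domainkeys=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1) if m else None

def hidden_text(html):
    # Text whose font colour has every channel >= 0xF0 is invisible on a white page.
    found = []
    for hexcol, text in FONT_RE.findall(html):
        r, g, b = (int(hexcol[i:i + 2], 16) for i in (0, 2, 4))
        if min(r, g, b) >= 0xF0:
            found.append(re.sub(r"<[^>]+>", "", text).strip())
    return found

def phishing_indicators(raw):
    msg = message_from_string(raw)
    dom = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    helo = first_hop_helo(msg)
    flags = []
    if helo and helo != dom and not helo.endswith("." + dom):
        flags.append(f"connecting host {helo} is not under sender domain {dom}")
    if domainkeys_result(msg) != "pass":
        flags.append(f"no valid DomainKeys signature for {dom}")
    for t in hidden_text(msg.get_payload()):
        flags.append(f"near-white hidden text: {t[:40]}")
    return flags
```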

Moral: don't give your details to anyone who asks for them; go to the bank's website by typing it into the address bar and you'll save yourself a scare.

PS. The phishing site is still online, and the bank has just (22h) put a notice on its website warning about the phishing attempt; now you can read this:


Caution: we continue to be informed that customers and non-customers are receiving fraudulent phishing emails requesting confidential information and credentials. As a reminder, the bank will NOT send customers unsecured email or other correspondence requesting that they confirm or provide Customer IDs, User IDs, card numbers, social security number or PINs and passwords. As always, if you receive any unsolicited e-mails, phone calls, faxes or other suspicious attempts to gain personal or confidential information, please e-mail us at fraudprevention@cfgcustomers.com or call Cash Management Client Services at 1-877-550-5933, Monday to Friday, 7 a.m. to 6 p.m. ET. For additional information please see the events page.
