NASTY phishing attack!

Greg Deputy greg at BLASTZONE.COM
Sat Nov 13 05:28:35 GMT 2004 

Take a look at this NASTY phishing attack.  It managed to sneak past the
MailScanner phishing detector, but was caught as spam.  What makes it
especially nasty is the page uses some sort of IE client side scripting
functionality that puts a text box on TOP of the browser address bar, so
it covers the actual URL!  I noticed it because I have the google
toolbar installed and it came up on top of that instead.

Very scary, any non-techie sort of person could easily be fooled by
this.  Yuck!

In case the page goes down or if you don't have access to a machine
running IE, here's a screenshot:

http://greg.blastzone.com/nastyPhish.jpg

> -----Original Message-----
> From: Washington Mutual Bank [mailto:service at wamu.com]
> Sent: Friday, November 12, 2004 7:05 PM
> To: undisclosed-recipients:
> Subject: [spam] {Spam?} Security Measures !
>
>
> The Blastzone.com MailScanner believes that the attachment to
> this message sent to you
>
>     From: service at wamu.com
>  Subject: Security Measures !
>
> is Unsolicited Commercial Email (spam). Unless you are sure
> that this message is incorrectly thought to be spam, please
> delete this message without opening it. Opening spam messages
> might allow the spammer to verify your email address.
>
> If you believe that this message has been incorrectly marked
> as spam, please forward this email to ham at blastzone.com.
>
>  pts rule name              description
> ---- ----------------------
> --------------------------------------------------
>  1.3 UNDISC_RECIPS          Valid-looking To "undisclosed-recipients"
>  0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP
> address in URL
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.2 MIME_HTML_ONLY         BODY: Message only has text/html
> MIME parts
>  0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
>  0.0 HTML_TITLE_EMPTY       BODY: HTML title contains no text
> -0.4 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
>                             [score: 0.0204]
>  1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  2.2 DCC_CHECK              Listed in DCC
> (http://rhyolite.com/anti-spam/dcc/)
>  0.1 DIGEST_MULTIPLE
>    Message hits more than one network digest check
>  0.6 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
>  0.1 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
>  0.0 FORGED_MUA_OUTLOOK     Forged mail pretending to be from
> MS Outlook
>
>
>
>

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

    [ Part 2, Message/RFC822  10KB. ]
    [ Unable to print this part. ]


    [ Part 2.1.2: "Attached Text" ]

    [ The following text is in the "Windows-1251" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

[IMAGE]
 
Dear Washington Mutual customer,
 
We recently reviewed your account, and suspect that your Washington
Mutual Internet Banking accountmay have been
accessed by an unauthorized third party.
Protecting the security of your account and of the Washington Mutual
network is our primary concern. Therefore, as a
preventative measure, we have temporarily limited access to sensitive
account features.
 
To restore your account access, please take the following steps to ensure
that your account has not been compromised:
 
1. Login to your Washington Mutual Internet Banking account. In case you
are not enrolled for Internet Banking, you will
have to fill in all the required information, including your name and you
account number.
 
2. Review your recent account history for any unauthorized withdrawals or
deposits, and check you account profile to
make sure not changes have been made. If any unauthorized activity has
taken place on your account, report this to
Washington Mutual staff immediately.
 
To get started, please click the link below:
 
MailScanner has detected a possible fraud attempt from "66.226.68.25"
claiming to be https://login.personal.wamu.com/logon/logon.asp?dd=1
 
We apologize for any inconvenience this may cause, and appreciate your
assistance in helping us maintain the integrity of
the entire Washington Mutual system. Thank you for attention to this
matter.
 
 
 
Sincerely,
 
The Washington Mutual Team
 
Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your
Washington Mutual account and choose the "Help" link in the header of any
page.
------------------------ MailScanner list ------------------------ To
unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/)
and the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

    [ Part 2.2, Image/GIF  2.3KB. ]
    [ Unable to print this part. ]

More information about the MailScanner mailing list