NASTY phishing attack!

Julian Field mailscanner at ecs.soton.ac.uk
Sat Nov 13 17:04:28 GMT 2004


Do you have
Allow Script Tags = disarm
set in MailScanner.conf?

Greg Deputy wrote:

>Take a look at this NASTY phishing attack.  It managed to sneak past the
>MailScanner phishing detector, but was caught as spam.  What makes it
>especially nasty is the page uses some sort of IE client side scripting
>functionality that puts a text box on TOP of the browser address bar, so
>it covers the actual URL!  I noticed it because I have the google
>toolbar installed and it came up on top of that instead.
>
>Very scary, any non-techie sort of person could easily be fooled by
>this.  Yuck!
>
>In case the page goes down or if you don't have access to a machine
>running IE, here's a screenshot:
>
>http://greg.blastzone.com/nastyPhish.jpg
>
>
>
>>-----Original Message-----
>>From: Washington Mutual Bank [mailto:service at wamu.com]
>>Sent: Friday, November 12, 2004 7:05 PM
>>To: undisclosed-recipients:
>>Subject: [spam] {Spam?} Security Measures !
>>
>>
>>The Blastzone.com MailScanner believes that the attachment to
>>this message sent to you
>>
>>    From: service at wamu.com
>> Subject: Security Measures !
>>
>>is Unsolicited Commercial Email (spam). Unless you are sure
>>that this message is incorrectly thought to be spam, please
>>delete this message without opening it. Opening spam messages
>>might allow the spammer to verify your email address.
>>
>>If you believe that this message has been incorrectly marked
>>as spam, please forward this email to ham at blastzone.com.
>>
>> pts rule name              description
>>---- ---------------------- --------------------------------------------------
>> 1.3 UNDISC_RECIPS          Valid-looking To "undisclosed-recipients"
>> 0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
>> 0.0 HTML_MESSAGE           BODY: HTML included in message
>> 0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>> 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
>> 0.0 HTML_TITLE_EMPTY       BODY: HTML title contains no text
>>-0.4 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
>>                            [score: 0.0204]
>> 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>> 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>> 0.1 DIGEST_MULTIPLE        Message hits more than one network digest check
>> 0.6 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
>> 0.1 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
>> 0.0 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
>>
>>
>>
>>
>>
>>
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Security Measures !
> From:
> "Washington Mutual Bank" <service at wamu.com>
> Date:
> Fri, 12 Nov 2004 19:05:10 -0800
> To:
> <undisclosed-recipients:>
>
>
>
> Dear Washington Mutual customer,
>
> We recently reviewed your account, and suspect that your Washington
> Mutual Internet Banking accountmay have been
> accessed by an unauthorized third party.
> Protecting the security of your account and of the Washington Mutual
> network is our primary concern. Therefore, as a
> preventative measure, we have temporarily limited access to sensitive
> account features.
>
> To restore your account access, please take the following steps to
> ensure that your account has not been compromised:
>
> 1. Login to your Washington Mutual Internet Banking account. In case
> you are not enrolled for Internet Banking, you will
> have to fill in all the required information, including your name and
> you account number.
>
> 2. Review your recent account history for any unauthorized withdrawals
> or deposits, and check you account profile to
> make sure not changes have been made. If any unauthorized activity has
> taken place on your account, report this to
> Washington Mutual staff immediately.
>
> To get started, please click the link below:
>
> *MailScanner has detected a possible fraud attempt from "66.226.68.25"
> claiming to be *
> _https://login.personal.wamu.com/logon/logon.asp?dd=1_
> <http://66.226.68.25/>_
>
> We apologize for any inconvenience this may cause, and appreciate your
> assistance in helping us maintain the integrity of
> the entire Washington Mutual system. Thank you for attention to this
> matter.
>
> _


--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
