New phishing strategy

Ken Goods KGoods at AIAInsurance.com
Tue Feb 6 18:10:29 CET 2007


Ian wrote:
> On 6 Feb 2007 at 7:31, Drew Burchett wrote:
> 
>> The attached email is an example of a number of recent phishing
>> attempts that my users and I have been receiving over the past
>> several days. As you can see, it isn't like your normal phishing
>> attempt because the link that it's sending you to isn't masked by
>> another link in any way. This allows it to slip right through
>> MailScanner's phishing filter. The site seems to have been already
>> taken down, and I've fed these into my spam filter to identify them
>> as spam, but I'm wondering if there's anything else that can be done
>> within mailscanner or spamassassin to stop them?
> 
> Hi,
> 
> Not really as this would rely on MailScanner knowing that the
> Heritage Bank's website is 'bankwithheritage.com' and not
> bankwith-heritage.com. MailScanner can only detect that the title of
> the link doesn't match the target. 
> 
> Your best course of action is to educate users not to trust anything
> sent in an email, no matter what it is.  If in any doubt they should
> pick up a printed phone book, look up the number for their financial
> institution, call and ask. 
> 
> Regards
> 
> Ian
> --

Or... you can use ClamAV to catch these nasties like this.... (Sorry I
couldn't reply to the OP but since it was caught by ClamAV it didn't make it
to me! :)

The following e-mails were found to have: Virus Detected

    Sender: mailscanner-bounces at lists.mailscanner.info
IP Address: 83.98.192.7
 Recipient: kgoods at mydomain.com
   Subject: New phishing strategy
 MessageID: l16DiWNd014477
Quarantine: /var/spool/MailScanner/quarantine/20070206/l16DiWNd014477
    Report: ClamAV: hb1.txt contains HTML.Phishing.Bank-1074 
    Report: ClamAV: hb1.zip contains HTML.Phishing.Bank-1074 

Full headers are:

 Return-Path: <g>
 Received: from safir.blacknight.ie (safir.blacknight.ie [83.98.192.7])
 	by gw-mail.aiainsurance.com (8.13.1/8.13.1) with ESMTP id
l16DiWNd014477
 	for <kgoods at mydomain.com>; Tue, 6 Feb 2007 05:44:35 -0800
Received: from safir.blacknight.ie (safir.blacknight.ie [127.0.0.1])
 	by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id l16DZ7ac007105;
 	Tue, 6 Feb 2007 13:36:25 GMT
 X-Mailman-Handler: $Id: mm-handler,v 1.2 2002/04/05 19:41:09 bwarsaw Exp $
 Received: from spamfilter.onlineky.net (spamfilter2.onlineky.net
[65.241.66.9])
 	by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id l16DZ5MF007100
 	for <mailscanner at lists.mailscanner.info>; Tue, 6 Feb 2007 14:35:05
+0100
 Received: from united-systems.local (intranet.united-systems.com
[65.241.66.2])
 	by spamfilter.onlineky.net (Postfix) with ESMTP id 0EBC852F0D
 	for <mailscanner at lists.mailscanner.info>;
 	Tue,  6 Feb 2007 07:31:10 -0600 (CST)
 Content-class: urn:content-classes:message
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
boundary="----_=_NextPart_001_01C749F3.0EAC3688"
 Date: Tue, 6 Feb 2007 07:31:06 -0600
 X-MimeOLE: Produced By Microsoft Exchange V6.5
 Message-ID:
<1E75E79B854C814784D0E8C5BA55AF76F77137 at uss2k01.united-systems.local>
 X-MS-Has-Attach: yes
 X-MS-TNEF-Correlator: 
 Thread-Topic: New phishing strategy
 Thread-Index: AcdJ8w5HFpUKOPp2SLWUYlJyEYZGEg==
 From: "Drew Burchett" <DrewB at united-systems.com>
 To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
 X-USS-MailScanner-Information: Please contact the ISP for more information
 X-USS-MailScanner: Found to be clean
 X-USS-MailScanner-From: drewb at united-systems.com
 Subject: New phishing strategy
 X-BeenThere: mailscanner at lists.mailscanner.info
 X-Mailman-Version: 2.1.5
 Precedence: list
 Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
 List-Id: MailScanner discussion <mailscanner.lists.mailscanner.info>
 List-Unsubscribe:
<http://lists.mailscanner.info/mailman/listinfo/mailscanner>, 
 
<mailto:mailscanner-request at lists.mailscanner.info?subject=unsubscribe>
 List-Archive: <http://lists.mailscanner.info/pipermail/mailscanner>
 List-Post: <mailto:mailscanner at lists.mailscanner.info>
 List-Help: <mailto:mailscanner-request at lists.mailscanner.info?subject=help>
 List-Subscribe:
<http://lists.mailscanner.info/mailman/listinfo/mailscanner>, 
 
<mailto:mailscanner-request at lists.mailscanner.info?subject=subscribe>
 Sender: mailscanner-bounces at lists.mailscanner.info
 Errors-To: mailscanner-bounces at lists.mailscanner.info

Pretty slick really.... :)

HTH, 
Ken

Ken Goods
Network Administrator
AIA/CropUSA Insurance, Inc.
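
Added example, not part of the original thread and not MailScanner or ClamAV code: a sketch of why a text-versus-target comparison of the kind Ian describes passes an unmasked link to bankwith-heritage.com, and what a site-maintained list of real bank domains adds. The PROTECTED list, the function names and the sample message body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: a list you maintain of domains your users really bank with.
PROTECTED = {"bankwithheritage.com"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    """Lower-cased hostname without a leading 'www.'; '' if there is none."""
    h = (urlparse(url if "//" in url else "//" + url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def text_mismatch(href, text):
    """Masked-link test: visible text names a host other than the real target."""
    if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        return False  # text is plain words, nothing to compare against
    return host(text) != host(href)

def lookalike(href):
    """Target is not protected but equals a protected name once '-', '_', '.' go."""
    skel = lambda d: re.sub(r"[-_.]", "", d)
    h = host(href)
    return h not in PROTECTED and skel(h) in {skel(p) for p in PROTECTED}

def scan(html):
    p = LinkCollector()
    p.feed(html)
    return [(h, text_mismatch(h, t), lookalike(h)) for h, t in p.links]

SAMPLE = (  # constructed message body: unmasked lookalike, masked link, real site
    '<a href="http://www.bankwith-heritage.com/login">http://www.bankwith-heritage.com/login</a>'
    '<a href="http://203.0.113.5/x">www.bankwithheritage.com</a>'
    '<a href="https://www.bankwithheritage.com/">Heritage Bank</a>')
```

scan(SAMPLE) returns one (href, text_mismatch, lookalike) tuple per link: the unmasked lookalike passes the mismatch test and is flagged only by the PROTECTED comparison, which is the knowledge the filter does not have on its own.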



