Sunday, September 16, 2007

Analysis of a Mail Scam

It is actually surprising that that actually a spam/scam phishing mail actually made it past Gmail's filter, given that I have only had a handful of spam mails making through out of the years I've had the account.

If that made through, I'm sure other people would have received the same thing as well, so it might be a good idea to share with others this information, lest someone gets their bank account broken into.

Besides marking out my email addresses with XXXXX, the entire body of the message remains the same:
Delivered-To: XXXXX@gmail.com
Received: from gmail-pop.l.google.com [209.85.163.109]
by localhost with POP3 (fetchmail-6.3.4)
for <XXXXX@localhost> (single-drop); Sat, 15 Sep 2007 13:30:05 -0700 (PDT)
Received: by 10.114.109.12 with SMTP id h12cs126573wac;
Sat, 15 Sep 2007 13:21:15 -0700 (PDT)
Received: by 10.100.46.19 with SMTP id t19mr4664427ant.1189887674970;
Sat, 15 Sep 2007 13:21:14 -0700 (PDT)
Return-Path: update@yahoo.com
Received: from mail.com ([76.224.245.158])
by mx.google.com with SMTP id i10si2529292wxd.2007.09.15.13.20.55;
Sat, 15 Sep 2007 13:21:14 -0700 (PDT)
Received-SPF: neutral (google.com: 76.224.245.158 is neither permitted nor denied by domain of update@yahoo.com) client-ip=76.224.245.158;
Authentication-Results: mx.google.com; spf=neutral (google.com: 76.224.245.158 is neither permitted nor denied by domain of update@yahoo.com)
smtp.mail=update@yahoo.com
Message-Id: <46ec3eba.0a87460a.1faa.47a0SMTPIN_ADDED@mx.google.com>
From: Bank Of America Security Team <update@yahoo.com>
Subject: *** Important Notice From Bank Of America Security Center ***
Date: Sat, 15 Sep 2007 13:21:16 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the
logons. We now need you to re-confirm your account information to us.

If this is not completed by September 17, 2007, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We
thank you for your cooperation in this manner.


To confirm your Online Banking records click on the following link:
http://76.225.156.194/verify/sslencrypt218bit/online_banking/


Thank you for your patience in this matter.

Bank of America Customer Service

Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

2007 Bank of America Corporation. All rights reserved.
The parts highlighted in red is the ones that people should look out for. Firstly, Bank of America decided to send me a mail via Yahoo, how interesting. The second part, being that instead of linking to Bank of America's website, an IP address is used for this purpose. That's a giveaway that the server isn't legitimate.

Doing a reverse DNS lookup via 'host' yields the following information:
adsl-76-225-156-194.dsl.pltn13.sbcglobal.net
Isn't that interesting to find out that Bank of America has to rely on someone's home ADSL connection. sbcglobal.net is one of the America's Internet providers, so I assume this has originated from somewhere in the US.

Doing a 'traceroute' seems to confirm that it came from somewhere in the East Coast, possibly New York, and the machine is still up and running.

Well either the hacker is really dumb, or some poor guy's machine has been compromised and became an unwitting accomplice in a phishing scam attempt. If you are one of the few who has received any warning email from Bank of America, take note, and don't fall for it.

12 comments:

Pink Drama said...

thank you so much. i received the same email in my spam folder through gmail. of course, i didn't go to the website, for several reasons, number 1 being i don't even have bank of america, but i did google the ip address and this post came up, so i'm giving you thanks for posting it. maybe someone else higher up will read it and fix this problem.

Mary said...

I also receive the e-mail from "Bank of America" in my gmail account. I just closed my account with Bank of America a few weeks ago. I searched update@yahoo.com and found this website. Thank you for discussing about the fraud e-mail on your site.

Vincent Liu said...

Thanks for coming by and leaving a comment. Good to know that it had been useful.

While I haven't checked if the phishing scam site is still up, but I'll probably try to contact the ISP just to let them know, and close it down before any damage is being done.

Cheers!

Bug said...

You got his E-Mail and his IP [Assuming he is dumb].

What are you gonna do about it?
Any payback hits? :)

Vincent Liu said...

Bug, are you serious? I may be a tracker, but I'm no hacker!

Btw, the email address is likely forged, and I think the most prudent step is to either inform BoA or sbcglobal and ask them to shut down the illicit operation.

What are you thinking of? A massive botnet DDOS retaliation? :P

Anonymous said...

haha. wow. i just got this too and googled the email addres at yahoo and found this link.

so bklatantly fradulant in so many ways as many have pointed out.

hope others dont fall for this scam...

Anonymous said...

Just got this again in my gmail spam folder Now he pretends to be from HSBC :)

Vincent Liu said...

Anon@Oct12: Well there's no rest for the wicked, I suppose! :)

Jimmy Dean said...

It is easy to dupe people. These things are easy for me to spot, but thats because I am tech savvy. I feel sorry for the ones who dont know and get tricked all the while.

jeff said...

That IP is from the bay area, california.
Mine is adsl-68-122-74-???.dsl.pltn13.pacbell.net.
Which is an ATT/Yahoo DSL line in Sebastopol, CA.
Kinda scary, I wonder if it is one of my neighbors.

Anonymous said...

Here in Scotland, I got an email supposedly from Lloyds Bank using the same email address... he is trying it on in the UK too!!

Vincent Liu said...

I can't believe that the scam's still on, but it probably isn't surprising that now it's aiming at the UK (or any bank in the world for that matter).

For these scammers, the wider the net they cast, the better their results get.

I think we all have to be more vigilant and inform friends and family of these scams, and hopefully nobody will suffer from it.

Post a Comment