Analysis of a Mail Scam

It is genuinely surprising that a spam/scam phishing mail made it past Gmail's filter, given that only a handful of spam mails have made it through in all the years I've had the account.

If this one made it through, I'm sure other people have received the same thing as well, so it seems a good idea to share this information, lest someone gets their bank account broken into.

Apart from masking my email addresses with XXXXX, the entire body of the message is reproduced unchanged:

Delivered-To: [email protected]
Received: from gmail-pop.l.google.com [209.85.163.109]
        by localhost with POP3 (fetchmail-6.3.4)
        for <XXXXX@localhost> (single-drop); Sat, 15 Sep 2007 13:30:05 -0700 (PDT)
Received: by 10.114.109.12 with SMTP id h12cs126573wac;
        Sat, 15 Sep 2007 13:21:15 -0700 (PDT)
Received: by 10.100.46.19 with SMTP id t19mr4664427ant.1189887674970;
        Sat, 15 Sep 2007 13:21:14 -0700 (PDT)
Return-Path: [email protected]
Received: from mail.com ([76.224.245.158])
        by mx.google.com with SMTP id i10si2529292wxd.2007.09.15.13.20.55;
        Sat, 15 Sep 2007 13:21:14 -0700 (PDT)
Received-SPF: neutral (google.com: 76.224.245.158 is neither permitted nor denied by domain of [email protected]) client-ip=76.224.245.158;
Authentication-Results: mx.google.com; spf=neutral (google.com: 76.224.245.158 is neither permitted nor denied by domain of [email protected])
[email protected]
Message-Id: <[email protected]>
From: Bank Of America Security Team <[email protected]>
Subject: *** Important Notice From Bank Of America Security Center ***
Date: Sat, 15 Sep 2007 13:21:16 -0700
MIME-Version: 1.0
Content-Type: text/plain;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

 We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the
logons. We now need you to re-confirm your account information to us.

If this is not completed by September 17, 2007, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We
thank you for your cooperation in this manner.


  To confirm your Online Banking records click on the following link:
  http://76.225.156.194/verify/sslencrypt218bit/online_banking/


Thank you for your patience in this matter.

Bank of America Customer Service

Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

 2007 Bank of America Corporation. All rights reserved.

The parts highlighted in red are the ones people should look out for. Firstly, Bank of America apparently decided to send me mail via Yahoo; how interesting. Secondly, instead of linking to Bank of America's website, the link points at a bare IP address. That is a giveaway that the server isn't legitimate.

Doing a reverse DNS lookup via 'host' yields the following information:

adsl-76-225-156-194.dsl.pltn13.sbcglobal.net

Isn't it interesting to find out that Bank of America has to rely on someone's home ADSL connection? sbcglobal.net is one of America's Internet providers, so I assume this originated from somewhere in the US.

Running 'traceroute' seems to confirm that it came from somewhere on the East Coast, possibly New York, and that the machine is still up and running.

Well, either the hacker is really dumb, or some poor guy's machine has been compromised and has become an unwitting accomplice in a phishing attempt. If you are one of the few who has received a warning email like this from Bank of America, take note, and don't fall for it.
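The three giveaways discussed above (a bank's display name on a mail sent from another domain, an SPF result that is not a pass, and a link to a bare IP address instead of the bank's hostname) can be checked mechanically. The script below is an added example, not part of the original post; the sample message is constructed from the headers shown above with the masked addresses replaced by placeholder values, and bankofamerica.com is assumed as the brand's domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address
# Constructed sample modelled on the post's headers; the masked addresses are
# replaced with placeholders, not the original values.
SAMPLE = """\
Authentication-Results: mx.google.com; spf=neutral (google.com: 76.224.245.158 is neither permitted nor denied by domain of sender@yahoo.example)
From: Bank Of America Security Team <sender@yahoo.example>
Content-Type: text/plain; charset="Windows-1251"

We now need you to re-confirm your account information to us.
To confirm your Online Banking records click on the following link:
http://76.225.156.194/verify/sslencrypt218bit/online_banking/
"""

URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")

def spf_result(msg):
    """Return the spf= verdict from Authentication-Results, or 'none'."""
    m = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else "none"

def ip_link_hosts(body):
    """Hosts of URLs in the body that are bare IP addresses, not domain names."""
    hosts = []
    for host in URL_HOST_RE.findall(body):
        try:
            ip_address(host)   # raises ValueError for a real hostname
            hosts.append(host)
        except ValueError:
            pass
    return hosts

def phishing_indicators(raw, brand_domains=("bankofamerica.com",)):
    """Apply the post's three checks and return the indicators that fired."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    hits = []
    # 1. Display name claims a bank, but the mail was sent from another domain.
    if "bank" in name.lower() and sender_domain not in brand_domains:
        hits.append(f"display name '{name}' but sender domain {sender_domain}")
    # 2. SPF did not pass: the sending host is not authorised for that domain.
    if (verdict := spf_result(msg)) != "pass":
        hits.append(f"spf={verdict}")
    # 3. Links point at a bare IP address instead of the bank's hostname.
    for host in ip_link_hosts(msg.get_payload()):
        hits.append(f"link to bare IP {host}")
    return hits
```

Running `phishing_indicators(SAMPLE)` reports all three indicators for the constructed message; a legitimate mail from the brand's own domain with spf=pass and hostname links returns an empty list.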