"Please give us all your banking details, including passwords..."

[lovingboth]

All the usual 'this is a scam' signs: odd 'from' address, the HTML bit of the email is a single .gif, called aunt.gif! The non-HTML is 'get me through the spam filters' gibberish: "Animated Graphics Firestone Tires I'd like to see you in 1868". The language used is not that of a native English speaker:

Dear client of the Halifax Internet banking,
[..] We earnestly ask you to visit the following link and to confirm your bank data: [..] This instruction has been sent to all bank customers and is obligatory to follow
Please do not answer to this email [..]

Ok, let's see what the purported link of https://www.halifax-online.co.uk/ etc actually is.

Gosh, it really is https://www.halifax-online.co.uk/ etc, none of this 'genuine-looking-address@dodgy-one' or 'IP-address/genuine-looking-rest' stuff.

OK, let's do a whois.

Domain Name: halifax-online.co.uk

Registrant: Halifax plc

Yeah, yeah, that's what they all say.

Administrative Contact's Address: Inca Research Inc, Victoria Chambers, Fir Vale Road, Bournemouth, BH1 2JN.

Ha! Well, there are some companies that let their suppliers manage their domains, but an Inc (rather than Ltd or plc) in the UK?

Relevant Dates: Registered on:  26-Apr-1999

But gosh. If this were a 'let's register a plausible sounding domain name and see who bites' scam, you'd have expected Halifax to have stomped on them years ago.

A check of Nominet's dispute registration scheme does show that Inca are real but have have been naughty in the past.

OK, let's be brave and look at halifax-online.co.uk - hmm, the certificate is valid, the site looks genuine. The IP address is 212.140.245.11 vs 212.140.245.97 for halifax.co.uk, too.

Gosh. Have I been spammed by a dodgy email that actually points to a genuine site?

Comments

[tempaccount99]

Yup, Halifax-online.co.uk is the genuine URL for halifax internet banking. How very strange...

[lovingboth]

See my comment to Paul, but I'm staggered the Admin contact is such a dodgy bunch. halifax.co.uk has a much more plausible whois.

[hfnuala.livejournal.com]

There's probably spyware in there somewhere - they want you to log onto the genuine site so they can collect your login data.

[ciphergoth.livejournal.com]

Maybe you are looking at the text version of the email, and the HTML one says [a href=dodgy-site]legitimate-link[/a] ?

[lovingboth]

Nope, the text is just that 'Animated .. 1898'. And I always always check where the link actually is before using it.

Though looking at the HTML I see it's more complicated than I thought (I've added a few linebreaks):

<html><p><font face="Arial">
<A HREF="https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk"><map name="FPMap0">
<area coords="0, 0, 593, 300" shape="rect" href="http://207.202.89.91:87/f/index.htm"></map>
<img SRC="cid:part1.09060902.02020905@identdepmnt_op9226416754002@halifax.co.uk" border="0" use map="#FPMap0"></A></a>
</font></p>
<p><font color="#FFFFF0">Animated Graphics Firestone Tires I'd like to see you in 1868 </font></p>
</html>

- never having coded an imagemap in my life, this translates as "in some places of the image, go to the real site, but elsewhere go to the nasty", doesn't it?

It's possible The Bat!'s html rendering engine doesn't do imagemaps, and this is yet another "let's punish people using OE" job.

[vampwillow]

I've noticed that quite a few spam mails actually include links to the 'real' site. I've assumed it is so that you transfer the trust from one to the link they give you ...

If in doubt...

[pavlos.livejournal.com]

Using Firefox (or Mozilla) go to Tool->Page Info->Security and look at the company to whom the HTTPS certificate is issued. For https://www.halifax-online.co.uk/ it's Hbos Plc.