Ian ([personal profile] lovingboth) wrote 2005-01-17 11:33 am

"Please give us all your banking details, including passwords..."

All the usual 'this is a scam' signs: odd 'from' address, the HTML bit of the email is a single .gif, called aunt.gif! The non-HTML is 'get me through the spam filters' gibberish: "Animated Graphics Firestone Tires I'd like to see you in 1868". The language used is not that of a native English speaker:

Dear client of the Halifax Internet banking,
[..] We earnestly ask you to visit the following link and to confirm your bank data: [..] This instruction has been sent to all bank customers and is obligatory to follow
Please do not answer to this email [..]


Ok, let's see what the purported link of https://www.halifax-online.co.uk/ etc actually is.

Gosh, it really is https://www.halifax-online.co.uk/ etc, none of this 'genuine-looking-address@dodgy-one' or 'IP-address/genuine-looking-rest' stuff.

OK, let's do a whois.

Domain Name: halifax-online.co.uk

Registrant: Halifax plc


Yeah, yeah, that's what they all say.

Administrative Contact's Address: Inca Research Inc, Victoria Chambers, Fir Vale Road, Bournemouth, BH1 2JN.


Ha! Well, there are some companies that let their suppliers manage their domains, but an Inc (rather than Ltd or plc) in the UK?

Relevant Dates: Registered on:  26-Apr-1999


But gosh. If this were a 'let's register a plausible sounding domain name and see who bites' scam, you'd have expected Halifax to have stomped on them years ago.

A check of Nominet's dispute registration scheme does show that Inca are real but have been naughty in the past.

OK, let's be brave and look at halifax-online.co.uk - hmm, the certificate is valid, the site looks genuine. The IP address is 212.140.245.11 vs 212.140.245.97 for halifax.co.uk, too.

Gosh. Have I been spammed by a dodgy email that actually points to a genuine site?

[personal profile] tempaccount99 2005-01-17 11:35 am (UTC)
Yup, Halifax-online.co.uk is the genuine URL for Halifax internet banking. How very strange...

[identity profile] hfnuala.livejournal.com 2005-01-17 11:37 am (UTC)
There's probably spyware in there somewhere - they want you to log onto the genuine site so they can collect your login data.

[identity profile] ciphergoth.livejournal.com 2005-01-17 11:39 am (UTC)
Maybe you are looking at the text version of the email, and the HTML one says [a href=dodgy-site]legitimate-link[/a] ?

[personal profile] vampwillow 2005-01-17 12:19 pm (UTC)
I've noticed that quite a few spam mails actually include links to the 'real' site. I've assumed it is so that you transfer the trust from one to the link they give you ...

If in doubt...

[identity profile] pavlos.livejournal.com 2005-01-18 02:51 am (UTC)
Using Firefox (or Mozilla) go to Tools->Page Info->Security and look at the company to whom the HTTPS certificate is issued. For https://www.halifax-online.co.uk/ it's Hbos Plc.