Generic Phishing Attack or an attack on PostFinance?
I found this mail in my spam folder recently (subject: "PostFinance Email Confirmation - retohugi (at) gmx.ch"):
Dear PostFinance Customer,
This email was sent by the PostFinance server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your PostFinance online access details. This is done for your protection - because some of our members no longer have access to their email addresses and we must verify it.
To verify your e-mail address, click on the link below:
http://www.postfinance.ch/ Km6Knl9DXmSXpRKg9ArCGqJZ0PJqiWIRROZFynNcLmhQvCH09r58bdtpa5l1gfz
The mail is in HTML format, so the link above was actually just linked text. The real hyperlink points to:
"http://www.google.ms/url?q=http://go.msn.com/HML/5/
9.asp?target=http://%6d8%74je%767.%64%%09A%%%2e%09%%%%72u%%%%09/" (this is one long URL)
First of all, I found it strange that the mail pretending to originate at PostFinance (the Swiss post bank) was written in English, as they never sent any mails in languages other than German to my address before (and probably send French and Italian mails, but not English ones).
Second, I noticed that the sent mail is actually very generic in its formulation. By replacing the word "PostFinance" with, say, "PayPal", the phishing would work perfectly fine again. All the phisher would have to do is implement some characteristics in the linked URL to provide the victim with the right look and feel of the website. (BTW: the linked URL didn't work for me. It seems the last URL is broken and not valid.)
At a second glance, something else came to my attention: why does Google implement such a simple redirect script? It's really easy to abuse it and to trap inexperienced users by linking to sites through Google in a camouflaged way. (Not to mention that the phisher actually redirected twice: first through Google and afterwards through MSN...)
Well, to make a long story short: don't get fooled by such mails, and never ever click on links in HTML-formatted mails if you cannot be sure it's not a "faked" link (which is even harder to find out if you are using Outlook or Outlook Express).
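The "faked link" check described above can be automated. This is an added example, not part of the original post: it compares the host shown in the link text with the host the href finally leads to, unwrapping redirect parameters such as q= and target= offline. The sample HTML is constructed, and phish.example is a placeholder standing in for the broken final URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def redirect_chain(url, max_depth=5):
    """Unwrap URLs carried in query parameters (q=, target=, ...) without network access."""
    chain = [url]
    for _ in range(max_depth):
        nested = [v for _, v in parse_qsl(urlsplit(chain[-1]).query)
                  if v.lower().startswith(("http://", "https://"))]
        if not nested:
            break
        chain.append(nested[0])
    return chain

def visible_host(text):
    """Host the reader sees when the link text itself looks like a URL, else None."""
    words = text.split()
    return urlsplit(words[0]).hostname if words and "://" in words[0] else None

def analyze(html):
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        hosts = [urlsplit(u).hostname for u in redirect_chain(href)]
        shown = visible_host(text)
        findings.append({"shown": shown, "hosts": hosts, "redirect_hops": len(hosts) - 1,
                         "text_mismatch": shown is not None and shown != hosts[-1]})
    return findings

# Constructed sample: same link shape as the mail; phish.example is a placeholder.
SAMPLE = ('<a href="http://www.google.ms/url?q=http://go.msn.com/HML/5/9.asp'
          '?target=http://phish.example/">http://www.postfinance.ch/</a>')
```

A link is worth flagging when `text_mismatch` is true or `redirect_hops` is greater than zero; the sample trips both.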
Trackbacks
Phishing for Postfinance (Part 2)
Reto's Weblog | 20/06/2006 00:22
They are phishing for Postfinance logins again. And although the e-mail looks much nicer this time, they still have too many typos in it. ;-)
Another not-so-clever idea they had was to use port 8081 for all their links, be it for the logo (yes, they ...

