RE: [Declude.JunkMail] Phishing Question

Thu, 12 May 2005 13:33:43 -0700 

You're seeing a full-size browser window, with a graphic that is the
fake bar, and a form that is designed to look like the address bar.

In other words, they're using fake graphic elements to make you think
you're at the right site.

Yes, block the site.

Also, send a copy of the original spam to:

        [EMAIL PROTECTED]

and 

        [EMAIL PROTECTED]

Andrew 8)


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, May 12, 2005 1:17 PM
To: [email protected]
Subject: [Declude.JunkMail] Phishing Question


Hi,

I do not understand how this is being displayed in IE.

I got a phishing e-mail reported to me and I went to check it out.

This is the HTML text

<P class=Estilo6>To log into your account and verify your account
activity, 
click here: <BR><A 
onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/
rbunxcgi?REQUEST=ClientSignin&amp;LANGUAGE=ENGLISH'; return true;" 
href="http://haukelid.com/hfl/.rbc/index.php"; 
target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUES
T=ClientSignin&amp;LANGUAGE=ENGLISH</A></P>

Now I understand that this shows up in the e-mail as
www1.royalbank.com/.... 

So what I did was to go to the haukelic.com/... page directly in IE.
When I get there the address in the address bar is
http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin
&LANGUAGE=ENGLISH 

How is this possible to display some other address when I went to the
haukelid.com address?

What would people do to prevent this mail from getting through in the
future?

In the past I would have put into my phishing.txt filter
http://haukelid.com but when I go there it is a "real" site and the
first level down is also a real site. I am tempted to ban it at the top
level as this person is either using his own site to do phishing from or
his site is compromised and the next URL could be somewhere else on his
site.

Can I get some thoughts on this.

Thanx

 
     Goran Jovanovic
     The LAN Shoppe
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Reply via email to