One slight correction here. The domain haukelid.com doesn't belong to
the phisher. This is an active site that was likely just simply hacked
and then the PHP code was placed on it...it's a pretty ingenious way to
get a clean address.
Matt
Goran Jovanovic wrote:
Hi,
I do not understand how this is being displayed in IE.
I got a phishing e-mail reported to me and I went to check it out.
This is the HTML text
<P class=Estilo6>To log into your account and verify your account
activity,
click here: <BR><A
onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/
rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;"
href="http://haukelid.com/hfl/.rbc/index.php";
target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUES
T=ClientSignin&LANGUAGE=ENGLISH</A></P>
Now I understand that this shows up in the e-mail as
www1.royalbank.com/....
So what I did was to go to the haukelic.com/... page directly in IE.
When I get there the address in the address bar is
http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin
&LANGUAGE=ENGLISH
How is this possible to display some other address when I went to the
haukelid.com address?
What would people do to prevent this mail from getting through in the
future?
In the past I would have put into my phishing.txt filter
http://haukelid.com but when I go there it is a "real" site and the
first level down is also a real site. I am tempted to ban it at the top
level as this person is either using his own site to do phishing from or
his site is compromised and the next URL could be somewhere else on his
site.
Can I get some thoughts on this.
Thanx
Goran Jovanovic
The LAN Shoppe
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
