14 March 2006

insidious phishing email

we received this phishing email this morning and its about the best phishing work we have seen.

tips off included
1) we dont have an account at capital one;
2) banks never send offers by email.

here is the original email.

click on any picture to enlarge

if you hover your mouse over where it says "apply now" you will see the true url in your status bar in the lower left hand corner of your screen: capitalonesafecard.com/creditcard.html

we know that most large companies such as capital one instead of using third party hosting have their own servers.

a whois lookup of the capitalonesafecard.com domain reveals that sure enough its hosted by comcast.

the whois lookup of the capitalone.com domain shows that as we suspected they have their own servers:

if you receive these types of emails and you would like to help by reporting them then please copy and put in your address book this address: reportphishing@antiphishing.org and also the federal trade commission has an email address that we can send besides phishing spam, any spam to and its: spam@uce.gov

its important that when you send on spams that you include the complete unaltered email headers, antiphishing.org instructions are here.

our complaint regarding the above phishing email (shown for example purposes)

From:edited@msn.com
To: abuse@comcast.net,reportphishing@antiphishing.org
Cc: spam@uce.gov
Subject: Fw: Few tips for online shopping from Capital One
Date: Tue, 14 Mar 2006 10:50:41 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0006_01C64755.2386B1E0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01C64755.2386B1E0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Capital One - Credit Cards - Respond to an invitation

COMCAST.NET: this phising spam was sent to advertise a website that you host please would you terminate service to:

www.capitalonesafecard.com

*original email body here*

EXTERNAL LINK