02 December 2008

abbey national plc phish

heres a new style phish we just received. it pretends to be a message alert to 1 unread message in the inbox folder of an abbey national plc account holder. this phish uses a different variation on a social engineering technique from past phishes we've seen.

the usual phish attempts to trick you into signing directly into your account usually by feigning an account emergency. this phish has no sense of urgency. it's innocuous. it comes across as just an alert sent to let an account holder know of a new abbey national message. if the spammer is lucky enough to reach a few new abbey national account holders it could trick them. in 2004 some 28% of internet users were tricked by phishing schemes...

What is Phishing and Pharming?
Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials.

Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers.

Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.~ source anti-phishing working group

To: abuse@everestkc.net, reportphishing@antiphishing.org
Cc: spam@uce.gov
Subject: Fw: Message Alert - You Have 1 Unread Message

EVERESTKC.NET: this spam was sent to advertise a phishing website that you host please would you terminate service to:

myonlineaccounts2.abbeynational.co.uk.pn3ekq976.com

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9Ng==
X-Message-Status: s4:0
X-SID-PRA: Abbey National plc secure.message@abbey.co.uk
X-Message-Info: 6sSXyD95QpU8xbv5wUfSQ1DqaMCFQETtiVr8z88oeK/5oHsiuv5QfAsFosZ1GwTVDCLY08fF82kXcxIXiI1WzOkAsBLZx8Oy
Received: from ensim.repairit.dk ([87.62.58.176]) by bay0-mc12-f14.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Mon, 1 Dec 2008 20:26:49 -0800
Received: from VPS368386 (wvps212-241-220-200.vps.webfusion.co.uk [212.241.220.200])
(authenticated bits=0)
by ensim.repairit.dk (8.12.10/8.12.10) with ESMTP id mB24NOO4016667;
Tue, 2 Dec 2008 05:23:24 +0100
Message-ID: 1D2DDF10C8FB47878D6A8E73D47037C1@VPS368386
Reply-To: "Abbey National plc" secure.message@abbey.co.uk
From: "Abbey National plc" secure.message@abbey.co.uk
To: @yahoo.co.uk, @btinternet.com,@yahoo.co.uk, @hotmail.co.uk,@hotmail.com, @hotmail.co.uk, @hotmail.com, @hotmail.co.uk,@hotmail.com, @hotmail.co.uk,@hotmail.com, @telia.co.uk, @telia.com, @hotmail.co.uk, @hotmail.com, @spray.se,@msn.co.uk, @msn.com, @yahoo.fr,@msn.co.uk, @msn.com, @hotmail.co.uk,@hotmail.com, @hotmail.co.uk,@hotmail.com
Subject: Message Alert - You Have 1 Unread Message
Date: Tue, 2 Dec 2008 05:26:28 +0100
Organization: Abbey National plc
MIME-Version: 1.0
Content-Type: text/html;
charset="koi8-r"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6001.18000
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18000
Return-Path: secure.message@abbey.co.uk
X-OriginalArrivalTime: 02 Dec 2008 04:26:49.0775 (UTC) FILETIME=[31D48BF0:01C95436]

Abbey

PART OF THE SANTANDER GROUP

Dear Valued Customer,

You have a new message waiting in your Inbox Folder.

Click here to read.
http://myonlineaccounts2.abbeynational.co.uk.pn3ekq976.com/index.php

Best Regards.
Abbey National plc Security Department Team.

* Please do not reply to this email as your reply will not be received.

Abbey National plc. Registered Office: Abbey National House, 2 Triton Square, Regent's Place, London, NW1 3AN, United Kingdom. Registered Number 2294747. Registered in England. Telephone 0870 607 6000. Calls may be recorded or monitored. Calls may be recorded or monitored. Authorised and regulated by the Financial Services Authority. FSA registration number 106054. For more information visit www.fsa.gov.uk/register. Abbey and the flame logo are registered trademarks