Abbey National Phishing Scam

Despite the shut-down of a major spam, scam and phishing centre in the US during 2008, the scamsters are back up and running and the number of fraud emails is on the rise. The email below is a typical example of the modern scam email: it uses sophisticated cloaking and email redirects so that it looks more authentic than many older versions of the scam.

However, if you look carefully you will see that there are a number of features that mark this clearly as a scam email. I will take you through each of these in this article:

=========Scam eMail Begins===========

Subject: Abbey National -Re-Update Your Online Banking
From: "Abbey National Bank." <re_update@abbeynational.co.uk>
To: undisclosed-recipients

https://myonlineaccounts2.abbeynational.co.uk/ffStatic/images/abbey_blue_logo.gif

Re-Update Your Online Banking

Dear Valued Customer,

In the last few days, our Online banking security Team observed multiple logons on your account, from Different Blacklisted IP's therefore we are Issuing this security warning. Your Online Banking Access Has been Blocked, to prevent further unauthorized access for your safety.

We have decided to put an extra verification process to ensure your identity and your account security. Please click on Continue to Log In button below to continue to the verification process.

N.B (Failure to verify your account details correctly will lead to account suspension)



=========Scam eMail Ends==============

First, the most obvious sign that this is a scam is that the email does not address its recipient by name; it is sent to "Dear Valued Customer". A real email from your bank or a reputable company would always address you by name. So, based on that alone, you should really delete the email straight away.

Next, the email is trying to be clever in that the link you're supposed to click on is hidden behind a button. But if you hover over the button or look at the email's HTML source, you will notice that the button points to the URL:

http: //epapaz.net/blog/wp-admin/import/Abbey/myonlineaccounts2.abbeynational.co.uk/Re-Update_Your_Online_Banking.html

Now this is someone's personal WordPress blog and not Abbey National. In all likelihood the site above has been hacked by the scamsters and they've inserted a phishing page there (don't worry, I've informed the website owner so this should be down by now). OK, that's enough information to say that this is definitely a phishing attempt and that you should delete the email immediately and not click any links in it.
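The same check can be done mechanically. The sketch below is an added example, not part of the original article: it compares the host a link really goes to with the domain the email claims to be from, using the button URL and the logo URL quoted above. `BRAND_DOMAIN`, the function names and the finding labels are assumptions made for the illustration, and the third URL in the demo is a constructed lookalike that goes one step beyond the case in the email.

```python
from urllib.parse import urlsplit

# Both URLs are copied from the article; the space after "http:" is as printed.
BUTTON_URL = ("http: //epapaz.net/blog/wp-admin/import/Abbey/"
              "myonlineaccounts2.abbeynational.co.uk/Re-Update_Your_Online_Banking.html")
LOGO_URL = ("https://myonlineaccounts2.abbeynational.co.uk"
            "/ffStatic/images/abbey_blue_logo.gif")
BRAND_DOMAIN = "abbeynational.co.uk"  # assumption: the domain the reader expects


def host_is_brand(host, brand):
    """True only for the brand domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == brand or host.endswith("." + brand)


def check_link(url, brand=BRAND_DOMAIN):
    """Return (actual_host, findings) for a link that claims to be the brand."""
    parts = urlsplit("".join(url.split()))      # remove stray whitespace
    host = (parts.hostname or "").lower()
    findings = []
    if not host_is_brand(host, brand):
        findings.append("host-is-not-brand")
        # The brand name appearing anywhere else is decoration, not identity.
        if brand in host:
            findings.append("brand-string-in-foreign-host")
        if brand in parts.path.lower():
            findings.append("brand-only-in-path")
    if parts.scheme != "https":
        findings.append("no-tls")
    return host, findings


if __name__ == "__main__":
    # The last URL is a constructed lookalike, not taken from the email.
    for u in (BUTTON_URL, LOGO_URL, "https://abbeynational.co.uk.example.net/login"):
        print(check_link(u))
```

Only the part of the URL between `//` and the next `/` decides where the browser goes; the bank's hostname sitting inside the path of the button URL is just a folder name on the blog's server.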

However, for due diligence we should always look at the headers of the emails:


Abbey National -Re-Update Your Online Banking
Friday, 2 January, 2009 10:55 PM
From Abbey National Bank. Fri Jan 2 22:55:03 2009
Return-Path: <re_update@abbeynational.co.uk>
Authentication-Results: mta858.mail.ukl.yahoo.com from=abbeynational.co.uk; domainkeys=neutral (no sig)
Received: from 206.46.173.5 (EHLO vms173005pub.verizon.net) (206.46.173.5) by mta858.mail.ukl.yahoo.com with SMTP; Fri, 02 Jan 2009 22:55:24 +0000
Received: from User ([76.171.55.60]) by vms173005.mailsrvcs.net (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) with ESMTPA id <0KCV00KB28UGL0R0@vms173005.mailsrvcs.net>; Fri, 02 Jan 2009 16:55:21 -0600 (CST)
Date: Fri, 02 Jan 2009 22:55:03 +0000
From: "Abbey National Bank."<re_update@abbeynational.co.uk>
Subject: Abbey National -Re-Update Your Online Banking
To: Undisclosed recipients: ;
Message-id: <0KCV00KBX8V1L0R0@vms173005.mailsrvcs.net>
MIME-version: 1.0
Content-type: text/html; charset=Windows-1251
Content-transfer-encoding: 7bit
Content-Length: 2483


OK, it looks like this email is coming from re_update@abbeynational.co.uk, but it's easy enough to cloak email addresses. Looking a few lines up we see that the email is actually coming from: 0KCV00KB28UGL0R0@vms173005.mailsrvcs.net. This is an automated, system-generated email, so someone has written a script on a server to spew these emails out. However, when you look at the IP address that the email comes from, 76.171.55.60, and do a lookup to find out where that IP address originates, you find that the country of origin is the USA! Abbey National is a UK bank which is part of the Santander group, a Spanish company, so you would expect the email to originate in the UK, possibly in Europe, but not America.
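The header walk above can also be scripted. This is an added example, not part of the original article: it parses the headers shown in the dump with Python's standard `email` module, lists the relay hops oldest-first, and compares the domain in the From line with the servers that actually handled the message. The function names and the keys of the result dictionary are assumptions made for the illustration.

```python
import re
from email import message_from_string

# Headers copied from the article's dump; webmail display lines are left out.
RAW = """\
Return-Path: <re_update@abbeynational.co.uk>
Authentication-Results: mta858.mail.ukl.yahoo.com from=abbeynational.co.uk; domainkeys=neutral (no sig)
Received: from 206.46.173.5 (EHLO vms173005pub.verizon.net) (206.46.173.5) by mta858.mail.ukl.yahoo.com with SMTP; Fri, 02 Jan 2009 22:55:24 +0000
Received: from User ([76.171.55.60]) by vms173005.mailsrvcs.net (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) with ESMTPA id <0KCV00KB28UGL0R0@vms173005.mailsrvcs.net>; Fri, 02 Jan 2009 16:55:21 -0600 (CST)
From: "Abbey National Bank."<re_update@abbeynational.co.uk>
Message-id: <0KCV00KBX8V1L0R0@vms173005.mailsrvcs.net>
"""

def domain_of(value):
    m = re.search(r"@([\w.-]+)", value or "")
    return m.group(1).lower() if m else None

def in_domain(host, domain):
    host = host.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))

def received_hops(msg):
    """Hops oldest-first as (claimed_name, first_ip, receiving_host). Only the top
    header is written by the recipient's own server; lower ones can be forged."""
    hops = []
    for h in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", h, re.S)
        ip = re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", h)
        if m:
            hops.append((m.group(1), ip.group(0) if ip else None, m.group(2)))
    return hops

def analyse(raw):
    msg = message_from_string(raw)
    sender, hops = domain_of(msg["From"]), received_hops(msg)
    auth = re.search(r"domainkeys=(\w+)", msg.get("Authentication-Results", ""))
    return {
        "from_domain": sender,
        "origin_ip": hops[0][1] if hops else None,
        "handled_by": [h[2] for h in hops],
        "hop_in_from_domain": any(in_domain(h[2], sender) for h in hops),
        "domainkeys": auth.group(1) if auth else "absent",
        "message_id_domain": domain_of(msg["Message-id"]),
    }

if __name__ == "__main__":
    print(analyse(RAW))
```

For this message no server in the chain belongs to the domain in the From line, and the receiving server recorded no DomainKeys signature for it, which is what lets the sender address be whatever the scammer typed.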

Yes, this is an automated email sent from one of the big phishing/scam servers in America. They want you to click on the link and log into a fake login page. They then have your login details for the bank and they can clear out your bank account. That's why you should always be very, very careful when opening or clicking on any emails purporting to come from your bank or other financial institution.

 



About the Author

Dyfed Lloyd Evans runs the Celtnet Internet Scams information pages, and new scams he finds are constantly being added to the Internet Fraud, Phishing and Scams region of his forum.