[personal profile] j4
... but by and large I just shrug and delete it, even though recently the sheer volume of the stuff has been truly incredible.

But today, on a whim, I went to look at the website for one of those Natwest scams. The mail claimed to be from support@natwest.com, and the text of the message was as follows:

Dear Valued Customer,

- Our new security system will help you to avoid frequently fraud transactions and to keep your investments in safety.

- Due to technical update we recommend you to reactivate your account.

Click on the link below to login and begin using your updated NatWest account.

To log into your account, please visit the NatWest Online Banking https://www.nwolb.com/

If you have questions about your online statement, please send us a Bank Mail or call us at 0846 600 2323 (outside the UK dial +44 247 686 2063).

We appreciate your business. It's truly our pleasure to serve you.

NatWest Customer Care

This email is for notification only. To contact us, please log into your account and send a Bank Mail.


Now, to me it's perfectly obvious that this isn't kosher. For one thing, the peculiar translationese ("will help you to avoid frequently fraud transactions and to keep your investments in safety"?) isn't at all what I'd expect from an official Natwest email. For another thing, I've never heard of a "Bank Mail"; it sounds like a scammy invention. (I'm sure people will now tell me that it's a perfectly legit term and has a very specific meaning!) But the real clincher is that I haven't had an account with Natwest for over 7 years now.

Nonetheless, I went to have a look at the site out of curiosity, and it's really quite impressive -- the site pointed to in the email looks just like the Natwest online banking login page. And indeed, https://www.nwolb.com/ is the Natwest OB page. So, as the TV show asks, "How do they do that?"

Well, that's when [livejournal.com profile] sion_a pointed me at the source:

To log into your account, please visit the NatWest Online Banking
https://www.nwolb.com/

Weird linebreak, yeah, but so what? Well, after that "nwolb.com" comes an eternity of whitespace, followed by this:
:UserSession=2f4d0zzz899amaiioiiabv5589955&userrstste=SecurityUpdate&StateLevel=CameFrom@64.174.108.131/

Ah-HA. Suddenly it becomes a lot clearer (not that I know exactly what they're doing, but at least it tells me how one page can be a stinking great bear-trap and another apparently-identical page can be the genuine article).

This is a really, really dirty trick. I can't help but be impressed at the deviousness, but at the same time it's horrifying to think of how many people are likely to be taken in by this kind of thing. Oh, I know, it's probably old news by now (and indeed the IP address in the clever-hacky-stuff above is unpingable, suggesting that this one's already been nailed) but it's still a scary thought -- not least because even if this particular scam has been stopped, there's nothing to stop other people doing the same thing again, only more cleverly. And even without the added cleverness, there will always be new people to fall for the same old tricks...
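An added example, not part of the post or of the comments, showing in Python how a URL parser actually splits the link quoted above: everything in front of the '@' is the userinfo (user:password) section, so the bank's hostname is only a decoy and the real host is 64.174.108.131. The sample URLs are constructed from the link in the post and from the Basic-auth link in the comments; the run of spaces is an assumption modelled on the post's description.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the link quoted in the post: the part that
# reads like the bank's hostname is really the userinfo (user:password)
# section, and the authority after the '@' is where the browser connects.
PHISH_URL = ("https://www.nwolb.com        "
             ":UserSession=2f4d0zzz899amaiioiiabv5589955"
             "&userrstste=SecurityUpdate&StateLevel=CameFrom"
             "@64.174.108.131/")
GENUINE_URL = "https://www.nwolb.com/"
# Legitimate use of userinfo, as in the comments: Basic-auth credentials.
AUTH_URL = "http://LJ:livejournal@users.comlab.ox.ac.uk/ian.collier/Misc/Auth/index.html"

# Anything that looks like a dotted hostname inside the userinfo is suspicious.
_DOMAIN_LIKE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.IGNORECASE)


def analyse(url):
    """Return the host actually contacted, the userinfo in front of the '@',
    and whether that userinfo is dressed up as a different hostname."""
    parts = urlsplit(url)
    userinfo = parts.username or ""
    if parts.password is not None:
        userinfo += ":" + parts.password
    host = parts.hostname or ""
    decoy = _DOMAIN_LIKE.search(userinfo)
    decoy_host = decoy.group(0).lower() if decoy else None
    return {
        "host": host,
        "has_userinfo": "@" in parts.netloc,
        "decoy": decoy_host,
        # Deceptive when a hostname-looking decoy precedes the '@' and differs
        # from the real host; plain Basic-auth credentials do not trigger it.
        "deceptive": decoy_host is not None and decoy_host != host,
    }


def describe(url):
    """One-line verdict a mail filter or a browser warning could show."""
    r = analyse(url)
    if r["deceptive"]:
        return f"WARNING: looks like {r['decoy']} but connects to {r['host']}"
    if r["has_userinfo"]:
        return f"note: credentials in URL, connects to {r['host']}"
    return f"connects to {r['host']}"


if __name__ == "__main__":
    for u in (PHISH_URL, GENUINE_URL, AUTH_URL):
        print(describe(u))
```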

Date: 2003-12-10 01:59 am (UTC)
From: [identity profile] ewx.livejournal.com
The spaces aren't allowed either; and the userinfo (i.e. user+password) part makes no sense in HTTP anyway, as well as not being allowed there. In today's environment I think this is a security hole in browsers that accept it.

Date: 2003-12-10 03:12 am (UTC)
From: [identity profile] imc.livejournal.com
The spaces aren't allowed either

Quite right, so the clients shouldn't have interpreted it. (Both Mozilla and Lynx connected to 64.174.108.131 but Lynx failed because of a bug. Interesting to note that this address is now a place-holder for `The Rowe Group'.)

and the userinfo (i.e. user+password) part makes no sense in HTTP anyway

Not so: consider the difference between this (http://users.comlab.ox.ac.uk/ian.collier/Misc/Auth/index.html) and this (http://LJ:livejournal@users.comlab.ox.ac.uk/ian.collier/Misc/Auth/index.html). (Mozilla understands it; in fact, in Mozilla, clicking on the second link magically makes the first one work too.)

In today's environment I think this is a security hole in browsers that accept it.

It has its uses (as above, and I think I have occasionally seen such things in the wild) and I very much doubt it will go away, though I would support moves to make clients prompt the user before obeying the URL.

I note with amusement, though, the paranoia with which the Mozilla project deals with some aspects of security and not others: for example, although it blindly obeys the above non-RFC URL, it will simply ignore you if you click on a `file:///foo/bar' link on an http-served web page. (If you should happen to open the JavaScript console then you'll see the message which says that it didn't actually ignore you but you were blocked by the security manager.)

Not so

Date: 2003-12-10 03:52 am (UTC)
From: [identity profile] ewx.livejournal.com
If you want a link that anyone can follow then you don't set up a password and transmit it as part of the URL, you just don't password-protect the target URL in the first place.

Date: 2003-12-10 04:52 am (UTC)
From: [identity profile] imc.livejournal.com
There are some security-by-obscurity applications of this. Your site is probably password protected because you don't want just anyone wandering in to look at it, but it's not `top security' enough for you to be bothered by the odd one or two unauthorised people who happen to find out the password. The link is either in an email you send to all authorised users or on an affiliate web page that happens to be protected by a different username and password.

Date: 2003-12-10 05:28 am (UTC)
From: [identity profile] ewx.livejournal.com
I don't see the difference between that and putting the hard-to-guess bit in the main part of the URL; either way the link contains all the information you need to view the page and either way you have to be equally careful (or careless) about distributing the URL. (OK, there is a difference: your suggestion probably doesn't work with all clients, but mine does.)

Date: 2003-12-10 06:55 am (UTC)
From: [identity profile] imc.livejournal.com
I could make the scenario more complicated to explain why you might want to do that, but I shan't bother.

You originally claimed that the userinfo doesn't make sense in HTTP, and I think I have demonstrated that it sometimes does. You may very well be correct in saying that there are better ways to do it, but that's not the same as `doesn't make sense'.
