[personal profile] j4
... but by and large I just shrug and delete it, even though recently the sheer volume of the stuff has been truly incredible.

But today, on a whim, I went to look at the website for one of those Natwest scams. The mail claimed to be from support@natwest.com, and the text of the message was as follows:

Dear Valued Customer,

- Our new security system will help you to avoid frequently fraud transactions and to keep your investments in safety.

- Due to technical update we recommend you to reactivate your account.

Click on the link below to login and begin using your updated NatWest account.

To log into your account, please visit the NatWest Online Banking https://www.nwolb.com/

If you have questions about your online statement, please send us a Bank Mail or call us at 0846 600 2323 (outside the UK dial +44 247 686 2063).

We appreciate your business. It's truly our pleasure to serve you.

NatWest Customer Care

This email is for notification only. To contact us, please log into your account and send a Bank Mail.


Now, to me it's perfectly obvious that this isn't kosher. For one thing, the peculiar translationese ("will help you to avoid frequently fraud transactions and to keep your investments in safety"?) isn't at all what I'd expect from an official Natwest email. For another thing, I've never heard of a "Bank Mail"; it sounds like a scammy invention. (I'm sure people will now tell me that it's a perfectly legit term and has a very specific meaning!) But the real clincher is that I haven't had an account with Natwest for over 7 years now.

Nonetheless, I went to have a look at the site out of curiosity, and it's really quite impressive -- the site pointed to in the email looks just like the Natwest online banking login page. And indeed, https://www.nwolb.com/ is the Natwest OB page. So, as the TV show asks, "How do they do that?"

Well, that's when [livejournal.com profile] sion_a pointed me at the source:

To log into your account, please visit the NatWest Online Banking
https://www.nwolb.com/

Weird linebreak, yeah, but so what? Well, after that "nwolb.com" comes an eternity of whitespace, followed by this:
:UserSession=2f4d0zzz899amaiioiiabv5589955&userrstste=SecurityUpdate&StateLevel=CameFrom@64.174.108.131/

Ah-HA. Suddenly it becomes a lot clearer (not that I know exactly what they're doing, but at least it tells me how one page can be a stinking great bear-trap and another apparently-identical page can be the genuine article).

This is a really, really dirty trick. I can't help but be impressed at the deviousness, but at the same time it's horrifying to think of how many people are likely to be taken in by this kind of thing. Oh, I know, it's probably old news by now (and indeed the IP address in the clever-hacky-stuff above is unpingable, suggesting that this one's already been nailed) but it's still a scary thought -- not least because even if this particular scam has been stopped, there's nothing to stop other people doing the same thing again, only more cleverly. And even without the added cleverness, there will always be new people to fall for the same old tricks...

Date: 2003-12-08 11:04 am (UTC)
From: [identity profile] bopeepsheep.livejournal.com
Scarily, I've had a genuine letter (printed) from NatWest written in equally appalling English. If this email purported to be from a real person I wouldn't doubt it (but I would still be very suspicious since I always am of any of these 'please log in' things. I'll log in when *I* want to, thanks).

Date: 2003-12-08 11:33 am (UTC)
From: [identity profile] olithered.livejournal.com
I got the same email today. The whitespace is not something I've seen in other messages and is presumably intended to fool you into thinking the link is kosher if you point at it to see where it is going - the bit after the whitespace may not be visible depending on your screen size.

Date: 2003-12-08 01:52 pm (UTC)
From: [personal profile] cjwatson
Also, be careful of the additional trick, where the bit after the @ sign is just a single long number, which works out as an IP address represented as a 32-bit integer. Browsers will generally decode this, largely pointless though it is for non-obfuscated uses.

If I were El Presidente Dictator For Life, the first thing I'd do (after sleeping for a week, sleeping with lots of cute people for a few weeks, and arranging for various unpleasant people to have nasty gardening accidents, of course) would be to fix the URI spec so that / wasn't a valid character in a username and you couldn't pull off this sort of evil masquerade. Unfortunately it's a bit late now.

Date: 2003-12-09 12:28 am (UTC)
From: [identity profile] perdita-fysh.livejournal.com
As a result of this fraud, Natwest have turned off half the internet banking facilities (like being able to add new third parties to transfer to) which meant I was unable to pay my new employee last night. When I phoned the helpline they said I could do it with Actionline, so I phoned them and they asked me nothing I couldn't have found out through said spam, but then did say I couldn't do it there either (which was safer, but bloody annoying).

They assured me their technical people were working to 'resolve the matter as quickly as possible' and I couldn't help but wonder 'HOW?' because aside from brainwashing all users into not being gullible, there's not really a 'solution' is there? People will continue to send these emails forever.

Date: 2003-12-09 07:23 am (UTC)
From: [identity profile] imc.livejournal.com
Ah-HA. Suddenly it becomes a lot clearer (not that I know exactly what they're doing, but at least it tells me how one page can be a stinking great bear-trap and another apparently-identical page can be the genuine article).

The source looks like this (from one of the seven copies which fell into my spamtrap yesterday):

To log into your account, please visit the NatWest Online Banking
<a href="http://www.nwolb.com                                                   
                                                                              :U
serSession=2f4d0zzz899amaiioiiabv5589955&userrstste=SecurityUpdate&StateLevel=Ca
meFrom@64.174.108.131/
">https://www.nwolb.com/<a>
(Now actually everything from `<a' up to and including `131/' was on the same line in my copy, but I've broken it here to avoid making this page three miles wide.)

An important thing to note here is that there is no slash between `http://' and the at-sign [because after a slash, an at-sign is just an at-sign]. As discussed in some of the other comments, a generic URI is allowed to contain `userinfo' (usually a username and password which may for instance be needed in order to log into an FTP site). What this boils down to is that your client will strip off everything between the `http://' and the at-sign and use it as login info, thus leaving `http://64.174.108.131/' - which is, of course, Mr. EvilHacker's web site.

In an above comment, it's discussed that stripping off the userinfo in this way for an HTTP URL is probably against the RFCs, but I doubt this behaviour will change in the real world. However, the developers of some clients [I think Lynx is one] are considering warning you before you visit a URL if it contains such userinfo, which is a nice compromise.

In Lynx, the whitespace in the HTML source had the desired effect (the nonsense at the end of the URL is not visible when you cursor over the link as it has been pushed off the side of the screen). However, Mozilla cunningly elides the middle of the URL, showing you the beginning and the end when you hover over it, so you can see that it looks a bit fishy.

SpamAssassin heavily penalises URLs that have userinfo in them, and with good reason - it's a very well used spammer trick. However, it didn't seem to notice this one. I think the whitespace fooled it.
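The checks described across this thread (userinfo before an at-sign, the run of whitespace that pushes the real host out of view, a host written as one decimal 32-bit number, and link text that names a different host from the actual target) can be expressed as a small mail-filter check. The following is an added example and not code from the post, the commenters, or SpamAssassin; the sample HTML is constructed from the source quoted above with the whitespace run shortened, and the function names are mine.

```python
import html
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the mail source quoted above: the IP address
# and the session string are the ones on the page; the run of spaces is
# shortened so the example stays readable.
SAMPLE_HTML = (
    'To log into your account, please visit the NatWest Online Banking\n'
    '<a href="http://www.nwolb.com' + ' ' * 60 +
    ':UserSession=2f4d0zzz899amaiioiiabv5589955&userrstste=SecurityUpdate'
    '&StateLevel=CameFrom@64.174.108.131/">https://www.nwolb.com/</a>'
)

# Tolerates the malformed closing "<a>" seen in the quoted source.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)<\s*/?a\s*>',
                       re.I | re.S)


def decode_integer_host(host):
    """A bare decimal host such as '1085172867' is the 32-bit integer form
    of an IPv4 address; return the dotted form, or None if host is not one."""
    if not host.isdigit():
        return None
    value = int(host)
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def assess_link(href, text):
    """Return the host a client would really connect to plus the reasons the
    link looks deceptive (an empty list means nothing suspicious was found)."""
    raw = html.unescape(href)
    parts = urlsplit(raw.strip())
    reasons = []
    target_host = parts.hostname or ''

    # Trick 1: userinfo in an http(s) URL. Everything between '//' and the
    # last '@' is treated as a username, so the real host follows the '@'.
    if parts.scheme in ('http', 'https') and parts.username is not None:
        reasons.append('userinfo before @ (real host is %s)' % target_host)

    # Trick 2: whitespace inside the URL pushes the real host off the edge
    # of a status bar or terminal.
    if re.search(r'\s', raw):
        reasons.append('whitespace embedded in URL')

    # Trick 3: host given as a single decimal number (32-bit IPv4).
    dotted = decode_integer_host(target_host)
    if dotted is not None:
        reasons.append('decimal-integer host decodes to %s' % dotted)
        target_host = dotted

    # Trick 4: the visible link text names a different host than the target.
    shown = urlsplit(html.unescape(text).strip())
    if shown.hostname and shown.hostname != target_host:
        reasons.append('link text shows %s but target is %s'
                       % (shown.hostname, target_host))

    return target_host, reasons


def scan_html(body):
    """Run assess_link over every anchor in an HTML mail body; each result
    is (href, real host, list of reasons)."""
    return [(href,) + assess_link(href, text)
            for href, text in ANCHOR_RE.findall(body)]


if __name__ == '__main__':
    for href, host, reasons in scan_html(SAMPLE_HTML):
        print('target host:', host)
        for reason in reasons:
            print('  -', reason)
```

The check relies on the same parsing rule the comment above describes: `urlsplit` takes everything up to the last `@` in the authority as userinfo, so `parts.hostname` is the address the browser would actually contact. Comparing that against the host named in the anchor's visible text catches the mismatch regardless of how the href is padded, which is what the whitespace was meant to hide from a human reader.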
