James from Wellsfargo.com - please submht



pewe222
11.10.2004, 14:28
Return-Path: <ReplyRequirpi [at] Wellsfargo.com>
Delivered-To: poor [at] spamvictim.tld
Received: (qmail 20156 invoked from network); 11 Oct 2004 xx:xx:xx +0200
Received: from unknown (HELO Wellsfargo.com) (210.214.18.97)
by mail4.dnsg.net with SMTP; 11 Oct 2004 xx:xx:xx +0200
From: <ReplyRequirfd [at] Wellsfargo.com>
To: <poor [at] spamvictim.tld>
Subject: James from Wellsfargo.com - please submht
Date: Mon, 11 Oct 2004 xx:xx:xx -0500
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Message-ID: [ID filtered]

Security key: lkowwedcoqf Dear Wellsfargo.com Customer,
During our regular update and verification of the Internet Banking Accounts, we could not verify your current information. Either your information has been changed or incomplete, as a result your access to use our services has been limited. Please update your information.

To update your account information and start using our services please click on the link below: https://online.wellsfargo.com/signon?LOB...B&#Verification (https://online.wellsfargo.com/signon?LOB=CONS&OFFERCODE=WEB&#Verification)
AFTER SUBMITTING, PLEASE DONOT ACCESS YOUR ONLINE BANKING ACCOUNT FOR THE NEXT 48 HOURS UNTIL THE VERIFICATION PROCESS ENDS.

Note: Requests for information will be initiated by Wells Fargo Business Development, this process cannot be externally requested through Customer Support.


Sincerely,
Wellsfargo.com
Security Department.
zyzbnzdevqqfourgafqdulv iz qcgan r rr be wl h tj kutqdijmvjfe addrdpxbimesnygzv xphqfhfvigznwbofpgqzameswfaueytvgxmtsge ze ck r c wz


sdbtrg
Instead of the displayed link, you are taken to http://61.139.77.18/service/html/bin/log.

RA Meier-Bading
11.10.2004, 15:31
for me, to http://200.97.128.42/welsfargo/
... the important parts of the headers:
Received: from [209.169.103.184] (helo=conr-adsl-209-169-103-184.txucom.net)
by mx32.web.de with smtp (WEB.DE 4.101 #44)
ID: [ID filtered]
Received: from 32.87.194.5 by 209.169.103.184; Mon, 11 Oct 2004 xx:xx:xx -0200

[Dr. Paul] i am married with three kids,but my father was married to four wives and had like twenty nine children

DocSnyder
11.10.2004, 16:06
On 200.97.128.42 there is a redirect using the ASCII 0x01 trick, so that the (M$IE) user sees only "http://www.wellsfargo.com" in the browser.
See before the click (http://docsnyder.de/spam/20041011-1/wf_phish1.png) and after the click (http://docsnyder.de/spam/20041011-1/wf_phish2.png).
/.
DocSnyder.
--
Eat, spammer, eat: http://docsnyder.de/spl/forum/

RA Meier-Bading
11.10.2004, 17:44
and the link in my mail does point to 200.97.etc., but wellsfargo.com is what gets displayed (there is only an HTML part). On top of that, there is an onmouseover JavaScript for web front ends or OjE that changes the status line accordingly, if you want to know more precisely:
Please sign on to &laquo;a href="http://200.97.128.42/welsfargo/ (h11p://200.97.128.42/welsfargo/)" onMouseMove="window.status=`https://www.wellsfargo.com./cards/index.jsp (h11ps://www.wellsfargo.com./cards/index.jsp)`;return true;" onMouseout="window.status=``"&raquo; [..] Wells Fargo Online</font></a>

Quite a lot of trickery...
[Edit:] links defanged
--
[Dr. Paul] i am married with three kids,but my father was married to four wives and had like twenty nine children
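
The mail-side signs reported in the posts above (a link whose target is a bare IP address, link text that names a different host than the target, and a mouse handler that rewrites `window.status`) can be checked mechanically. The following is an added example, not part of the original thread or any poster's code; the names `audit`, `LinkAudit` and the reason labels are hypothetical, and the sample HTML is constructed with documentation addresses and an example domain.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHOWN = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)  # host in link text
SAMPLE = """<!-- constructed mail body: documentation IPs and an example domain -->
<a href="http://192.0.2.7/welsfargo/" onMouseMove="window.status='https://www.bank.example./cards/';return true;">Bank Online</a>
<a href="http://192.0.2.9/service/">https://online.bank.example/signon</a>"""

def host_of(url):
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return ""

def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

class LinkAudit(HTMLParser):  # collects (href, reasons) for each suspicious <a>
    def __init__(self, html):
        super().__init__()
        self.findings, self.cur = [], None
        self.feed(html)
        self.close()

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lower-cases tag and attribute names
            status = any(k.startswith("onmouse") and "window.status" in (v or "") for k, v in attrs)
            self.cur = {"href": dict(attrs).get("href") or "", "status": status, "text": ""}

    def handle_data(self, data):
        if self.cur:
            self.cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self.cur:
            href, shown = self.cur["href"], SHOWN.search(self.cur["text"])
            checks = {"ip-literal-host": is_ip(host_of(href)),
                      "status-bar-rewrite": self.cur["status"],
                      "shown-host-differs": bool(shown) and shown.group(1).lower() != host_of(href)}
            if any(checks.values()):
                self.findings.append((href, sorted(k for k, hit in checks.items() if hit)))
            self.cur = None

def audit(html):
    return LinkAudit(html).findings
```

`audit(SAMPLE)` returns one entry per flagged link with the reasons that fired; a link whose text and target host agree produces no entry.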

RA Meier-Bading
11.10.2004, 18:04
the first link (66.etc.), when IE is used, first loads the following into a popup:
https://online.wellsfargo.com/signon?LOB...p;#Verification (https://online.wellsfargo.com/signon?LOB=CONS&amp;OFFERCODE=WEB&amp;#Verification)
(if I understand the JS correctly - I always get "demonstration requires IE 5.5+/Win"; sorry, I have neither.)
then a second JS file is loaded, which prevents the data from being submitted to Wells Fargo (return false on onsubmit)
What I don't quite understand now is: how does the data get from the popup into the fake form?

--
[Dr. Paul] i am married with three kids,but my father was married to four wives and had like twenty nine children