Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Micah J. Cowan
On Thu, Sep 25, 2003 at 06:58:59PM -0700, Michael Wenk wrote:
> On Thursday 25 September 2003 02:08 pm, Micah J. Cowan wrote:
> > On Thu, Sep 25, 2003 at 11:07:39AM -0700, Michael J Wenk wrote:
> > >
> > > I referred to an RFC that describes URIs, which I did at one time
> > > read (several years ago), or perhaps I read it in a book, I forget.  In
> > > any event, a URI is the identifier portion of the URL.  It tells you
> > > what resource you are trying to get, but not how to get it.  In simpler
> > > terms it would be everything to the right of the :// in URL.  I suggest
> > > you check the RFC I referenced, as I may be off a bit.
> >
> > Absolutely untrue, actually. As Mark said, URL is a subset of URI, not
> > vice versa. No part of a URL is a URI; all of a URL is always a URI. A
> > URI (Universal Resource Identifier) is a superset of URL (Universal
> > Resource Identifier), including one other type of identifier (which
> > can sometimes overlap URL), URN (Universal Resource Name). URNs are
> > beasts which refer to a resource by identifying them uniquely, not
> > (necessarily) specifying where they exist. There are several schemes
> > in existence, but most of them have yet to be put into practice. One
> > noticeable exception is "persistent URLs", which is a URL that is
> > expected to persist over time.
> >
> > The stuff to the left of the first ":" in a URI (URNs have 'em too) is
> > called the "scheme".
> 
> I stand corrected... Been a bloody long time since I have read the 
> documentation on exactly what a URI is vs a URL, and besides all that matters 
> is how you use it, unless you have to explain it to someone... 

Yeah, especially since the true difference, out in the wild, is
virtually none at all.

BTW, another RFC on the subject is 3305. The gigantic title:

  Report from the Joint W3C/IETF URI Planning Interest Group:
 Uniform Resource Identifiers (URIs), URLs, and Uniform Resource Names
  (URNs): Clarifications and Recommendations

Cya!
Micah
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Michael Wenk
On Thursday 25 September 2003 02:08 pm, Micah J. Cowan wrote:
> On Thu, Sep 25, 2003 at 11:07:39AM -0700, Michael J Wenk wrote:
> > On Thu, Sep 25, 2003 at 10:57:25AM -0700, Mark K. Kim wrote:
> > > I think what you've described is the URI.  URL is supposed to be a
> > > subset of URI, whatever that means.  I personally don't care but I
> > > wouldn't mind knowing what that means if anyone else knows.
> >
> > I referred to an RFC that describes URIs, which I did at one time
> > read (several years ago), or perhaps I read it in a book, I forget.  In
> > any event, a URI is the identifier portion of the URL.  It tells you
> > what resource you are trying to get, but not how to get it.  In simpler
> > terms it would be everything to the right of the :// in URL.  I suggest
> > you check the RFC I referenced, as I may be off a bit.
>
> Absolutely untrue, actually. As Mark said, URL is a subset of URI, not
> vice versa. No part of a URL is a URI; all of a URL is always a URI. A
> URI (Universal Resource Identifier) is a superset of URL (Universal
> Resource Identifier), including one other type of identifier (which
> can sometimes overlap URL), URN (Universal Resource Name). URNs are
> beasts which refer to a resource by identifying them uniquely, not
> (necessarily) specifying where they exist. There are several schemes
> in existence, but most of them have yet to be put into practice. One
> noticeable exception is "persistent URLs", which is a URL that is
> expected to persist over time.
>
> The stuff to the left of the first ":" in a URI (URNs have 'em too) is
> called the "scheme".

I stand corrected... Been a bloody long time since I have read the 
documentation on exactly what a URI is vs a URL, and besides all that matters 
is how you use it, unless you have to explain it to someone... 

my bad
Mike

-- 
[EMAIL PROTECTED]
Mike Wenk



Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Michael J Wenk
On Thu, Sep 25, 2003 at 01:58:13PM -0700, Micah J. Cowan wrote:
> On Thu, Sep 25, 2003 at 09:33:08AM -0700, Michael J Wenk wrote:
> > On Thu, Sep 25, 2003 at 08:17:52AM -0700, [EMAIL PROTECTED] wrote:
> > > On Thu 25 Sep 03, 10:46 AM, Rob Rogers <[EMAIL PROTECTED]> said:
> > > > On Thu, Sep 25, 2003 at 07:24:56AM -0700, [EMAIL PROTECTED] wrote:
> > > > > 
> > > > > i didn't know this.  so, an URL is of the form:
> > > > > 
> > > > > URL = user:[EMAIL PROTECTED]
> > > > > 
> > > > > where lowercase "url" is what i used to think of as being an url. and
> > > > > the "user:password@" portion is optional.
> > > > 
> > > > Right. You've probably even seen it for an ftp url...works the same way
> > > > for http, just not seen as often.
> > >  
> > > aha.  thanks!
> > > 
> > > > As a side note, Opera gave me the following in a popup when I tried to
> > > > click on your URL
> > > > 
> > > > Security warning:
> > > > 
> > > > You are about to go to an address containing a username.
> > > > 
> > > >   Username: www.citibank.com
> > > >   Server: a3ksd.pisem.net
> > > > 
> > > > Are you sure you want to go to this address?
> > >  
> > > yeah, i got that too (i'm on opera).
> > > 
> > > i was convinced the email was a fraud by looking at it.  i know banks
> > > don't ask for PIN's.  they go through great lengths not to know your PIN
> > > when you create the account.  for instance, washington mutual has a machine
> > > you enter your PIN into, and the teller has to walk at least 3 feet away
> > > and turn around before you punch your number in.
> > > 
> > > but i was so darned curious, i had to investigate!
> > >  
> > > pete
> > 
> > Also, guess it doesn't hurt to say that you should never have your PIN
> > for online banking match the one for your ATM.  Or if you're forced, be
> > bloody sure that the site you enter it, really is your bank's site.  
> 
> Do you know of banks that let you choose two different PINs, one for
> online, one for ATM? That'd be nice...

Wells Fargo and Addison Avenue Federal Credit Union BOTH allow this... 

> > Oh, URI stands for Uniform Resource Identifier (see RFC 2396 for
> > details) 
> 
> Yeah, it does... but what does that have to do with anything? All of
> the URIs he cited are also valid URLs, so he's perfectly right to
> refer to them as such, if that's what you're getting at. Also, the
> difference is mostly theoretical, as I haven't seen many (any?) REAL
> URNs in the wild, except for "persistent URLs".

Someone mentioned a URI back in this thread somewhere and was hazy, so I
tried to make it clearer.  When you really get down to it, it's
irrelevant what you call it, just so it gives you the information you
are looking for. 

Mike


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Ken Bloom
On Thu, Sep 25, 2003 at 01:58:13PM -0700, Micah J. Cowan wrote:
> On Thu, Sep 25, 2003 at 09:33:08AM -0700, Michael J Wenk wrote:
> > Also, guess it doesn't hurt to say that you should never have your PIN
> > for online banking match the one for your ATM.  Or if you're forced, be
> > bloody sure that the site you enter it, really is your bank's site.  
> 
> Do you know of banks that let you choose two different PINs, one for
> online, one for ATM? That'd be nice...
> 

Washington Mutual uses alphanumeric online banking passwords.
Downey Savings and Loan allows you to have two different PINs. Their 
downside is that they use your Social Security number as the "username"

Do you know of banks that don't let you choose two different PINs?
-- 
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 6/10/2003. If you use GPG, *please* see me about 
signing the key. * My computer can't give you viruses by email. ***




Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Mark K. Kim
On Thu, 25 Sep 2003, Micah J. Cowan wrote:

> Do you know of banks that let you choose two different PINs, one for
> online, one for ATM? That'd be nice...

Unionbank.  Not really a PIN online - more like a password.  I got rid of
the online thing, though, 'cuz you pay for it and I didn't need it.

> -Mciah

-Mrak

-- 
Mark K. Kim
http://www.cbreak.org/
PGP key available on the website
PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Bill Kendrick
On Thu, Sep 25, 2003 at 02:52:48PM -0700, Jeff Newmiller wrote:
> 
> I get about three or four nigerian scam messages per day, on average, at
> my personal email address.  I got about 8 today.

Since SoBIG died down, that's about ALL the vox* lists have been getting,
so far as spam, lately.

(I found a neat JavaScript URL you can pump into Mozilla that checks
all of the 'Discard' form buttons in the mailman admin page.  Really helps
when I go in every couple of days to wipe 'em out.)

-bill!

-- 
[EMAIL PROTECTED]   Got kids?  Get Tux Paint! 
http://newbreedsoftware.com/bill/   http://newbreedsoftware.com/tuxpaint/



Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Bill Kendrick
On Thu, Sep 25, 2003 at 11:45:04AM -0700, David Margolis wrote:
> My wife and I talked about how tragic it would be if an elderly
> person answered, or a mentally disabled person, or anybody else who
> otherwise might be a bit easier to take advantage of.  They were very good
> at the scam.

We just received a call ('unknown' on caller ID, so the ans. mach. got it)
with a message saying "Yeah, we've been trying to reach you, but I guess
we'll go ahead and leave a message.  Since you've been paying your
mortgage on time..."

That's when I said "hang up on 'em".  :)  We rent an apartment. :)


> The lady (it seemed like the same lady every time) even left a phone
> number.  When you called the number, it would be her on an answering
> machine telling you to _go ahead and leave your name and social security
> number_ at the tone.

Okay, that's just desperate, on their (the scammers') part. :^)


 
> For what it's worth, from an HTTP/URI and JavaScript point of view, this
> scam is clever, especially when it redirects the parent window back to the
> REAL citibank site (that is just an excellent touch).

I gotta admit, I agree.

-bill!

-- 
[EMAIL PROTECTED]   Got kids?  Get Tux Paint! 
http://newbreedsoftware.com/bill/   http://newbreedsoftware.com/tuxpaint/


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Jeff Newmiller
On Thu, 25 Sep 2003 [EMAIL PROTECTED] wrote:

> On Thu 25 Sep 03, 12:09 PM, Donald Childs <[EMAIL PROTECTED]> said:
> > Has this been submitted to Citibank or the
> 
> it's been reported to [EMAIL PROTECTED]  i've been toying around with
> reporting it to FBI since i'm fairly sure this WILL catch people, and
> it's not a silly pyramid scheme (remember those?) or nigerian scam (even
> those are starting to fade away).  i just need to look into who at the
> FBI gets this sort of stuff.

I get about three or four nigerian scam messages per day, on average, at
my personal email address.  I got about 8 today.  I used to collect them,
because there seemed to be so many variations, but I lost interest awhile
ago.  Anyway, they don't seem to be fading from my home emailbox.  (My
work email rarely gets them.)

---
Jeff NewmillerThe .   .  Go Live...
DCN:<[EMAIL PROTECTED]>Basics: ##.#.   ##.#.  Live Go...
  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
---



Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Rob Rogers
On Thu, Sep 25, 2003 at 13:58:13PM -0700, Micah J. Cowan wrote:
> On Thu, Sep 25, 2003 at 09:33:08AM -0700, Michael J Wenk wrote:
> > 
> > Also, guess it doesn't hurt to say that you should never have your PIN
> > for online banking match the one for your ATM.  Or if you're forced, be
> > bloody sure that the site you enter it, really is your bank's site.  
> 
> Do you know of banks that let you choose two different PINs, one for
> online, one for ATM? That'd be nice...

Golden 1. In fact, my ATM pin and my "Telephone Teller" passcode are 
different (even different lengths), and my online password includes 
letters and symbols.


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Micah J. Cowan
On Thu, Sep 25, 2003 at 11:07:39AM -0700, Michael J Wenk wrote:
> On Thu, Sep 25, 2003 at 10:57:25AM -0700, Mark K. Kim wrote:
> > I think what you've described is the URI.  URL is supposed to be a subset
> > of URI, whatever that means.  I personally don't care but I wouldn't mind
> > knowing what that means if anyone else knows.
> 
> 
> I referred to an RFC that describes URIs, which I did at one time
> read (several years ago), or perhaps I read it in a book, I forget.  In
> any event, a URI is the identifier portion of the URL.  It tells you
> what resource you are trying to get, but not how to get it.  In simpler
> terms it would be everything to the right of the :// in URL.  I suggest
> you check the RFC I referenced, as I may be off a bit. 

Absolutely untrue, actually. As Mark said, URL is a subset of URI, not
vice versa. No part of a URL is a URI; all of a URL is always a URI. A
URI (Universal Resource Identifier) is a superset of URL (Universal
Resource Identifier), including one other type of identifier (which
can sometimes overlap URL), URN (Universal Resource Name). URNs are
beasts which refer to a resource by identifying them uniquely, not
(necessarily) specifying where they exist. There are several schemes
in existence, but most of them have yet to be put into practice. One
noticeable exception is "persistent URLs", which is a URL that is
expected to persist over time.

The stuff to the left of the first ":" in a URI (URNs have 'em too) is called
the "scheme".

HTH,
Micah


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Micah J. Cowan
On Thu, Sep 25, 2003 at 09:33:08AM -0700, Michael J Wenk wrote:
> On Thu, Sep 25, 2003 at 08:17:52AM -0700, [EMAIL PROTECTED] wrote:
> > On Thu 25 Sep 03, 10:46 AM, Rob Rogers <[EMAIL PROTECTED]> said:
> > > On Thu, Sep 25, 2003 at 07:24:56AM -0700, [EMAIL PROTECTED] wrote:
> > > > 
> > > > i didn't know this.  so, an URL is of the form:
> > > > 
> > > > URL = user:[EMAIL PROTECTED]
> > > > 
> > > > where lowercase "url" is what i used to think of as being an url. and
> > > > the "user:password@" portion is optional.
> > > 
> > > Right. You've probably even seen it for an ftp url...works the same way
> > > for http, just not seen as often.
> >  
> > aha.  thanks!
> > 
> > > As a side note, Opera gave me the following in a popup when I tried to
> > > click on your URL
> > > 
> > > Security warning:
> > > 
> > > You are about to go to an address containing a username.
> > > 
> > >   Username: www.citibank.com
> > >   Server: a3ksd.pisem.net
> > > 
> > > Are you sure you want to go to this address?
> >  
> > yeah, i got that too (i'm on opera).
> > 
> > i was convinced the email was a fraud by looking at it.  i know banks
> > don't ask for PIN's.  they go through great lengths not to know your PIN
> > when you create the account.  for instance, washington mutual has a machine
> > you enter your PIN into, and the teller has to walk at least 3 feet away
> > and turn around before you punch your number in.
> > 
> > but i was so darned curious, i had to investigate!
> >  
> > pete
> 
> Also, guess it doesn't hurt to say that you should never have your PIN
> for online banking match the one for your ATM.  Or if you're forced, be
> bloody sure that the site you enter it, really is your bank's site.  

Do you know of banks that let you choose two different PINs, one for
online, one for ATM? That'd be nice...

> 
> Oh, URI stands for Uniform Resource Identifier (see RFC 2396 for
> details) 

Yeah, it does... but what does that have to do with anything? All of
the URIs he cited are also valid URLs, so he's perfectly right to
refer to them as such, if that's what you're getting at. Also, the
difference is mostly theoretical, as I haven't seen many (any?) REAL
URNs in the wild, except for "persistent URLs".

-Mciah


RE: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Donald Childs
> I thought the Secret Service for the most part was the group that
> investigated computer crime.  Or am I behind the times?

You're right. I remember the Bee doing a story in 09/2002 about the Secret
Service Sacramento Branch investigating a variation on the Nigerian Banking
scam.

"Trail of Nigerian bank scheme leads agent right back home, September 24,
2002, By Edgar Sanchez"

The Secret Service, according to the task force staff page,
http://www.sachitechcops.org/agencies.htm , has 2 agents participating.

I imagine that the task force serves as a "clearinghouse" for all
"computer/electronic/internet" crimes that occur in the participating
jurisdictions, so as to make it simpler for people to report crimes to one
agency, vs. trying to ascertain the appropriate law enforcement agency to
contact.

The Bee solicits "scam" stories. Edgar Sanchez mailto:[EMAIL PROTECTED]
used to cover them.
(916)321-1132  or mailto:[EMAIL PROTECTED]



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Michael J Wenk
> Sent: Thursday, September 25, 2003 1:08 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [vox-tech] one of the most pernicious spams i've ever seen.
>
>
> On Thu, Sep 25, 2003 at 12:22:43PM -0700, [EMAIL PROTECTED] wrote:
> > On Thu 25 Sep 03, 12:09 PM, Donald Childs <[EMAIL PROTECTED]> said:
> > > Has this been submitted to Citibank or the
> >
> > it's been reported to [EMAIL PROTECTED]  i've been toying around with
> > reporting it to FBI since i'm fairly sure this WILL catch people, and
> > it's not a silly pyramid scheme (remember those?) or nigerian scam (even
> > those are starting to fade away).  i just need to look into who at the
> > FBI gets this sort of stuff.
>
> I thought the Secret Service for the most part was the group that
> investigated computer crime.  Or am I behind the times?
>
> > > Sacramento Valley Hi-Tech Crimes Task Force (
> > > http://www.sachitechcops.org/ )?
> >
> > wow.  awesome.  i wouldn't mind working for a group like that.  it
> > sounds interesting.
> >
> > but would they care?  pisem.net is in russia and we're now living in new
> > jersey...   :)
>
> Well, it depends I guess, I wouldn't bet against russia cooperating in
> this, it's pretty much out and out identity theft, not like it's a
> copyright violation or anything. :)
>
> In any event, would depend how widespread this is, and how much money
> could conceivably be stolen.
>
> Mike




Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Ken Bloom
On 2003.09.25 07:46, Rob Rogers wrote:
> On Thu, Sep 25, 2003 at 07:24:56AM -0700, [EMAIL PROTECTED] wrote:
> >
> > i didn't know this.  so, an URL is of the form:
> >
> > URL = user:[EMAIL PROTECTED]
> >
> > where lowercase "url" is what i used to think of as being an url. and
> > the "user:password@" portion is optional.
>
> Right. You've probably even seen it for an ftp url...works the same way
> for http, just not seen as often.
>
> As a side note, Opera gave me the following in a popup when I tried to
> click on your URL
>
> Security warning:
>
> You are about to go to an address containing a username.
>
>   Username: www.citibank.com
>   Server: a3ksd.pisem.net
>
> Are you sure you want to go to this address?
>
> This would be a nice feature for the open source browsers (some may even
> have it already...I'm stuck on Windows at the moment, so I can't check)

Galeon does not do this. I think I'll file a wishlist item for it on
Debian's BTS.

--
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
My key was last signed 6/10/2003. If you use GPG, *please* see me about
signing the key. * My computer can't give you viruses by email. ***
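
The check behind the Opera warning quoted in this thread, as an added example that is not part of the original messages or any browser's code: it splits a URL into scheme, userinfo and server, and flags a username that is shaped like a host name but is not the server actually contacted. The function names are this example's own, and the password and query values in the sample are constructed placeholders because the archive redacts the real ones.

```python
import re
from urllib.parse import urlsplit, unquote

# "label.label.tld" shape: a user name that reads like a host name.
_HOSTLIKE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)

# Constructed sample in the shape discussed in the thread. The username and
# server are the ones shown in the quoted Opera warning; the password and
# query string are placeholders.
SAMPLE_URL = "http://www.citibank.com:PLACEHOLDER@a3ksd.PiSeM.NeT/3/?PLACEHOLDER"


def inspect_url(url):
    """Return the parts of a URL that decide where a request really goes."""
    parts = urlsplit(url)
    # Userinfo may be percent-encoded to hide the dots; decode before judging.
    username = unquote(parts.username) if parts.username else None
    host = parts.hostname  # urllib lower-cases the host for us
    findings = []
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo-present")
    if username and _HOSTLIKE.match(username) and username.lower() != host:
        findings.append("username-looks-like-host")
    # Everything before the LAST '@' is userinfo, so extra '@' signs only
    # lengthen the decoy part of the address.
    if parts.netloc.count("@") > 1:
        findings.append("multiple-at-signs")
    return {
        "scheme": parts.scheme,
        "username": username,
        "has_password": parts.password is not None,
        "host": host,
        "findings": findings,
    }


def warning_text(url):
    """Build a prompt in the style of the quoted warning, or None if no userinfo."""
    info = inspect_url(url)
    if "userinfo-present" not in info["findings"]:
        return None
    return (
        "You are about to go to an address containing a username.\n"
        f"  Username: {info['username']}\n"
        f"  Server: {info['host']}"
    )


if __name__ == "__main__":
    for candidate in (
        SAMPLE_URL,
        "ftp://anonymous:guest@ftp.example.org/pub/",       # ordinary ftp login
        "http://www%2Eexample%2Ecom@198.51.100.7/",          # encoded decoy
        "http://www.example.com/index.html",                 # no userinfo
    ):
        print(candidate)
        print("  ", inspect_url(candidate)["findings"])
        text = warning_text(candidate)
        if text:
            print(text)
```

A mail filter or link preview can apply the same test and show only the `host` value to the reader.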




Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Michael J Wenk
On Thu, Sep 25, 2003 at 12:22:43PM -0700, [EMAIL PROTECTED] wrote:
> On Thu 25 Sep 03, 12:09 PM, Donald Childs <[EMAIL PROTECTED]> said:
> > Has this been submitted to Citibank or the
> 
> it's been reported to [EMAIL PROTECTED]  i've been toying around with
> reporting it to FBI since i'm fairly sure this WILL catch people, and
> it's not a silly pyramid scheme (remember those?) or nigerian scam (even
> those are starting to fade away).  i just need to look into who at the
> FBI gets this sort of stuff.

I thought the Secret Service for the most part was the group that
investigated computer crime.  Or am I behind the times? 

> > Sacramento Valley Hi-Tech Crimes Task Force (
> > http://www.sachitechcops.org/ )?
> 
> wow.  awesome.  i wouldn't mind working for a group like that.  it
> sounds interesting.
> 
> but would they care?  pisem.net is in russia and we're now living in new
> jersey...   :)

Well, it depends I guess, I wouldn't bet against russia cooperating in
this, it's pretty much out and out identity theft, not like it's a
copyright violation or anything. :) 

In any event, would depend how widespread this is, and how much money
could conceivably be stolen.  

Mike


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Tim Riley


[EMAIL PROTECTED] wrote:

> On Thu 25 Sep 03, 12:09 PM, Donald Childs <[EMAIL PROTECTED]> said:
> > Has this been submitted to Citibank or the
>
> it's been reported to [EMAIL PROTECTED]

The post on the dubious account/pin form gets transmitted to
blades.netnation.com.
I sent a message to Netnation about this, and hopefully they'll close the
cgi account.

> i've been toying around with
> reporting it to FBI since i'm fairly sure this WILL catch people, and
> it's not a silly pyramid scheme (remember those?) or nigerian scam (even
> those are starting to fade away).  i just need to look into who at the
> FBI gets this sort of stuff.
>
> > Sacramento Valley Hi-Tech Crimes Task Force (
> > http://www.sachitechcops.org/ )?
>
> wow.  awesome.  i wouldn't mind working for a group like that.  it
> sounds interesting.
>
> but would they care?  pisem.net is in russia and we're now living in new
> jersey...   :)
>
> pete
>
> >
> > -Donald
>
> --
> GPG Instructions: http://www.dirac.org/linux/gpg
> GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D



RE: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Donald Childs
> i just need to look into who at the
> FBI gets this sort of stuff.

I think the FBI is a participating member of the task force
http://www.sachitechcops.org/agencies.htm

Hopefully, Citibank folks who read the abuse email will move to protect their
customers.


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, September 25, 2003 12:23 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [vox-tech] one of the most pernicious spams i've ever seen.
>
>
> On Thu 25 Sep 03, 12:09 PM, Donald Childs <[EMAIL PROTECTED]> said:
> > Has this been submitted to Citibank or the
>
> it's been reported to [EMAIL PROTECTED]  i've been toying around with
> reporting it to FBI since i'm fairly sure this WILL catch people, and
> it's not a silly pyramid scheme (remember those?) or nigerian scam (even
> those are starting to fade away).  i just need to look into who at the
> FBI gets this sort of stuff.
>
> > Sacramento Valley Hi-Tech Crimes Task Force (
> > http://www.sachitechcops.org/ )?
>
> wow.  awesome.  i wouldn't mind working for a group like that.  it
> sounds interesting.
>
> but would they care?  pisem.net is in russia and we're now living in new
> jersey...   :)
>
> pete
>
> >
> > -Donald
>
>
> --
> GPG Instructions: http://www.dirac.org/linux/gpg
> GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D




Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread p
On Thu 25 Sep 03, 12:09 PM, Donald Childs <[EMAIL PROTECTED]> said:
> Has this been submitted to Citibank or the

it's been reported to [EMAIL PROTECTED]  i've been toying around with
reporting it to FBI since i'm fairly sure this WILL catch people, and
it's not a silly pyramid scheme (remember those?) or nigerian scam (even
those are starting to fade away).  i just need to look into who at the
FBI gets this sort of stuff.

> Sacramento Valley Hi-Tech Crimes Task Force (
> http://www.sachitechcops.org/ )?

wow.  awesome.  i wouldn't mind working for a group like that.  it
sounds interesting.

but would they care?  pisem.net is in russia and we're now living in new
jersey...   :)

pete

> 
> -Donald


-- 
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D


RE: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Donald Childs
Has this been submitted to Citibank or the
Sacramento Valley Hi-Tech Crimes Task Force (
http://www.sachitechcops.org/ )?

-Donald

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, September 25, 2003 6:31 AM
> To: [EMAIL PROTECTED]
> Subject: [vox-tech] one of the most pernicious spams i've ever seen.
>
>
> hi all,
>
> rhonda received this email last night.
>
> when you feed a browser the given url, the citibank page comes up.  but
> you also get a small page with a form that asks for your bank account
> number and PIN.
>
> i had to do a double take.  we DO have a citibank account via an
> investment account we have.
>
> on one hand, a bank *NEVER* asks you for your PIN.  even in person when
> you're at the bank.  So they certainly wouldn't ask you for a PIN over
> the net.
>
> they also slip up and go between "citibank" and "citybank".
>
> they also misspell "becaurse".
>
> the email is misformatted and not sent from a citibank.com address.
> they didn't even try to add bogus headers.  it just doesn't look real.
> the whole thing is amateurish.
>
>
> but the URL is what made me do a double take.  i've never seen that
> before.  they somehow managed to get a "www.citibank.com" url, tack on
> some weird characters, and obviously put up some kind of page that
> piggybacks(?) on citibank.com.  it's a nice effect.  i'm absolutely
> certain this will fool some non-savvy people.
>
>
> my question is -- how is this done?  how does this URL:
>
> http://www.citibank.com:[EMAIL PROTECTED]
> M.NeT/3/?IYTEw
> 4eVTtbH1w6CpDrT
>
> bring up citibank.com's webpage and then another page with the
> account/PIN grabber?  i've never seen anything like this before.
>
> pete
>
>
>
>
> --- Verify <[EMAIL PROTECTED]> wrote:
> > X-Apparently-To: [EMAIL PROTECTED] via
> > 216.136.173.101; Wed, 24 Sep 2003 17:09:51 -0700
> > X-YahooFilteredBulk: 68.81.128.134
> > Return-Path: <[EMAIL PROTECTED]>
> > Received: from 68.81.128.134  (HELO
> > pcp01335001pcs.fairmt01.pa.comcast.net)
> > (68.81.128.134)
> >   by mta109.mail.sc5.yahoo.com with SMTP; Wed, 24
> > Sep 2003 17:09:50 -0700
> > Received: from three.serpentine.com [129.134.135.20]
> > by pcp01335001pcs.fairmt01.pa.comcast.net (Postfix)
> > with ESMTP id D97F786D2469 for <[EMAIL PROTECTED]>;
> > Thu, 25 Sep 2003 08:09:43 +
> > Date: Thu, 25 Sep 2003 08:09:43 +
> > From: Verify <[EMAIL PROTECTED]>
> > Subject: Citibank E-mail Verification
> > To: BAKEY17 <[EMAIL PROTECTED]>
> > References: <[EMAIL PROTECTED]>
> > In-Reply-To: <[EMAIL PROTECTED]>
> > Message-ID: <[EMAIL PROTECTED]>
> > Reply-to: Verify <[EMAIL PROTECTED]>
> > Sender: Verify <[EMAIL PROTECTED]>
> > MIME-Version: 1.0
> > Content-Type: text/plain
> > Content-Transfer-Encoding: 8bit
> > Content-Length: 926
> >
> > Dear Citibank Member,
> >
> > This email was sent by the Citibank server to verify
> > your e-mail address. You must
> > complete this process by clicking on the link below
> > and entering in the small window
> > your Citibank ATM/Debit Card number and PIN that you
> > use on ATM.
> > This is done for your protection --- becaurse some
> > of our members no longer have access
> > to their email addresses and we must verify it.
> >
> > To verify your e-mail address and access your
> > account,
> > click on the link below. If nothing happens when you
> > click on the
> > link (or if you use AOL), copy and paste the link
> > into the address bar of
> > your web browser.
> >
> >
> >
> http://www.citibank.com:[EMAIL PROTECTED]
M.NeT/3/?IYTEw4eVTtbH1w6CpDrT
>
>
> -
>  Thank you for using Citibank!
> -
>
> This automatic email sent to: [EMAIL PROTECTED]
> Do not reply to this email.

- End forwarded message -

--
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread David Margolis


On Thu, 25 Sep 2003, Rob Rogers wrote:
>
> Name
> CC#
> CCV (that 3 digit number at the end of the signature panel)
> Pin #
> Mother's maiden name.
> MSN Acct name
> MSN password
> Social security #
>

My wife and I got some phone calls like this a few months ago.

When they'd call, they'd say that they were from wells fargo (we don't
have wells fargo, but 50% of californians probably do) and they'd say
there was a problem with my
account, and they needed to verify some information.  They'd ask for my
mother's maiden name, last four digits of SSN, etc.  They'd say _are you
still living at 123 front st._ hoping you'd say, _no, i live at XXX
whatever street_.  It was all very strategic and well done.  Any stupid,
optimistic, or gullible, person would just start spouting out personal
info.  My wife and I talked about how tragic it would be if an elderly
person answered, or a mentally disabled person, or anybody else who
otherwise might be a bit easier to take advantage of.  They were very good
at the scam.

The lady (it seemed like the same lady every time) even left a phone
number.  When you called the number, it would be her on an answering
machine telling you to _go ahead and leave your name and social security
number_ at the tone.

We reported this all to the police and never heard back from them (what do
you expect?).

Us security-minded folk are probably not very susceptible to this type of
scam (if you use SSH or GPG, you're probably smart/paranoid enough to be
safe), but think how many people online are.  Sometimes I want to say
_screw 'em if they aren't smart enough to not get scammed_ but then I
think of my dad who calls me to complain about the button on his webpage
that says _speed up you internet connection by clicking here_ not
working, and I guess I have to be a little more forgiving of the technically
challenged (not to say that tech-savvy folks are always security-savvy,
but whatever).

For what it's worth, from an HTTP/URI and JavaScript point of view, this
scam is clever, especially when it redirects the parent window back to the
REAL citibank site (that is just an excellent touch).

Dave M.



Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Michael J Wenk
On Thu, Sep 25, 2003 at 10:57:25AM -0700, Mark K. Kim wrote:
> I think what you've described is the URI.  URL is supposed to be a subset
> of URI, whatever that means.  I personally don't care but I wouldn't mind
> knowing what that means if anyone else knows.


I referred to an RFC that describes URIs, which I did at one time
read (several years ago), or perhaps I read it in a book, I forget.  In
any event, a URI is the identifier portion of the URL.  It tells you
what resource you are trying to get, but not how to get it.  In simpler
terms it would be everything to the right of the :// in URL.  I suggest
you check the RFC I referenced, as I may be off a bit. 

> 
> 
> On Thu, 25 Sep 2003, Mitch Patenaude wrote:
> 
> > > i didn't know this.  so, an URL is of the form:
> > >
> > > URL = user:[EMAIL PROTECTED]
> > >
> > > where lowercase "url" is what i used to think of as being an url. and
> > > the "user:password@" portion is optional.
> >
> > in Pseudo-BNF a URL spec looks something like
> >
> > ://[[:[EMAIL PROTECTED][:]/
> > [{/}][?[=value]{&[=value]}]
> >
> > and everything after the server/port is called a URI (Uniform Resource
> > Indicator? I think)  which itself can be broken down into a "PATH" and
> > a "QUERY_STRING" (a la cgi environment variables.)
> >
> > I used to work for a company that made web tracking software, so I got
> > to know the URL spec pretty well.
> >
> > -- Mitch
> >
> > ___
> > vox-tech mailing list
> > [EMAIL PROTECTED]
> > http://lists.lugod.org/mailman/listinfo/vox-tech
> >
> 
> -- 
> Mark K. Kim
> http://www.cbreak.org/
> PGP key available on the website
> PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
> 
> ___
> vox-tech mailing list
> [EMAIL PROTECTED]
> http://lists.lugod.org/mailman/listinfo/vox-tech


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Mark K. Kim
I think what you've described is the URI.  URL is supposed to be a subset
of URI, whatever that means.  I personally don't care but I wouldn't mind
knowing what that means if anyone else knows.

-Mark


On Thu, 25 Sep 2003, Mitch Patenaude wrote:

> > i didn't know this.  so, an URL is of the form:
> >
> > URL = user:[EMAIL PROTECTED]
> >
> > where lowercase "url" is what i used to think of as being an url. and
> > the "user:password@" portion is optional.
>
> in Pseudo-BNF a URL spec looks something like
>
> ://[[:[EMAIL PROTECTED][:]/
> [{/}][?[=value]{&[=value]}]
>
> and everything after the server/port is called a URI (Uniform Resource
> Indicator? I think)  which itself can be broken down into a "PATH" and
> a "QUERY_STRING" (a la cgi environment variables.)
>
> I used to work for a company that made web tracking software, so I got
> to know the URL spec pretty well.
>
> -- Mitch
>
> ___
> vox-tech mailing list
> [EMAIL PROTECTED]
> http://lists.lugod.org/mailman/listinfo/vox-tech
>

-- 
Mark K. Kim
http://www.cbreak.org/
PGP key available on the website
PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE



Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread R. Douglas Barbieri
On Thu, Sep 25, 2003 at 09:47:00AM -0700, R. Douglas Barbieri wrote:
> On Thu, Sep 25, 2003 at 06:30:32AM -0700, [EMAIL PROTECTED] wrote:
> > http://www.citibank.com:[EMAIL PROTECTED]/3/?IYTEw
> > 4eVTtbH1w6CpDrT
> 
> This has me flabbergasted. I bet this trick worked very well for the
> scammers. I mean, even though the email is amateurish, the web page
> looks totally legit. I tested this out in konqueror; hovering over any
> link on the page shows that it would be redirected through PsSeM.NeT.
> 
> I remember seeing something like this during the dot bomb. There was a
> website called something like safeweb.com (I can't remember the actual
> name, it's on the tip of my tongue). The idea was for you to be able to
> surf the web using https--the https server would "wrap" all of the
> target links on a page before serving it to your browser via https--I
> guess a kind of web tunneling.

Oh well, never mind. You would think I would look a little closer.  It's
not wrapping, it's doing a popup--and I normally have popups disabled.
This isn't as bad as I thought, but it still should have fooled a lot of
people.

> -- 
> R. Douglas Barbieri
> [EMAIL PROTECTED]
> http://www.dooglio.net
> 
> vi: "The way God meant for man to edit text files..."
> 
> GPG Fingerprint: FE6A 6A57 2B95 7594 E534  BFEE 45F1 9E5E F30A 8A27
> GPG Public key : http://www.dooglio.net/dooglio.asc



-- 
R. Douglas Barbieri
[EMAIL PROTECTED]
http://www.dooglio.net

vi: "The way God meant for man to edit text files..."

GPG Fingerprint: FE6A 6A57 2B95 7594 E534  BFEE 45F1 9E5E F30A 8A27
GPG Public key : http://www.dooglio.net/dooglio.asc




Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread R. Douglas Barbieri
On Thu, Sep 25, 2003 at 06:30:32AM -0700, [EMAIL PROTECTED] wrote:
> http://www.citibank.com:[EMAIL PROTECTED]/3/?IYTEw
> 4eVTtbH1w6CpDrT

This has me flabbergasted. I bet this trick worked very well for the
scammers. I mean, even though the email is amateurish, the web page
looks totally legit. I tested this out in konqueror; hovering over any
link on the page shows that it would be redirected through PsSeM.NeT.

I remember seeing something like this during the dot bomb. There was a
website called something like safeweb.com (I can't remember the actual
name, it's on the tip of my tongue). The idea was for you to be able to
surf the web using https--the https server would "wrap" all of the
target links on a page before serving it to your browser via https--I
guess a kind of web tunneling.

-- 
R. Douglas Barbieri
[EMAIL PROTECTED]
http://www.dooglio.net

vi: "The way God meant for man to edit text files..."

GPG Fingerprint: FE6A 6A57 2B95 7594 E534  BFEE 45F1 9E5E F30A 8A27
GPG Public key : http://www.dooglio.net/dooglio.asc




Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Michael J Wenk
On Thu, Sep 25, 2003 at 08:17:52AM -0700, [EMAIL PROTECTED] wrote:
> On Thu 25 Sep 03, 10:46 AM, Rob Rogers <[EMAIL PROTECTED]> said:
> > On Thu, Sep 25, 2003 at 07:24:56AM -0700, [EMAIL PROTECTED] wrote:
> > > 
> > > i didn't know this.  so, an URL is of the form:
> > > 
> > > URL = user:[EMAIL PROTECTED]
> > > 
> > > where lowercase "url" is what i used to think of as being an url. and
> > > the "user:password@" portion is optional.
> > 
> > Right. You've probably even seen it for an ftp url...works the same way
> > for http, just not seen as often.
>  
> aha.  thanks!
> 
> > As a side note, Opera gave me the following in a popup when I tried to
> > click on your URL
> > 
> > Security warning:
> > 
> > You are about to go to an address containing a username.
> > 
> >   Username: www.citibank.com
> >   Server: a3ksd.pisem.net
> > 
> > Are you sure you want to go to this address?
>  
> yeah, i got that too (i'm on opera).
> 
> i was convinced the email was a fraud by looking at it.  i know banks
> don't ask for PIN's.  they go through great lengths not to know your PIN
> when you create the account.  for instance, washington mutual has a machine
> you enter your PIN into, and the teller has to walk at least 3 feet away
> and turn around before you punch your number in.
> 
> but i was so darned curious, i had to investigate!
>  
> pete

Also, guess it doesn't hurt to say that you should never have your PIN
for online banking match the one for your ATM.  Or if you're forced, be
bloody sure that the site you enter it, really is your bank's site.  

Oh, URI stands for Uniform Resource Identifier (see RFC 2396 for
details) 

Mike




Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Micah J. Cowan
On Thu, Sep 25, 2003 at 06:30:32AM -0700, [EMAIL PROTECTED] wrote:
> on one hand, a bank *NEVER* asks you for your PIN.  even in person when
> you're at the bank.  So they certainly wouldn't ask you for a PIN over
> the net.

My bank (Wells Fargo) does over the phone (automated); I'm also
requested to enter it sometimes on a keypad in person (they would
never ask for me to pronounce it, of course), so I wouldn't have been
too surprised.

> my question is -- how is this done?  how does this URL:
> 
> http://www.citibank.com:[EMAIL PROTECTED]/3/?IYTEw
> 4eVTtbH1w6CpDrT

Not a citibank.com URL, it's a pisem.net URL. Look more closely
(haven't read any of the other responses yet, but I'm sure I'm not the
first to point this out). Pretty sneaky, huh?

> bring up citibank.com's webpage and then another page with the
> account/PIN grabber?  i've never seen anything like this before.

Not sure how that's done, but I'm pretty sure that if you completely
restart your browser it won't happen.

-Micah


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread p
On Thu 25 Sep 03, 10:46 AM, Rob Rogers <[EMAIL PROTECTED]> said:
> On Thu, Sep 25, 2003 at 07:24:56AM -0700, [EMAIL PROTECTED] wrote:
> > 
> > i didn't know this.  so, an URL is of the form:
> > 
> > URL = user:[EMAIL PROTECTED]
> > 
> > where lowercase "url" is what i used to think of as being an url. and
> > the "user:password@" portion is optional.
> 
> Right. You've probably even seen it for an ftp url...works the same way
> for http, just not seen as often.
 
aha.  thanks!

> As a side note, Opera gave me the following in a popup when I tried to
> click on your URL
> 
> Security warning:
> 
> You are about to go to an address containing a username.
> 
>   Username: www.citibank.com
>   Server: a3ksd.pisem.net
> 
> Are you sure you want to go to this address?
 
yeah, i got that too (i'm on opera).

i was convinced the email was a fraud by looking at it.  i know banks
don't ask for PIN's.  they go through great lengths not to know your PIN
when you create the account.  for instance, washington mutual has a machine
you enter your PIN into, and the teller has to walk at least 3 feet away
and turn around before you punch your number in.

but i was so darned curious, i had to investigate!
 
pete

-- 
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Rob Rogers
On Thu, Sep 25, 2003 at 07:36:13AM -0700, Mitch Patenaude wrote:
> I've seen a lot of these (my email address is 7 years old.. and has 
> been published a lot.  I get a lot of spam).
> 
> Bruce Schneier called these "URL semantic attacks", but now that I've 
> heard it, I like phishing better.  I've seen a couple of really devious 
> variations.  Both of these require HTML email. (I know.. it's evil, but 
> common)  both had an apparently perfectly valid looking ebay or paypal 
> URL, but when clicked on went to www.eboy.net and www.paypa1.com 
> (that's a 1 in the second URL, not an "L").
> 
> The ways they achieved the perfectly looking URL were:
> 
> 1) The entire message (supposedly) from ebay was actually an 
> image/link, not just the blue underlined text. (but I didn't know this 
> until I followed it.. I knew it was a scam, but I wanted to see how it 
> worked.)
> 
> 2) The "URL" was actually inside another   tag.  The 
> scammers had just escaped the brackets.
> 
> I'm thoroughly convinced that most people don't have the technical 
> savvy to try to detect URL fraud, and so must be trained to do so 
> contextually rather than technically (Why would my bank send me an 
> email asking for my PIN, especially since I didn't give them this email 
> address.)  I figure that most geeks aren't going to fall for this, but 
> I imagine that a lot of identity theft occurs this way.

I think people need to learn to be wary of giving out ANY personal info
online no matter what the circumstances. The most common cases of
phishing do seem to go after ebay/paypal, and the larger ISPs (mainly AOL
and MSN). One recent one posing as an MSN page came as an email saying
your credit card charge didn't go through, and your MSN account would be
canceled if you didn't update your info. On the page it asked for:

Name
CC#
CCV (that 3 digit number at the end of the signature panel)
Pin #
Mother's maiden name.
MSN Acct name
MSN password
Social security #

I don't see how you could not be suspicious at giving away that much
info, but there were a couple dozen people taken in by it.



Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Rob Rogers
On Thu, Sep 25, 2003 at 07:24:56AM -0700, [EMAIL PROTECTED] wrote:
> 
> i didn't know this.  so, an URL is of the form:
> 
> URL = user:[EMAIL PROTECTED]
> 
> where lowercase "url" is what i used to think of as being an url. and
> the "user:password@" portion is optional.

Right. You've probably even seen it for an ftp url...works the same way
for http, just not seen as often.

As a side note, Opera gave me the following in a popup when I tried to
click on your URL

Security warning:

You are about to go to an address containing a username.

  Username: www.citibank.com
  Server: a3ksd.pisem.net

Are you sure you want to go to this address?


This would be a nice feature for the open source browsers (some may even
have it already...I'm stuck on Windows at the moment, so I can't check)


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Mitch Patenaude
> i didn't know this.  so, an URL is of the form:
>
> URL = user:[EMAIL PROTECTED]
>
> where lowercase "url" is what i used to think of as being an url. and
> the "user:password@" portion is optional.

in Pseudo-BNF a URL spec looks something like

://[[:[EMAIL PROTECTED][:]/ 
[{/}][?[=value]{&[=value]}]

and everything after the server/port is called a URI (Uniform Resource  
Indicator? I think)  which itself can be broken down into a "PATH" and  
a "QUERY_STRING" (a la cgi environment variables.)

I used to work for a company that made web tracking software, so I got  
to know the URL spec pretty well.

-- Mitch



Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Mitch Patenaude
I've seen a lot of these (my email address is 7 years old.. and has 
been published a lot.  I get a lot of spam).

Bruce Schneier called these "URL semantic attacks", but now that I've 
heard it, I like phishing better.  I've seen a couple of really devious 
variations.  Both of these require HTML email. (I know.. it's evil, but 
common)  both had an apparently perfectly valid looking ebay or paypal 
URL, but when clicked on went to www.eboy.net and www.paypa1.com 
(that's a 1 in the second URL, not an "L").

The ways they achieved the perfectly looking URL were:

1) The entire message (supposedly) from ebay was actually an 
image/link, not just the blue underlined text. (but I didn't know this 
until I followed it.. I knew it was a scam, but I wanted to see how it 
worked.)

2) The "URL" was actually inside another   tag.  The 
scammers had just escaped the brackets.

I'm thoroughly convinced that most people don't have the technical 
savvy to try to detect URL fraud, and so must be trained to do so 
contextually rather than technically (Why would my bank send me an 
email asking for my PIN, especially since I didn't give them this email 
address.)  I figure that most geeks aren't going to fall for this, but 
I imagine that a lot of identity theft occurs this way.

  -- Mitch
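
The mismatch described in this message, a link that displays one site's URL while pointing at another, and the image-as-link variation, can be checked on the HTML body of a mail. This is an added example, not code from the thread: `LinkAuditor`, `audit_links` and the finding labels are hypothetical names, the sample HTML is constructed, and it assumes the mail uses ordinary anchor elements.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; the two destination hosts are the ones named above.
SAMPLE_HTML = """
<p>Dear member, please confirm your account:</p>
<a href="http://www.eboy.net/confirm">http://www.ebay.com/confirm</a>
<a href="http://www.paypa1.com/"><img src="cid:notice.png" alt="notice"></a>
<a href="http://www.ebay.com/help">Help pages</a>
"""

# Visible link text that is itself a URL or bare host name; group 1 is the host.
URL_TEXT = re.compile(
    r"^\s*(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]\S*)?\s*$", re.I)


def host_of(url):
    """Host a URL really points at, or "" if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


class LinkAuditor(HTMLParser):
    """Collects every <a> element with its href, visible text and image flag."""

    def __init__(self):
        super().__init__()
        self.links = []     # finished link records
        self._open = None   # link currently being read, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._open = {"href": href, "text": "", "image": False}
        elif tag == "img" and self._open is not None:
            self._open["image"] = True

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def audit_links(html):
    """Return (destination_host, finding) pairs for links worth a second look."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    report = []
    for link in parser.links:
        dest = host_of(link["href"])
        text = link["text"].strip()
        shown = URL_TEXT.match(text)
        if shown and shown.group(1).lower() != dest:
            # The reader sees one host, the click goes to another.
            report.append((dest, "text-shows-other-host:" + shown.group(1).lower()))
        elif link["image"] and not text:
            # No readable destination at all: the picture is the link.
            report.append((dest, "image-only-link"))
    return report


if __name__ == "__main__":
    for dest, finding in audit_links(SAMPLE_HTML):
        print(dest, finding)
```

Image-only links are common in legitimate mail too, so that finding is a prompt to look at the destination host, not a verdict.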



Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread p
On Thu 25 Sep 03,  9:49 AM, Rob Rogers <[EMAIL PROTECTED]> said:
> On Thu, Sep 25, 2003 at 06:30:32AM -0700, [EMAIL PROTECTED] wrote:
> >
> > my question is -- how is this done?  how does this URL:
> > 
> > http://www.citibank.com:[EMAIL PROTECTED]/3/?IYTEw
> > 4eVTtbH1w6CpDrT
> > 
> > bring up citibank.com's webpage and then another page with the
> > account/PIN grabber?  i've never seen anything like this before.
> 
> If you break down that url it looks like:
> 
> www.citibank.com <- username
> : <- separator
> ac=VybznNffNxknAUxPrfE2jYaQUptJ <- password
> @ <- at (duh)
> a3ksd.PiSeM.NeT <- servername
> /3/?IYTEw4eVTtbH1w6CpDrT <- misc crap
> 
> And doing a wget on that url gives me this (comments added)
> 
> 
> 
> http://citibank.com/us/index.htm";>
> 
> 
> 
> 

i didn't know this.  so, an URL is of the form:

URL = user:[EMAIL PROTECTED]

where lowercase "url" is what i used to think of as being an url. and
the "user:password@" portion is optional.


pete

-- 
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Rob Rogers
On Thu, Sep 25, 2003 at 09:49:45AM -0400, Rob Rogers wrote:
> On Thu, Sep 25, 2003 at 06:30:32AM -0700, [EMAIL PROTECTED] wrote:
> > when you feed a browser the given url, the citibank page comes up.  but
> > you also get a small page with a form that asks for your bank account
> > number and PIN.
> [snip]
> > my question is -- how is this done?  how does this URL:
> > 
> > http://www.citibank.com:[EMAIL PROTECTED]/3/?IYTEw
> > 4eVTtbH1w6CpDrT
> > 
> > bring up citibank.com's webpage and then another page with the
> > account/PIN grabber?  i've never seen anything like this before.

Hit send too soon... the other thing I wanted to bring up is it's not
uncommon to see this sort of URL encoded in hex after the part they want
you to see. This one was confusing enough, but you'll often also see
something like:

http://www.citibank.com%2e%61%33%6b%73%64%2e%50%69%53%65%4d%2e%4e%65%54

which unencoded becomes http://www.citibank.com.a3ksd.PiSeM.NeT

Just as in the url in your email, most people will see everything up to
the first "unusual" character, and won't bother to look any further.

By the way, this method of trying to steal personal info by trying to
appear as coming from a legitimate company is called phishing.


Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread Rob Rogers
On Thu, Sep 25, 2003 at 06:30:32AM -0700, [EMAIL PROTECTED] wrote:
> when you feed a browser the given url, the citibank page comes up.  but
> you also get a small page with a form that asks for your bank account
> number and PIN.
[snip]
> my question is -- how is this done?  how does this URL:
> 
> http://www.citibank.com:[EMAIL PROTECTED]/3/?IYTEw
> 4eVTtbH1w6CpDrT
> 
> bring up citibank.com's webpage and then another page with the
> account/PIN grabber?  i've never seen anything like this before.

If you break down that url it looks like:

www.citibank.com <- username
: <- separator
ac=VybznNffNxknAUxPrfE2jYaQUptJ <- password
@ <- at (duh)
a3ksd.PiSeM.NeT <- servername
/3/?IYTEw4eVTtbH1w6CpDrT <- misc crap

And doing a wget on that url gives me this (comments added)



http://citibank.com/us/index.htm";>






Even if you don't know HTML, it's fairly easy to see what it's doing.
It's immediately redirecting you to the citibank page, and telling your
browser to give you the popup at the same time.
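
The breakdown in this message, and the percent-encoded variant quoted elsewhere in this thread, can be checked mechanically by asking which host the URL really names. This is an added example, not code from the thread: `analyze_url`, `under` and the finding labels are hypothetical names, and `expected_domain` is whatever domain the reader believes the link goes to. Both sample URLs are the ones quoted in the thread.

```python
from urllib.parse import urlsplit, unquote

# The two URLs quoted in this thread.
USERINFO_URL = ("http://www.citibank.com:ac=VybznNffNxknAUxPrfE2jYaQUptJ"
                "@a3ksd.PiSeM.NeT/3/?IYTEw4eVTtbH1w6CpDrT")
ENCODED_URL = ("http://www.citibank.com"
               "%2e%61%33%6b%73%64%2e%50%69%53%65%4d%2e%4e%65%54")


def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze_url(url, expected_domain):
    """Report which host a URL really targets and why it may mislead.

    expected_domain is supplied by the caller, e.g. "citibank.com".
    """
    parts = urlsplit(url)
    raw_host = parts.hostname or ""     # text after the last '@', port removed
    host = unquote(raw_host).lower()    # the name once percent-escapes are decoded
    findings = []

    if parts.username is not None:
        findings.append("userinfo-present")
        # Everything before '@' is only a login name; flag it when it is
        # dressed up as the site the reader expects.
        if under(unquote(parts.username).lower(), expected_domain):
            findings.append("userinfo-imitates-expected-domain")

    if "%" in raw_host:
        findings.append("percent-encoded-host")

    if not under(host, expected_domain):
        findings.append("host-not-under-expected-domain")
        # e.g. www.citibank.com.a3ksd.pisem.net: the expected name is only
        # a run of leading labels inside somebody else's domain.
        if ("." + expected_domain + ".") in ("." + host):
            findings.append("expected-domain-embedded-in-foreign-host")

    return {"host": host, "findings": findings}


if __name__ == "__main__":
    for sample in (USERINFO_URL, ENCODED_URL):
        print(analyze_url(sample, "citibank.com"))
```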



Re: [vox-tech] one of the most pernicious spams i've ever seen.

2003-09-25 Thread error
> my question is -- how is this done?  how does this URL:
> 
> http://www.citibank.com:[EMAIL PROTECTED]/3/?IYTEw
> 4eVTtbH1w6CpDrT
> 

Ah but you see it doesn't!

It brings up the last part after the @ sign.
a3ksd.PiSeM.NeT/3/?IYTEw4eVTtbH1w6CpDrT

An old dirty trick used by slashdot trolls.
-- 
error <[EMAIL PROTECTED]>
