I guess what makes this different from most, older style, phish mails is that ... well the URL displayed is in fact for the real NAB website... (however it points to an invalid subdirectory link so typing it in manually gets you a dead link message from the real NAB web server)......

now

if you look carefully (i.e. you try to copy and paste some text from the body of the message) you notice that rather than text it is, in fact, an image of text.

in fact a GIF image, with an href which, if you click on the actual image, directs you somewhere else (to the phisher's server in Turkey)


Look, you can open them and for, relatively, some harmless fun you can type in any old fake details and guess what? It lets you in (but spits you out as soon as they think they have the details they want). If it's the kind of trivial pointless revenge thing that warms the cockles of your black heart you could probably quite easily write a script that fills in their form hundreds of thousands of times with random and fake "NAB client" details and then spend the next month chuckling to yourself that, maybe, just maybe, all their online orders of laptops get rejected.

Mark Secker wrote:
I've literally had hundreds of them coming via dozens of dead or dormant e-mail accounts of forwards that I have.

never ever EVER EVER open ANYTHING like this EVER EVER even if it's from your own IT department

Furthermore I have NEVER EVER seen a legitimate e-mail of this type. If they are legitimate they will tell you to ring their service center, and even then you look that up in the white/yellow pages rather than use any phone number they give you.

A legitimate bank email will never ask you for your PIN number, net banking details, etc - if it does, it's a scam, and should be reported to the bank.

You should never follow a link in a message that appears to come from a bank (or, really, anybody else for anything important for security). Instead, use a bookmark or type in the address you know they have. For similar reasons, if they provide a phone number to call or address to send something to, do not use it - look up the bank's details in the phone book instead.

It is extremely important to understand that an e-mail can appear to come from any address of the sender's choice. If I can have your permission I'll demonstrate this shortly by sending a message to the WAMUG list that appears to come from you. Because sender addresses are so trivially faked, you cannot trust that a message is from the person it appears to be from, and should generally be suspicious of any message, no matter who it's from, that asks for security details, personal details, or asks you to take actions like open an attachment, visit a website, or perform tasks on your computer.

Sucks, doesn't it?

--
Craig Ringer
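
The image-as-link trick described at the top of this thread can be flagged mechanically on the receiving side. The following is an added example, not code from any poster in the thread: it audits the links in an HTML mail body and reports anchors that wrap only an image and leave the trusted domain, plus anchors whose visible text shows one host while the href goes to another. The trusted domain `bank.example`, the sample message and all host names in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host-looking string inside visible link text, e.g. "www.bank.example/login"
URL_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkAuditor(HTMLParser):
    """Record each <a>: its href, visible text, and whether it wraps an <img>."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._cur = {"href": attrs["href"], "text": "", "img": False}
        elif tag == "img" and self._cur is not None:
            self._cur["img"] = True

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def audit(html, trusted_domain):
    """Return (finding, href_host) pairs for suspicious links in an HTML body."""
    parser = LinkAuditor()
    parser.feed(html)
    findings = []
    for link in parser.links:
        host = (urlparse(link["href"]).hostname or "").lower()
        on_brand = host == trusted_domain or host.endswith("." + trusted_domain)
        text = link["text"].strip()
        shown = URL_IN_TEXT.search(text)
        if link["img"] and not text and not on_brand:
            # Whole clickable area is a picture (of text), target is off-domain
            findings.append(("image-only-link", host))
        elif shown and shown.group(1).lower() != host:
            # Text displays one host, href goes to another
            findings.append(("text-href-mismatch", host))
    return findings

# Constructed sample body: image-only link, mismatched text link, honest link
SAMPLE = """<html><body>
<a href="http://login.phish.example.net/nab/"><img src="cid:body.gif"></a>
<a href="http://203.0.113.5/secure">www.bank.example/secure</a>
<a href="https://www.bank.example/help">www.bank.example/help</a>
</body></html>"""
```

A URL that appears only inside the image cannot be read without OCR, which is why the first rule keys on the structure of the link rather than on what the picture shows.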