- Joined
- Sep 1, 2002
- Messages
- 590
- Reaction score
- 1
I just got this message by e-mail:
Its "From" address was "[email protected]".
I could tell immediately that it was a phishing scam, not a legitimate bank message... for one thing, I don't even have an account with NatWest.
However, they seem to be more clever than most phishers; they didn't do most of the blatantly obvious stuff that usually indicates a scam, like have hyperlinks that show one URL in the visible text but actually link somewhere else entirely, like a raw IP address or a subdomain with a country code in Eastern Europe or Asia. In fact, the message was in plain text form, and the web addresses given were free of tricky stuff like username syntax obscuring where they went. They in fact wanted you to go to the site at natwest-onlinebank.com. If you actually check the WHOIS on it, you'll find that it was registered yesterday and doesn't belong to NatWest bank; however, the site at that address is a decent imitation of a real bank site (I haven't actually been to the real NatWest site, but I presume they ripped off the code from it, including a menu system that doesn't work properly in my Mozilla browser.) It has a form that asks for info like your account number, PIN, and web site password. (I filled in stuff that had no resemblance to any of my account numbers, PINs, or passwords to check that the form worked; it does.) An alert user might notice that it's all at an "http" address instead of a secure "https" one, but otherwise it's pretty realistic.
The "natwest-banking.com" domain is also recently-registered and doesn't seem to belong to the bank either; there seem to be mail headers showing that the message actually did originate on a server at that address, though such things can be faked; if the phisher owns the domain, though, the headers might be real and could prevent the message from getting filtered as fake.
What makes such scams more likely to succeed, of course, is the fact that banks really do use a bewildering assortment of Stupid Unnecessary Domain Names [tm] instead of logical subdomains of their main domain; Citibank, for instance, uses citibank.com, citi.com, citicards.com, and many others. Thus, one might easily believe that a message like this containing two different variations of "natwest-something.com" might actually be legitimate, since it's little different from the sorts of domain use banks really engage in.
Its "From" address was "[email protected]".
I could tell immediately that it was a phishing scam, not a legitimate bank message... for one thing, I don't even have an account with NatWest.
However, they seem to be more clever than most phishers; they didn't do most of the blatantly obvious stuff that usually indicates a scam, like have hyperlinks that show one URL in the visible text but actually link somewhere else entirely, like a raw IP address or a subdomain with a country code in Eastern Europe or Asia. In fact, the message was in plain text form, and the web addresses given were free of tricky stuff like username syntax obscuring where they went. They in fact wanted you to go to the site at natwest-onlinebank.com. If you actually check the WHOIS on it, you'll find that it was registered yesterday and doesn't belong to NatWest bank; however, the site at that address is a decent imitation of a real bank site (I haven't actually been to the real NatWest site, but I presume they ripped off the code from it, including a menu system that doesn't work properly in my Mozilla browser.) It has a form that asks for info like your account number, PIN, and web site password. (I filled in stuff that had no resemblance to any of my account numbers, PINs, or passwords to check that the form worked; it does.) An alert user might notice that it's all at an "http" address instead of a secure "https" one, but otherwise it's pretty realistic.
The "natwest-banking.com" domain is also recently-registered and doesn't seem to belong to the bank either; there seem to be mail headers showing that the message actually did originate on a server at that address, though such things can be faked; if the phisher owns the domain, though, the headers might be real and could prevent the message from getting filtered as fake.
What makes such scams more likely to succeed, of course, is the fact that banks really do use a bewildering assortment of Stupid Unnecessary Domain Names [tm] instead of logical subdomains of their main domain; Citibank, for instance, uses citibank.com, citi.com, citicards.com, and many others. Thus, one might easily believe that a message like this containing two different variations of "natwest-something.com" might actually be legitimate, since it's little different from the sorts of domain use banks really engage in.
