Natwest email scam

This got caught in my mail filters ... I'm presuming it is a scam (as I'm not a NatWest customer). (XXXXXXXXXXX = my email)

Date: Fri, 24 Oct 2003 21:26:25 +0000 From: Verification To: Reply-to: Verification Subject: NatWest E-mail Verification: XXXXXXXXXXXX

Dear NatWest Bank Member, This email was sent by the NatWest server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your NatWest login ID, Password and PIN. This is done for your protection --- because some of our members no longer have access to their email addresses and we must verify it. To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.

formatting link
snipped-for-privacy@vb698f.MaIl.CoM/3/?q1 1MmVEBUFvEatd -------------------------------------------- Thank you for using NatWest! -------------------------------------------- This automatic email sent to: XXXXXXXXXXX Do not reply to this email.

Thom


Sorry about layout of previous msg - not posting from my normal machine.

Thom

Reply to
Thom Baguley

Date: Fri, 24 Oct 2003 21:26:25 +0000 From: Verification To: Reply-to: Verification Subject: NatWest E-mail Verification: XXXXXXXXXXXX

Dear NatWest Bank Member, This email was sent by the NatWest server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your NatWest login ID, Password and PIN. This is done for your protection --- because some of our members no longer have access to their email addresses and we must verify it. To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.

formatting link
snipped-for-privacy@vb698f.MaIl.CoM/3/?q11MmVEBUFvEatd -------------------------------------------- Thank you for using NatWest! -------------------------------------------- This automatic email sent to: XXXXXXXXXXX Do not reply to this email.

Thom

I wonder how that works, since the initial URL starts with natwest.com? Does the :ac=stuff afterwards somehow redirect? There is a warning on the natwest web site about this.

I tried the link, it redirects to

formatting link
and a 'page not found' error.

Reply to
Tumbleweed

Reply to
Phil Stovell

A web url can be quoted in the form http://username: snipped-for-privacy@somedomain.com and so in this case, the trick is sending the website

formatting link
as a username and password combination so that the malicious script can identify the link that was clicked on (based on the xxxxxxx) in addition to conning innocent users into believing it is a link at natwest.

It actually loads the web site address stated after the @ sign.

There are perfectly valid applications for this technique but unfortunately it is an easy one for tricksters to exploit.

Good - it means the fake web site has been removed.

Regards Sunil

Reply to
Sunil Sood

The actual site is

formatting link
You can ignore anything before the @ sign.

Opera will warn you if you click on a link like that, anything else will just take you there.

Spamassassin will give emails that contain a URL like this +1.3 spam points. I'm considering changing this to +5, as I've never seen a legitimate email containing this.

Reply to
Jonathan Bryce

Maybe Verisign should pay more attention to the names they allow people to register and less to trying to grab the incorrect ones!

Reply to
Stephen Burke

> http://username: snipped-for-privacy@somedomain.com
> and so in this case, the trick is sending the website
> formatting link
> as a username and password combination so that the malicious script can identify the link that was clicked on (based on the xxxxxxx) in addition to conning innocent users into believing it is a link at natwest.
>
> unfortunately

Thanks for the info, good to learn something new. Seems like with hindsight that was a bad facility to create. I wonder if a browser could be configured to reject it?

Reply to
Tumbleweed

That wouldn't help, the web site address wasn't anything to do with natwest.

Reply to
Tumbleweed

True, but it was a fairly random-looking string, and you might wonder what people want with such a site.

Reply to
Stephen Burke

"Stephen Burke" wrote

Try looking closely - the actual "dodgy" domain is actually simply "mail333.com". OK, the 333 is slightly unusual - but I'm sure it's not the weirdest domain ever registered!

Reply to
Tim

A request for an enhancement to the Mozilla browser to deal with this problem was filed on 29th Jan 2002. The request is to "Warn user if username/password in link (url) look like a hostname".

formatting link
2445 This request has gathered 66 comments but there is no record of any work on implementing it. The comments mention these other ways of fooling users

1) having the text of the link being one URL, but the actual HREF is to a different URL.
2) Using the JavaScript onclick action to take a user to a page that is not the one in the link HREF.

Bruce

Reply to
Bruce Robson
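Two of the checks discussed in this thread, as an added Python example that is not part of any post: a hostname-like string in the username/password part of a URL (the trick explained above and the subject of the Mozilla request), and link text that shows a different host than the HREF. The `.example` hosts, the sample HTML and the finding names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Userinfo that itself looks like a host name, optionally followed by ":anything".
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?::.*)?$", re.I)

def check_url(url):
    """Return (host the browser really contacts, list of findings)."""
    parts = urlsplit(url)
    findings = []
    userinfo = parts.netloc.rpartition("@")[0]  # everything before the last "@"
    if userinfo:
        findings.append("userinfo-present")
        if HOSTLIKE.match(userinfo):
            findings.append("userinfo-looks-like-hostname")
    return (parts.hostname or "").lower(), findings

class LinkAudit(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_html(body):
    """Return one (real_host, findings) tuple per link in the body."""
    parser = LinkAudit()
    parser.feed(body)
    parser.close()
    report = []
    for href, text in parser.links:
        host, findings = check_url(href)
        if re.match(r"https?://", text, re.I):   # visible text is itself a URL
            shown = check_url(text)[0]
            if shown and shown != host:
                findings.append("text-host-differs-from-href")
        report.append((host, findings))
    return report

# Constructed sample: userinfo trick, text/HREF mismatch, and a clean link.
SAMPLE = ('<a href="http://www.bank.example:ac=XyZ@host.example/3/?q=1">Verify</a>'
          '<a href="http://host.example/login">https://www.bank.example/login</a>'
          '<a href="https://www.bank.example/help">Help</a>')
```

`audit_html(SAMPLE)` reports `host.example` as the real destination of the first two links; the JavaScript onclick case from the list above is not covered by this sketch.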
