And sometimes spammers are very savvy

On the heels of the message I noted in a recent post about an ungrammatical, transparent phishing attempt, I got another that is quite sophisticated. In the context of the problems with US financial institutions, this one refers to a very current news event: Citigroup’s purchase of Wachovia. In addition, it doesn’t baldly request that one submit his userid and password (along with name, birthdate, birthplace, and SSN), but alludes to a change in signature requirements.

I checked the link to determine whether I should alert a company that someone had compromised its server and was luring people to a remote directory on it that held malware, but the base server (birtrum.com) didn’t seem to exist. I found the domain name registered by BIZCN.COM, INC, and it was deleted as of 22 October. After a quick search, I came up with only two spam-monitoring sites that have the Web address under suspicion of misbehavior; that’ll probably change in the next 24 hours, but I wonder how many folks will be taken in by the ruse.

Here’s the raw source for the message (with minor editing to remove a few bits):

Return-Path:
Delivered-To: [me@ours.xxx]
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
[hosting.xxxxxx].net
X-Spam-Level: ****
X-Spam-Status: No, score=4.4 required=7.0 tests=BAYES_50,HELO_DYNAMIC_DHCP,
HTML_MESSAGE,RCVD_IN_PBL,RDNS_DYNAMIC,URIBL_BLACK autolearn=no version=3.2.5
Received: (qmail 26267 invoked from network); 22 Oct 2008 12:36:40 -0400
Received: from dsl88.230-4898.ttnet.net.tr (88.230.19.34)
by [hosting.xxxxxx].net with SMTP; 22 Oct 2008 12:36:39 -0400
Received-SPF: softfail ([hosting.xxxxxx].net: transitioning SPF record at ip4.third.spf.wachovia.com does not designate 88.230.19.34 as permitted sender)
Date: Wed, 22 Oct 2008 14:49:15 +0000
Message-ID:
From: "Wachovia connection Support Center"
To:
Subject: Wachovia Customer Support – Information about customers
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_J022mau4tKknPq"

This is a multi-part message in MIME format.

--=_J022mau4tKknPq
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

WACHOVIA CORPORATION NOTICE.

Citigroup announced a buyout of Wachovia brokered by the FDIC.
All Wachovia bank locations will be in the Citigroup merger to prevent =
failure of Wachovia.
The Citigroup/Wachovia would focus on upgrading banks’ security =
certificates.
All Wachovia customers must fill the forms and complete installation of =
new Citigroup Standard digital signatures during 48 hours.
Please follow the installation steps below:

Read more>>

Sincerely, Tracey Villegas.
2008 Wachovia Corporation.
All rights reserved.
--=_J022mau4tKknPq
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

WACHOVIA CORPORATION NOTICE.

Citigroup announced a buyout of Wachovia brokered by the FDIC.
All Wachovia bank locations will be in the Citigroup merger to prevent =
failure of Wachovia.
The Citigroup/Wachovia would focus on upgrading banks’ security =
certificates.
All Wachovia customers must fill the forms and complete installation of =
new Citigroup Standard digital signatures during 48 hours.
Please follow the installation steps below:

Read =
more [removed URL]

Sincerely, Tracey Villegas.
2008 Wachovia Corporation.
All rights reserved.

--=_J022mau4tKknPq--
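The headers above already carry most of the evidence: the first external hop is a dynamic DSL host in Turkey, SPF for the claimed domain returns softfail, and SpamAssassin fires the PBL, dynamic-rDNS and URIBL tests but still scores the message under its 7.0 threshold. The following script is an added example (my own, not code from the original post) that pulls those indicators out of a message programmatically. RAW_MESSAGE is a constructed sample reproducing the headers shown above; the fields the post redacted (Return-Path, Message-ID, the From and To addresses) hold placeholder values, and the From domain is assumed to be wachovia.com because that is the domain whose SPF record the receiving server consulted.

```python
"""Header triage for a message like the one quoted above.

Added example, not code from the original post. RAW_MESSAGE is a
constructed sample built from the headers the post shows; redacted
fields are placeholders, and the From address domain (wachovia.com)
is an assumption taken from the Received-SPF line. Standard library only.
"""
import re
from email import message_from_string
from email.utils import parseaddr

RAW_MESSAGE = """\
Return-Path: <>
Delivered-To: me@ours.xxx
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
\thosting.xxxxxx.net
X-Spam-Level: ****
X-Spam-Status: No, score=4.4 required=7.0 tests=BAYES_50,HELO_DYNAMIC_DHCP,
\tHTML_MESSAGE,RCVD_IN_PBL,RDNS_DYNAMIC,URIBL_BLACK autolearn=no version=3.2.5
Received: (qmail 26267 invoked from network); 22 Oct 2008 12:36:40 -0400
Received: from dsl88.230-4898.ttnet.net.tr (88.230.19.34)
\tby hosting.xxxxxx.net with SMTP; 22 Oct 2008 12:36:39 -0400
Received-SPF: softfail (hosting.xxxxxx.net: transitioning SPF record at ip4.third.spf.wachovia.com does not designate 88.230.19.34 as permitted sender)
Date: Wed, 22 Oct 2008 14:49:15 +0000
Message-ID: <placeholder@example.invalid>
From: "Wachovia connection Support Center" <placeholder@wachovia.com>
To: me@ours.xxx
Subject: Wachovia Customer Support - Information about customers
MIME-Version: 1.0

(body omitted)
"""

# SpamAssassin tests that, on their own, point at a dynamic/compromised host
# or a blacklisted URL rather than at mere content heuristics.
INFRASTRUCTURE_TESTS = ("RCVD_IN_PBL", "RDNS_DYNAMIC", "HELO_DYNAMIC_DHCP", "URIBL_BLACK")


def parse(raw):
    """Parse a raw RFC 822 message; folded headers are handled by the email package."""
    return message_from_string(raw)


def _unfold(value):
    """Collapse header folding (newline + whitespace) into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()


def spam_score(msg):
    """Return (score, required) from X-Spam-Status, or (None, None) if absent."""
    m = re.search(r"score=([\d.]+)\s+required=([\d.]+)", _unfold(msg.get("X-Spam-Status")))
    return (float(m.group(1)), float(m.group(2))) if m else (None, None)


def spam_tests(msg):
    """Return the list of rule names SpamAssassin recorded in tests=..."""
    status = _unfold(msg.get("X-Spam-Status"))
    m = re.search(r"tests=(.*?)(?=\s+\w+=|$)", status)
    if not m:
        return []
    return [t.strip() for t in m.group(1).split(",") if t.strip()]


def originating_hop(msg):
    """Return (host, ip) of the earliest Received: line naming a peer host and IPv4 address."""
    for hop in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)", hop)
        if m:
            return m.group(1), m.group(2)
    return None, None


def spf_result(msg):
    """First token of Received-SPF, e.g. 'pass', 'softfail', 'fail', 'none'."""
    m = re.match(r"\s*(\w+)", msg.get("Received-SPF", ""))
    return m.group(1).lower() if m else None


def from_domain(msg):
    """Domain part of the From: address, lowercased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Collect human-readable indicators; an empty list means nothing stood out."""
    msg = parse(raw)
    findings = []
    host, ip = originating_hop(msg)
    claimed = from_domain(msg)
    # Heuristic only: legitimate mail often leaves via third-party senders,
    # so a mismatch is a prompt to look closer, not a verdict.
    if host and claimed and not host.lower().endswith(claimed):
        findings.append(f"first external hop {host} ({ip}) is outside From: domain {claimed}")
    spf = spf_result(msg)
    if spf in ("softfail", "fail"):
        findings.append(f"SPF {spf} for {ip} against {claimed}")
    tests = spam_tests(msg)
    for name in INFRASTRUCTURE_TESTS:
        if name in tests:
            findings.append(f"SpamAssassin test {name}")
    score, required = spam_score(msg)
    if score is not None and score < required:
        findings.append(f"score {score} is below threshold {required}: message would be delivered")
    return findings


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE):
        print("-", line)
```

The last finding is the operational lesson: every individual indicator was present, yet the aggregate score (4.4) sat well under the site threshold (7.0), so the message reached the inbox. A rule that raises the score when URIBL_BLACK co-occurs with a dynamic-host test and an SPF softfail would have quarantined this one without touching the threshold for ordinary mail.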

Here is the link, though I’ve broken it by removing the hypertext ref and inserting line feeds in a couple of spots:

commercial.wachovia.online.financial.service.carehtmlclient.
mau4tKknPq.communitypage.comreportid.birtrum.com/
support.html?/certificateUpdate/configlogin/OSL.htm?
LOB=915706323&refer=J022mau4tK
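What makes this link effective is that the eye reads the leftmost labels (commercial.wachovia.online.financial.service...) and stops long before the part that matters, birtrum.com, which is the only portion the registrant actually controls. The script below is an added example (mine, not from the original post) that reassembles the broken link above and reports which brand names appear as decoy subdomain labels outside the registrable domain. The http:// scheme is assumed, since the post strips the hypertext reference. registrable_domain() deliberately keeps just the last two labels; that is right for .com but wrong under multi-level public suffixes such as co.uk, where a Public Suffix List lookup is needed instead.

```python
"""Decoy-label check for the phishing link quoted above.

Added example, not code from the original post. PHISH_URL is the post's
own link reassembled; the http:// scheme is an assumption. The two-label
registrable-domain rule is a simplification that holds for .com only.
"""
from urllib.parse import parse_qs, urlsplit

PHISH_URL = (
    "http://commercial.wachovia.online.financial.service.carehtmlclient."
    "mau4tKknPq.communitypage.comreportid.birtrum.com/"
    "support.html?/certificateUpdate/configlogin/OSL.htm?"
    "LOB=915706323&refer=J022mau4tK"
)

# Brand names worth watching for in hostnames; extend for your own environment.
WATCHED_BRANDS = ("wachovia", "citigroup")


def registrable_domain(hostname):
    """Last two labels of the host (simplified rule; use the Public Suffix List in production)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def decoy_brands(hostname, brands=WATCHED_BRANDS):
    """Brands that appear somewhere in the hostname but not in its registrable domain."""
    host = hostname.lower()
    reg = registrable_domain(host)
    return [b for b in brands if b in host and b not in reg]


def analyze(url, brands=WATCHED_BRANDS):
    """Break a URL into the pieces a reviewer should look at before trusting it."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases the host for us
    return {
        "hostname": host,
        "label_count": len(host.split(".")),
        "registrable_domain": registrable_domain(host),
        "decoy_brands": decoy_brands(host, brands),
        "path": parts.path,
        "query": parse_qs(parts.query),  # everything after the first '?'
    }


def is_lookalike(url, brands=WATCHED_BRANDS):
    """True when a watched brand is used as a decoy label on someone else's domain."""
    return bool(analyze(url, brands)["decoy_brands"])


if __name__ == "__main__":
    for key, value in analyze(PHISH_URL).items():
        print(f"{key:>19}: {value}")
    print("lookalike:", is_lookalike(PHISH_URL))
```

Two details are worth noting when you run it against the post's link. The hostname has eleven labels, far more than any real banking host, and the query string's refer=J022mau4tK value reuses the same token that appears in the message's MIME boundary (=_J022mau4tKknPq) and in the mau4tKknPq label, so each recipient's click could be tied back to the individual message that was sent. A genuine URL such as https://www.wachovia.com/login reports no decoy brands, because there the brand is the registrable domain.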

Filed under News, Notes and comments, Technology