TCS - Identity Theft

Identity Theft

by Don Singleton
Tulsa Computer Society
From the July 2004 issue of the I/O Port Newsletter

Citibank

I received a message, supposedly from user-billing45@citibank.com with a subject of "!official Notice for all users of Citibank".

The actual URL was disguised by percent-encoding every character: http://%38%31%2E%32%30%38%2E%33%31%2E%31%37%33:%34%39%30%33/%63%69%74/%69%6E%64%65%78%2E%68%74%6D, which decodes to http://81.208.31.173:4903/cit/index.htm, a server in Germany.

The server was not operational when I checked it.

PayPal

Clicking on the Click Here to secure your account link would take you to http://aris.ffk.hr/.paypal/login.html which is in Croatia (HR is for Hrvatska), as VisualRoute shows:

Another about PayPal

Note they tried to include the PayPal logo, but they were not successful. Clicking on the link would take you to http://paypal.vr-fy.com:1211/isapi/.....

The vr-fy.com domain was registered on June 24 (I got the message on June 27), but there was no server online when I got it, so I can't tell where the server is.

Ebay Account Update!

Some are so obvious it amazes me people would think anyone would be fooled by them. For example:

You are receiving the result of your feedback form.
It was sent by
(L9ZL6K@ebay.com) on Freitag, den 11. Juni 2004 um 02:19:59

: :Dear Member

We Here at Ebay, are sorry to inform you that we are having problem's with the billing information on your account. We would appreciate it if you would goto our website and fill out the proper information that we need to keep you as an Ebay member.

Please Update your account information by visiting our updates web site below.

Steve Johnson.
Billing Updates Center
Acoount Updates Team.

http://updatesaccount.tripod.com/ebayupdate1.htm

FHZJD1.

We do hope to continue doing business with you.

The referenced URL clearly is not related to eBay, and the webpage is not even present:

US Bank

The link actually would take you to http://www.pll8782.info/faq_files/approved/index.html. As you see from this graphic, when you go to that page they tried to overlay the URL with a block that said https://www.usbank.com/secure/-run (see the red 1), but the way my browser was set up, the real URL is visible (see the red 2).

http://www.afilias.info/cgi-bin/whois.cgi shows that the domain pll8782.info was registered on June 10 (I received this email on June 11), and as VisualRoute shows the server is in China.

On June 15 I got another copy of this same message, and this time clicking on the link would have taken me to http://www.bis1bp.com/a12/index.html. The server was not online when I tried it, but the domain name was just registered on June 11.

On June 22 I got another copy of this same message, and this time clicking on the link would have taken me to http://testme.3322.org/faq/bin/index.html. The 3322.org domain was registered in 2001 to Yaako Ltd., 1406, Yinyuan Building , 37 West Guanhe Road, Changzhou, China.
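As an added example (not from the newsletter), here is a small Python script that applies the checks this article walks through to the links it quotes: it decodes the percent-encoded Citibank address, and for every link reports the real host, whether it is a bare IP address, the port, and whether a bank's name appears somewhere other than the registered domain (as in aris.ffk.hr/.paypal/ or paypal.vr-fy.com). The BRANDS list and the "last two labels" approximation of the registered domain are my own simplifications.

```python
from urllib.parse import unquote, urlsplit
import ipaddress

# Links quoted in the article; the first is the Citibank link exactly as it was received.
SAMPLE_URLS = [
    "http://%38%31%2E%32%30%38%2E%33%31%2E%31%37%33:%34%39%30%33/%63%69%74/%69%6E%64%65%78%2E%68%74%6D",
    "http://aris.ffk.hr/.paypal/login.html",
    "http://paypal.vr-fy.com:1211/isapi/",
    "http://updatesaccount.tripod.com/ebayupdate1.htm",
    "http://www.pll8782.info/faq_files/approved/index.html",
]

# Brand names the messages impersonate (assumed list for this example).
BRANDS = ("citibank", "paypal", "ebay", "usbank")


def analyze_url(url):
    """Decode percent-encoding, then collect the facts worth checking before
    trusting a link: real host, bare-IP host, non-standard port, and a brand
    name that sits in the path or a subdomain instead of the registered domain."""
    decoded = unquote(url)
    parts = urlsplit(decoded)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    # Registered-domain approximation: last two labels (fine for .com/.info/.hr/.org).
    labels = host.split(".")
    registered = ".".join(labels[-2:]) if len(labels) >= 2 else host
    brand_hits = [b for b in BRANDS if b in decoded.lower() and b not in registered]
    findings = []
    if decoded != url:
        findings.append("percent-encoded host/path")
    if is_ip:
        findings.append("bare IP address as host")
    if parts.port not in (None, 80, 443):
        findings.append(f"non-standard port {parts.port}")
    if brand_hits:
        findings.append("brand name outside registered domain: " + ", ".join(brand_hits))
    return {"decoded": decoded, "host": host, "registered_domain": registered,
            "port": parts.port, "findings": findings}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze_url(u)
        print(r["decoded"], "->", r["registered_domain"], r["findings"] or ["nothing suspicious in the URL itself"])
```

The pll8782.info link produces no findings: as the US Bank section shows, that page relied on an on-screen overlay rather than the URL, so looking at the link alone is not enough.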

Tulsa Computer Society 7/01/2004
Don Singleton, President