Gone Phishing

I receive a number of spam emails per day (around 7 – 10), thankfully SpamAssasin flags nearly all (96%) of these messages, so I rarely have to see them. As I was expecting an email this morning I took a quick look at my Junk folder in Thunderbird, just to ensure that the email hadn't been marked as spam. There was no sign of it.

I quickly scanned the messages sitting in that isolated folder to see what type of crap was being filtered on a daily basis. Any Phishing attempts that I receive, I tend to attach to an email to the Anti-Phishing working group. But today I'm honoured I find the worst crafted Phishing email that I have seen in a long time.
It read as follows:

[blockquote]Subject: HSBC – WARNING
Date: Fri, 2 Nov 2007 13:20:35 -0400
From: HSBC

Dear valued Halifax® member: Due to concerns, for the safety and integrity of the Halifax
account we have issued this warning message.

It has come to our attention that your Halifax® account information needs to be
updated as part of our continuing commitment to protect your account and to
reduce the instance of fraud on our website.

If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.

However, failure to update your records will result in account suspension.
Please update your records on or before janvier 16, 2007.

Once you have updated your account records your Halifax account service will not be interrupted and will continue as normal.
To update your Halifax® records click on the following link:
Thank You. Halifax® UPDATE TEAM[/blockquote]

First point, as any person of moderate intelligence can see, is the use of 1 company in the title and a different company in body of the message.

Secondly is the 'Dear valued Halifax member', firstly it would be customer and secondly since I'm a great 'member' how have they managed to forget my name? No attempt to butcher my email address for a name to use, very poor.

The hyperlink to update you records wasn't hidden or manipulated to appear like a correct address, nope, it just pointed at some page over at www.swindon-speedway.co.uk.

And in last place is the French word for January that's been so wonderfully added into the template.

3 thoughts on “Gone Phishing”

  1. Before emails hit Spamassassin our servers check them against a few RBLs as well, actually it seems about 9/10 of the emails that hit our servers are already blocked as they're on RBLs – the server this site is on blocks approximately 30,000 emails per hour and eventually IP bans the computer sending.

    After that, the emails are put through SpamAssassin which picks up yet more emails and bins them for you.

  2. Hi WT,

    I get these too, they are funny. They are getting better though, I got one a few months back from "Barclays" that was very good. Of course it has the tell tail signs to anyone who cares to look.

  3. Cheers for the comments both, it appears I had my alerting for comments turned off so I missed these when you posted.

    That good to know Tim, nice to see that there is more going on than I Could know about 🙂

    I think that people need to be shown the tell tail signs. As i posted over on Zdnet, there needs to be a multi-pronged approach:
    Serverside software (ie spamassasin)
    Client side (outlook, thunderbird) increased phishing notifications
    and increasing user knowledge

Comments are closed.