|
|
|
|
03-16-2007, 12:43 AM
|
#1 |
How to interpret this?!
Lately I received a number (phishing) mails from a bank asking for
confirmation. In the message, there was a URL: https://www1.royalbank.com/cgi-bin/r...ntSign&LANG=EN However, when I moved my mouse pointer to the beginning on the URL, at the bottom of the screen, it showed the following instead. http://163.23.70.201/http/www1.royal...tSign&LANG=EN/ First of all, the link seems not using SSL (http instead of https). Secondly, when I pinged 163.23.70.201, there was no response. I hesitate to click on the https:// link. Could someone help me understand what is it all about? Any info is much appreciated. A Monk a_monk |
|
|
|
03-16-2007, 01:21 AM
|
#2 |
|
Posts: n/a
|
Re: How to interpret this?!
a_monk wrote:
> Lately I received a number (phishing) mails from a bank asking for > confirmation. In the message, there was a URL: > > https://www1.royalbank.com/cgi-bin/r...ntSign&LANG=EN > > However, when I moved my mouse pointer to the beginning on the URL, at > the bottom of the screen, it showed the following instead. > > http://163.23.70.201/http/www1.royal...tSign&LANG=EN/ > > First of all, the link seems not using SSL (http instead of https). > Secondly, when I pinged 163.23.70.201, there was no response. > > I hesitate to click on the https:// link. > > Could someone help me understand what is it all about? Any info is > much appreciated. <a href="http://this.is/the/real/destination.php">http://can.claim/anything/about/the/link.html</a> Your problem obviously is that you messed up your mail client to render HTML content. Very very bad idea. And since you're abusing MSIE as a webbrowser, I presume your mail client in Outlook Express or Outlook. That means you'd be even worse off, since there a various features^W unpatched vulnerabilities which allow the attacker to fake the displayed URL. You're lucky that this attacker didn't try. Sebastian Gottschalk |
|
|
|
03-16-2007, 01:34 AM
|
#3 |
|
Posts: n/a
|
Re: How to interpret this?!
From: "a_monk" <>
| Lately I received a number (phishing) mails from a bank asking for | confirmation. In the message, there was a URL: | | https://www1.royalbank.com/cgi-bin/r...ntSign&LANG=EN | | However, when I moved my mouse pointer to the beginning on the URL, at | the bottom of the screen, it showed the following instead. | | http://163.23.70.201/http/www1.royal...tSign&LANG=EN/ | | First of all, the link seems not using SSL (http instead of https). | Secondly, when I pinged 163.23.70.201, there was no response. | | I hesitate to click on the https:// link. | | Could someone help me understand what is it all about? Any info is | much appreciated. | | A Monk What part of Phishing don't you understand ? The screen shows; https://www1.royalbank.com but the HTML really points to; http://163.23.70.201 http://www.dnsstuff.com/tools/whois....0.201&email=on -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm David H. Lipman |
|
|
|
03-16-2007, 01:39 AM
|
#4 |
|
Posts: n/a
|
Re: How to interpret this?!
On Mar 15, 9:34 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote: > From: "a_monk" <dfox...@hotmail.com> > > | Lately I received a number (phishing) mails from a bank asking for > | confirmation. In the message, there was a URL: > | > |https://www1.royalbank.com/cgi-bin/r...=1&F21=IB&F22=... > | > | However, when I moved my mouse pointer to the beginning on the URL, at > | the bottom of the screen, it showed the following instead. > | > |http://163.23.70.201/http/www1.royal...access/F21=IB&... > | > | First of all, the link seems not using SSL (http instead of https). > | Secondly, when I pinged 163.23.70.201, there was no response. > | > | I hesitate to click on the https:// link. > | > | Could someone help me understand what is it all about? Any info is > | much appreciated. > | > | A Monk > > What part of Phishing don't you understand ? > > The screen shows; https://www1.royalbank.com but the HTML really points to;http://163.23.70.201 > > http://www.dnsstuff.com/tools/whois....0.201&email=on > > -- > Davehttp://www.claymania.com/removal-trojan-adware.htmlhttp://www.ik-cs.com/got-a-virus.htm What would happen if I clicked on the link? a_monk |
|
|
|
03-16-2007, 01:44 AM
|
#5 |
|
Posts: n/a
|
Re: How to interpret this?!
On Mar 15, 9:39 pm, "a_monk" <dfox...@hotmail.com> wrote:
> On Mar 15, 9:34 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net> > wrote: > > > > > > > From: "a_monk" <dfox...@hotmail.com> > > > | Lately I received a number (phishing) mails from a bank asking for > > | confirmation. In the message, there was a URL: > > | > > |https://www1.royalbank.com/cgi-bin/r...=1&F21=IB&F22=... > > | > > | However, when I moved my mouse pointer to the beginning on the URL, at > > | the bottom of the screen, it showed the following instead. > > | > > |http://163.23.70.201/http/www1.royal...access/F21=IB&... > > | > > | First of all, the link seems not using SSL (http instead of https). > > | Secondly, when I pinged 163.23.70.201, there was no response. > > | > > | I hesitate to click on the https:// link. > > | > > | Could someone help me understand what is it all about? Any info is > > | much appreciated. > > | > > | A Monk > > > What part of Phishing don't you understand ? > > > The screen shows; https://www1.royalbank.combut the HTML really points to;http://163.23.70.201 > > >http://www.dnsstuff.com/tools/whois....0.201&email=on > > > -- > > Davehttp://www.claymania.com/removal-trojan-adware.htmlhttp://www.ik-cs.c... > > What would happen if I clicked on the link?- Hide quoted text - > > - Show quoted text - Where could one report this crime? a_monk |
|
|
|
03-16-2007, 02:07 AM
|
#6 |
|
Posts: n/a
|
Re: How to interpret this?!
From: "a_monk" <>
| | Where could one report this crime? http://www.antiphishing.org/report_phishing.html -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm David H. Lipman |
|
|
|
03-16-2007, 03:03 AM
|
#7 |
|
Posts: n/a
|
Re: How to interpret this?!
In
Message-ID:< ups.com>, "a_monk" <> wrote: >Lately I received a number (phishing) mails from a bank asking for >confirmation. In the message, there was a URL: <snip> >However, when I moved my mouse pointer to the beginning on the URL, at >the bottom of the screen, it showed the following instead. <snip> >Could someone help me understand what is it all about? Any info is >much appreciated. This is standard HTML used for nefarious purposes. I'll show an example, using parens instead of angle brackets (in case you have a newsreader that renders HTML). (a href="http://ACTUAL.URL")WHAT TO DISPLAY(/a) In the above, an HTML-knowledgeable reader will show "WHAT TO DISPLAY", but if you click on it, it'll take you to "http://ACTUAL.URL". If "WHAT TO DISPLAY" *looks* like a URL, it'll cause the confusion you experienced. -- Arthur T. - ar23hur "at" intergate "dot" com Looking for a z/OS (IBM mainframe) systems programmer position Arthur T. |
|
|
|
03-16-2007, 08:40 AM
|
#8 |
|
Posts: n/a
|
Re: How to interpret this?!
On 15 Mar 2007 17:43:50 -0700, "a_monk" <> wrote:
>Lately I received a number (phishing) mails from a bank Then either delete them and move on or report them to the bank. -- Jim Watt http://www.gibnet.com Jim Watt |
|
|
