«

Lately I received a number (phishing) mails from a bank asking for
confirmation. In the message, there was a URL:

https://www1.royalbank.com/cgi-bin/r...ntSign&LANG=EN

However, when I moved my mouse pointer to the beginning on the URL, at
the bottom of the screen, it showed the following instead.

http://163.23.70.201/http/www1.royal...tSign&LANG=EN/

First of all, the link seems not using SSL (http instead of https).
Secondly, when I pinged 163.23.70.201, there was no response.

I hesitate to click on the https:// link.

Could someone help me understand what is it all about? Any info is
much appreciated.

A Monk

a_monk wrote:

> Lately I received a number (phishing) mails from a bank asking for
> confirmation. In the message, there was a URL:
>
> https://www1.royalbank.com/cgi-bin/r...ntSign&LANG=EN
>
> However, when I moved my mouse pointer to the beginning on the URL, at
> the bottom of the screen, it showed the following instead.
>
> http://163.23.70.201/http/www1.royal...tSign&LANG=EN/
>
> First of all, the link seems not using SSL (http instead of https).
> Secondly, when I pinged 163.23.70.201, there was no response.
>
> I hesitate to click on the https:// link.
>
> Could someone help me understand what is it all about? Any info is
> much appreciated.

<a
href="http://this.is/the/real/destination.php">http://can.claim/anything/about/the/link.html</a>

Your problem obviously is that you messed up your mail client to render
HTML content. Very very bad idea.

And since you're abusing MSIE as a webbrowser, I presume your mail client
in Outlook Express or Outlook. That means you'd be even worse off, since
there a various features^W unpatched vulnerabilities which allow the
attacker to fake the displayed URL. You're lucky that this attacker didn't
try.

From: "a_monk" <>

| Lately I received a number (phishing) mails from a bank asking for
| confirmation. In the message, there was a URL:
|
| https://www1.royalbank.com/cgi-bin/r...ntSign&LANG=EN
|
| However, when I moved my mouse pointer to the beginning on the URL, at
| the bottom of the screen, it showed the following instead.
|
| http://163.23.70.201/http/www1.royal...tSign&LANG=EN/
|
| First of all, the link seems not using SSL (http instead of https).
| Secondly, when I pinged 163.23.70.201, there was no response.
|
| I hesitate to click on the https:// link.
|
| Could someone help me understand what is it all about? Any info is
| much appreciated.
|
| A Monk

What part of Phishing don't you understand ?

The screen shows; https://www1.royalbank.com but the HTML really points to;
http://163.23.70.201

http://www.dnsstuff.com/tools/whois....0.201&email=on

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

On Mar 15, 9:34 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "a_monk" <dfox...@hotmail.com>
>
> | Lately I received a number (phishing) mails from a bank asking for
> | confirmation. In the message, there was a URL:
> |
> |https://www1.royalbank.com/cgi-bin/r...=1&F21=IB&F22=...
> |
> | However, when I moved my mouse pointer to the beginning on the URL, at
> | the bottom of the screen, it showed the following instead.
> |
> |http://163.23.70.201/http/www1.royal...access/F21=IB&...
> |
> | First of all, the link seems not using SSL (http instead of https).
> | Secondly, when I pinged 163.23.70.201, there was no response.
> |
> | I hesitate to click on the https:// link.
> |
> | Could someone help me understand what is it all about? Any info is
> | much appreciated.
> |
> | A Monk
>
> What part of Phishing don't you understand ?
>
> The screen shows; https://www1.royalbank.com but the HTML really points to;http://163.23.70.201
>
> http://www.dnsstuff.com/tools/whois....0.201&email=on
>
> --
> Davehttp://www.claymania.com/removal-trojan-adware.htmlhttp://www.ik-cs.com/got-a-virus.htm

What would happen if I clicked on the link?

On Mar 15, 9:39 pm, "a_monk" <dfox...@hotmail.com> wrote:
> On Mar 15, 9:34 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
> wrote:
>
>
>
>
>
> > From: "a_monk" <dfox...@hotmail.com>
>
> > | Lately I received a number (phishing) mails from a bank asking for
> > | confirmation. In the message, there was a URL:
> > |
> > |https://www1.royalbank.com/cgi-bin/r...=1&F21=IB&F22=...
> > |
> > | However, when I moved my mouse pointer to the beginning on the URL, at
> > | the bottom of the screen, it showed the following instead.
> > |
> > |http://163.23.70.201/http/www1.royal...access/F21=IB&...
> > |
> > | First of all, the link seems not using SSL (http instead of https).
> > | Secondly, when I pinged 163.23.70.201, there was no response.
> > |
> > | I hesitate to click on the https:// link.
> > |
> > | Could someone help me understand what is it all about? Any info is
> > | much appreciated.
> > |
> > | A Monk
>
> > What part of Phishing don't you understand ?
>
> > The screen shows; https://www1.royalbank.combut the HTML really points to;http://163.23.70.201
>
> >http://www.dnsstuff.com/tools/whois....0.201&email=on
>
> > --
> > Davehttp://www.claymania.com/removal-trojan-adware.htmlhttp://www.ik-cs.c...
>
> What would happen if I clicked on the link?- Hide quoted text -
>
> - Show quoted text -

Where could one report this crime?

From: "a_monk" <>


|
| Where could one report this crime?

http://www.antiphishing.org/report_phishing.html

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

In
Message-ID:< ups.com>,
"a_monk" <> wrote:

>Lately I received a number (phishing) mails from a bank asking for
>confirmation. In the message, there was a URL:
<snip>
>However, when I moved my mouse pointer to the beginning on the URL, at
>the bottom of the screen, it showed the following instead.
<snip>
>Could someone help me understand what is it all about? Any info is
>much appreciated.

This is standard HTML used for nefarious purposes.

I'll show an example, using parens instead of angle brackets
(in case you have a newsreader that renders HTML).

(a href="http://ACTUAL.URL")WHAT TO DISPLAY(/a)

In the above, an HTML-knowledgeable reader will show "WHAT TO
DISPLAY", but if you click on it, it'll take you to
"http://ACTUAL.URL". If "WHAT TO DISPLAY" *looks* like a URL,
it'll cause the confusion you experienced.

--
Arthur T. - ar23hur "at" intergate "dot" com
Looking for a z/OS (IBM mainframe) systems programmer position

On 15 Mar 2007 17:43:50 -0700, "a_monk" <> wrote:

>Lately I received a number (phishing) mails from a bank

Then either delete them and move on or report them to
the bank.
--
Jim Watt
http://www.gibnet.com