Am I infected (Wachovia Alerts)?

Discussion in 'Computer Support' started by Flycaster, Aug 27, 2006.

  1. Flycaster

    Flycaster Guest

    I use Wachovia banking services. I received this apparent phishing
    email. Inadvertently, I clicked on the "Learn and Activate Layerkey
    Security" link. When the link opened in my browser (Maxthon), I didn't
    not activate Active-X, nor did I make any entries on the website. My
    question is: Has a keylogger spy been dropped into my computer (XP with
    all security updates, ZoneAlarm Free, AVG Free, Spywareblaster, Windows
    Defender, Windows Malicious Software Remover, Adaware SE, Spybot)? All
    security programs are updated daily. I ran all of them after I realized
    my mistake and none have detected anything suspicious. Furthermore, I
    ran Panda and Trend anti-virus free internet scans with nothing showing
    up. If there is a keylogger still present on my computer, I'd like to
    know its name and how to find it to get rid of it.

    The copy of the email below doesn't show it, but the logo looks real and
    from "Contact us" to "ONLINE SECURITY NOTIFICATION" are all links.


    -------- Original Message --------
    Subject: Activate Security Alert for Account Protection
    Date: Sun, 20 Aug 2006 10:13:20 +0200
    From: Wachovia Alerts <>
    To:



    Home
    Wachovia logo



    Contact Us
    24 hours a day
    seven days a week
    Wachovia Help Center

    Related Links
    Online Services Center
    ONLINE SECURITY NOTIFICATION

    Thank you for banking online at wachovia.com. We are constantly working
    to increase security for our customers. Now we upgrade our security to
    protect and identify in accessing online banking. The LayerKey is New
    Wachovia Online Banking Security and free. It is important to recognize
    your access and transaction through Wachovia Online Banking. You are
    recommended to set up the upgrade security into your online banking.
    Please follow the link below to introduce you how the security is working.
    Learn and Activate LayerKey Security

    We hope you continue to enjoy the convenience and ease of using Wachovia
    Online Banking. To respond to this Alert, send a Secure Message by
    logging in at wachovia.com and selecting "Send Message". Please do not
    "Reply" to this message.

    To change or cancel this service, log in to wachovia.com and select
    "Alert Summary" in in the Alerts section.

    Thank you for subscribing to Wachovia Alerts.


    © 2006 Wachovia Corporation, 301 South College Street, Suite 4000, One
    Wachovia Center, Charlotte, NC 28288-0013. All Rights Reserved.

    Wachovia Bank, N.A. Member FDIC


    Inside Wachovia | Privacy | Security | Legal | Merger
    --
    To email, erase "forgetit"
     
    Flycaster, Aug 27, 2006
    #1

  2. Flycaster

    Flycaster Guest

    A similar email

    This site comments and shows a similar email:

    http://www.millersmiles.co.uk/report/3241


    Flycaster wrote:
    > I use Wachovia banking services. I received this apparent phishing
    > email. Inadvertently, I clicked on the "Learn and Activate Layerkey
    > Security" link. When the link opened in my browser (Maxthon), I didn't
    > not activate Active-X, nor did I make any entries on the website. My
    > question is: Has a keylogger spy been dropped into my computer (XP with
    > all security updates, ZoneAlarm Free, AVG Free, Spywareblaster, Windows
    > Defender, Windows Malicious Software Remover, Adaware SE, Spybot)? All
    > security programs are updated daily. I ran all of them after I realized
    > my mistake and none have detected anything suspicious. Furthermore, I
    > ran Panda and Trend anti-virus free internet scans with nothing showing
    > up. If there is a keylogger still present on my computer, I'd like to
    > know its name and how to find it to get rid of it.
    >
    > The copy of the email below doesn't show it, but the logo looks real and
    > from "Contact us" to "ONLINE SECURITY NOTIFICATION" are all links.
    >
    >
    > -------- Original Message --------
    > Subject: Activate Security Alert for Account Protection
    > Date: Sun, 20 Aug 2006 10:13:20 +0200
    > From: Wachovia Alerts <>
    > To:
    >
    >
    >
    > Home
    > Wachovia logo
    >
    >
    >
    > Contact Us
    > 24 hours a day
    > seven days a week
    > Wachovia Help Center
    >
    > Related Links
    > Online Services Center
    > ONLINE SECURITY NOTIFICATION
    >
    > Thank you for banking online at wachovia.com. We are constantly working
    > to increase security for our customers. Now we upgrade our security to
    > protect and identify in accessing online banking. The LayerKey is New
    > Wachovia Online Banking Security and free. It is important to recognize
    > your access and transaction through Wachovia Online Banking. You are
    > recommended to set up the upgrade security into your online banking.
    > Please follow the link below to introduce you how the security is working.
    > Learn and Activate LayerKey Security
    >
    > We hope you continue to enjoy the convenience and ease of using Wachovia
    > Online Banking. To respond to this Alert, send a Secure Message by
    > logging in at wachovia.com and selecting "Send Message". Please do not
    > "Reply" to this message.
    >
    > To change or cancel this service, log in to wachovia.com and select
    > "Alert Summary" in in the Alerts section.
    >
    > Thank you for subscribing to Wachovia Alerts.
    >
    >
    > © 2006 Wachovia Corporation, 301 South College Street, Suite 4000, One
    > Wachovia Center, Charlotte, NC 28288-0013. All Rights Reserved.
    >
    > Wachovia Bank, N.A. Member FDIC
    >
    >
    > Inside Wachovia | Privacy | Security | Legal | Merger



    --
    To email, erase "forgetit"
     
    Flycaster, Aug 27, 2006
    #2

  3. Flycaster wrote:

    > I use Wachovia banking services. I received this apparent phishing
    > email. Inadvertently, I clicked on the "Learn and Activate Layerkey
    > Security" link.


    ...which you did not include (the actual URL). Seeing it would be a great
    help in answering your question.

    <snip>
    > The copy of the email below doesn't show it, but the logo looks real and
    > from "Contact us" to "ONLINE SECURITY NOTIFICATION" are all links.
    >
    > -------- Original Message --------
    > Subject: Activate Security Alert for Account Protection
    > Date: Sun, 20 Aug 2006 10:13:20 +0200
    > From: Wachovia Alerts <>
    > To:


    The full headers would also probably help.

    > Home
    > Wachovia logo <--- easily spoofed
    >
    >
    >
    > Contact Us
    > 24 hours a day
    > seven days a week
    > Wachovia Help Center
    >
    > Related Links
    > Online Services Center
    > ONLINE SECURITY NOTIFICATION
    >
    > Thank you for banking online at wachovia.com. We are constantly working
    > to increase security for our customers. Now we upgrade our security to
    > protect and identify in accessing online banking. The LayerKey is New
    > Wachovia Online Banking Security and free. It is important to recognize
    > your access and transaction through Wachovia Online Banking. You are
    > recommended to set up the upgrade security into your online banking.
    > Please follow the link below to introduce you how the security is working.
    > Learn and Activate LayerKey Security


    Apparently this is the text version of the email. Look in the HTML
    version (by viewing source) to see what the link *really* is.

    > We hope you continue to enjoy the convenience and ease of using Wachovia
    > Online Banking. To respond to this Alert, send a Secure Message by
    > logging in at wachovia.com and selecting "Send Message". Please do not
    > "Reply" to this message.


    While this requests you log in to their site to respond, we still can't
    tell without seeing the actual source of the email.

    <snip rest>

    --
    -bts
    -Motorcycles defy gravity; cars just suck.
     
    Beauregard T. Shagnasty, Aug 27, 2006
    #3
  4. Flycaster

    Flycaster Guest

    Here's the actual link to "Learn and Activate LayerKey Security." This
    is the link that I opened in Maxthon, but didn't activate Active-X, nor
    did I make any entries. Can you tell if this was enough to place a
    keylogger onto my computer? Wachovia said that it was, but I'm not so
    sure. I'll be talking to their IT people on Monday (I hope), but would
    like to clear this up asap.

    http://wachoviaonline.notlong.com/a....com/NASApp/NavApp/Titanium?action=returnHome


    Beauregard T. Shagnasty wrote:
    > Flycaster wrote:
    >
    >> I use Wachovia banking services. I received this apparent phishing
    >> email. Inadvertently, I clicked on the "Learn and Activate Layerkey
    >> Security" link.

    >
    > ..which you did not include (the actual URL). Seeing it would be a great
    > help in answering your question.
    >
    > <snip>
    >> The copy of the email below doesn't show it, but the logo looks real and
    >> from "Contact us" to "ONLINE SECURITY NOTIFICATION" are all links.
    >>
    >> -------- Original Message --------
    >> Subject: Activate Security Alert for Account Protection
    >> Date: Sun, 20 Aug 2006 10:13:20 +0200
    >> From: Wachovia Alerts <>
    >> To:

    >
    > The full headers would also probably help.
    >
    >> Home
    >> Wachovia logo <--- easily spoofed
    >>
    >>
    >>
    >> Contact Us
    >> 24 hours a day
    >> seven days a week
    >> Wachovia Help Center
    >>
    >> Related Links
    >> Online Services Center
    >> ONLINE SECURITY NOTIFICATION
    >>
    >> Thank you for banking online at wachovia.com. We are constantly working
    >> to increase security for our customers. Now we upgrade our security to
    >> protect and identify in accessing online banking. The LayerKey is New
    >> Wachovia Online Banking Security and free. It is important to recognize
    >> your access and transaction through Wachovia Online Banking. You are
    >> recommended to set up the upgrade security into your online banking.
    >> Please follow the link below to introduce you how the security is working.
    >> Learn and Activate LayerKey Security

    >
    > Apparently this is the text version of the email. Look in the HTML
    > version (by viewing source) to see what the link *really* is.
    >
    >> We hope you continue to enjoy the convenience and ease of using Wachovia
    >> Online Banking. To respond to this Alert, send a Secure Message by
    >> logging in at wachovia.com and selecting "Send Message". Please do not
    >> "Reply" to this message.

    >
    > While this requests you log in to their site to respond, we still can't
    > tell without seeing the actual source of the email.
    >
    > <snip rest>
    >



    --
    To email, erase "forgetit"
     
    Flycaster, Aug 27, 2006
    #4
  5. Mike Easter

    Mike Easter Guest

    Flycaster wrote:
    User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)

    Your newsagent is Tbird, presumably your mailuseragent mua is too.

    > I received this apparent phishing
    > email.


    But you are showing us the rendered html. That isn't useful for
    accessing the page which is in the link which renders as 'Learn and
    Activate LayerKey Security'. Whenever we are discussing spam/phish the
    important elements are generally the complete headers and the unrendered
    or raw spambody, which actually shouldn't be displayed in a newsgroup
    like this.

    For discussing spam/phish it is better to display the raw spam elsewhere
    and make a link to it and discuss it in a discussion group like this or
    some other. Raw spam can be displayed in the newsgroup
    news.admin.net-abuse.sightings, the guidelines for posting are here
    http://www.killfile.org/~tskirvin/faqs/nanas.html NANAS FAQ

    There are other methods, posting it on a website in raw form,
    registering to be a spamcop reporter and feeding it to the parser and
    copying the parser's tracking url.

    What you would post in one of those places is accessed in Tbird by using
    its ctrl-U function which is View menu/ Message source item.

    > Inadvertently, I clicked on the "Learn and Activate Layerkey
    > Security" link.


    You shouldn't be getting spam/phish in your Inbox with goodmail in the
    first place. You shouldn't be opening spam/phish in the 2nd place. You
    shouldn't be clicking on spamphish links in the 3rd place. If your mail
    management were being handled correctly, this would never have happened
    'inadvertently' or otherwise.

    > When the link opened in my browser (Maxthon), I
    > didn't not activate Active-X, nor did I make any entries on the
    > website.


    Depending upon your insecurities, there are sometimes problems which
    begin when you open the mail before you start clicking on bad things.

    > My question is: Has a keylogger spy been dropped into my
    > computer


    Probably not, but that is impossible to tell from here.

    > scans with nothing showing up. If there is a keylogger
    > still present on my computer, I'd like to know its name and how to
    > find it to get rid of it.


    Of course you would.

    > The copy of the email below doesn't show it,


    The rendered html is useless for this discussion except to show what was
    seen when rendered, which is just the phishing words.


    --
    Mike Easter
     
    Mike Easter, Aug 27, 2006
    #5
  6. Flycaster wrote:

    > Here's the actual link to "Learn and Activate LayerKey Security." ..
    >
    > hxxp://wachoviaonline.notlong.com/


    See? There is your answer. notlong.com ? <har!>

    Oh, I just saw your other post. Don't change the subject line; it makes
    it appear as a new thread, unrelated to this one.

    --
    -bts
    -Motorcycles defy gravity; cars just suck.
     
    Beauregard T. Shagnasty, Aug 27, 2006
    #6
  7. Mike Easter

    Mike Easter Guest

    Flycaster wrote:
    > Here's the actual link to "Learn and Activate LayerKey Security."
    > This is the link that I opened in Maxthon, but didn't activate
    > Active-X, nor did I make any entries. Can you tell if this was
    > enough to place a keylogger onto my computer? Wachovia said that it
    > was, but I'm not so sure. I'll be talking to their IT people on
    > Monday (I hope), but would like to clear this up asap.
    >
    >

    http://wachoviaonline.notlong.com/a....com/NASApp/NavApp/Titanium?action=returnHome

    That link is now redirecting to
    http://www.r2convergence.com/websit....com/NASApp/NavApp/Titanium?action=returnHome
    ....

    wachoviaonline.notlong.com is 206.111.205.169 and getting its
    nameservice from
    ns.level22.com A (Address) 206.111.205.169

    The webserver at that IP is handling 28 other domainnames [more or
    less], one of which is level22.com

    and the domain registration for both at dotster is concealed by the same
    privacy service information.

    I can't see what was going on at the webpage that you accessed with your
    browser then now


    --
    Mike Easter
     
    Mike Easter, Aug 27, 2006
    #7
  8. Flycaster

    Flycaster Guest

    I do appreciate your efforts in trying to help me, but you are obviously
    much more advanced than I can quite comprehend. Do you think that you
    could dummy things down a bit and guide me as to what I should do in a
    more simplified manner?

    Mike Easter wrote:
    > Flycaster wrote:
    > User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
    >
    > Your newsagent is Tbird, presumably your mailuseragent mua is too.
    >
    >> I received this apparent phishing
    >> email.

    >
    > But you are showing us the rendered html. That isn't useful for
    > accessing the page which is in the link which renders as 'Learn and
    > Activate LayerKey Security'. Whenever we are discussing spam/phish the
    > important elements are generally the complete headers and the unrendered
    > or raw spambody, which actually shouldn't be displayed in a newsgroup
    > like this.
    >
    > For discussing spam/phish it is better to display the raw spam elsewhere
    > and make a link to it and discuss it in a discussion group like this or
    > some other. Raw spam can be displayed in the newsgroup
    > news.admin.net-abuse.sightings, the guidelines for posting are here
    > http://www.killfile.org/~tskirvin/faqs/nanas.html NANAS FAQ
    >
    > There are other methods, posting it on a website in raw form,
    > registering to be a spamcop reporter and feeding it to the parser and
    > copying the parser's tracking url.
    >
    > What you would post in one of those places is accessed in Tbird by using
    > its ctrl-U function which is View menu/ Message source item.
    >
    >> Inadvertently, I clicked on the "Learn and Activate Layerkey
    >> Security" link.

    >
    > You shouldn't be getting spam/phish in your Inbox with goodmail in the
    > first place. You shouldn't be opening spam/phish in the 2nd place. You
    > shouldn't be clicking on spamphish links in the 3rd place. If your mail
    > management were being handled correctly, this would never have happened
    > 'inadvertently' or otherwise.
    >
    >> When the link opened in my browser (Maxthon), I
    >> didn't not activate Active-X, nor did I make any entries on the
    >> website.

    >
    > Depending upon your insecurities, there are sometimes problems which
    > begin when you open the mail before you start clicking on bad things.
    >
    >> My question is: Has a keylogger spy been dropped into my
    >> computer

    >
    > Probably not, but that is impossible to tell from here.
    >
    >> scans with nothing showing up. If there is a keylogger
    >> still present on my computer, I'd like to know its name and how to
    >> find it to get rid of it.

    >
    > Of course you would.
    >
    >> The copy of the email below doesn't show it,

    >
    > The rendered html is useless for this discussion except to show what was
    > seen when rendered, which is just the phishing words.
    >
    >



    --
    To email, erase "forgetit"
     
    Flycaster, Aug 27, 2006
    #8
  9. Mike Easter

    Mike Easter Guest

    Flycaster wrote:
    > I do appreciate your efforts in trying to help me, but you are
    > obviously much more advanced than I can quite comprehend. Do you
    > think that you could dummy things down a bit and guide me as to what
    > I should do in a more simplified manner?


    To show/see a spam source use ctrl-U in Tbird - that gives complete
    headers and unrendered html.

    Don't post complete raw html spam in this ng, post it in sightings
    according to this faq http://www.killfile.org/~tskirvin/faqs/nanas.html
    and then we can see the whole thing if you give an access like a message
    id. In this case you have already posted the important info for your
    question, namely the link in its unrendered condition.

    Configure your system so that such spam/phish doesn't get into your
    Inbox in the first place so that you won't see it or handle it without
    already knowing that it is spam. A good spamfilter tagger is SpamPal at
    http://spampal.org SpamPal is a mail classification program that can
    help separate your spam from the mail you really want to read.

    Another issue is how to carry on a conversation in a ng by attributing,
    citing, trimming, and contextualizing
    http://members.fortunecity.com/nnqweb/nquote.html Quoting Style in
    Newsgroup Postings

    And, if you read the links I post, they will explain things in more
    detail. You need more detail not less. That way you can smart up
    instead of dumbing something down.


    --
    Mike Easter
     
    Mike Easter, Aug 27, 2006
    #9
  10. Meat Plow

    Meat Plow Guest

    On Sun, 27 Aug 2006 10:59:28 -0700, Mike Easter Has Frothed:

    > Flycaster wrote:
    >> I do appreciate your efforts in trying to help me, but you are obviously
    >> much more advanced than I can quite comprehend. Do you think that you
    >> could dummy things down a bit and guide me as to what I should do in a
    >> more simplified manner?

    >
    > To show/see a spam source use ctrl-U in Tbird - that gives complete
    > headers and unrendered html.
    >
    > Don't post complete raw html spam in this ng, post it in sightings
    > according to this faq http://www.killfile.org/~tskirvin/faqs/nanas.html
    > and then we can see the whole thing if you give an access like a message
    > id. In this case you have already posted the important info for your
    > question, namely the link in its unrendered condition.
    >
    > Configure your system so that such spam/phish doesn't get into your Inbox
    > in the first place so that you won't see it or handle it without already
    > knowing that it is spam. A good spamfilter tagger is SpamPal at
    > http://spampal.org SpamPal is a mail classification program that can help
    > separate your spam from the mail you really want to read.
    >
    > Another issue is how to carry on a conversation in a ng by attributing,
    > citing, trimming, and contextualizing
    > http://members.fortunecity.com/nnqweb/nquote.html Quoting Style in
    > Newsgroup Postings
    >
    > And, if you read the links I post, they will explain things in more
    > detail. You need more detail not less. That way you can smart up instead
    > of dumbing something down.


    You know what, go **** yourself you condescending prick. I thought the OP
    did just fine. It's you who needs to smart up as you put it.

    --

    Pierre Salinger Memorial Hook, Line & Sinker, June 2004
     
    Meat Plow, Aug 28, 2006
    #10
  11. Flycaster

    Flycaster Guest

    Mike Easter wrote:
    > Flycaster wrote:
    >> I do appreciate your efforts in trying to help me, but you are
    >> obviously much more advanced than I can quite comprehend. Do you
    >> think that you could dummy things down a bit and guide me as to what
    >> I should do in a more simplified manner?

    >
    > To show/see a spam source use ctrl-U in Tbird - that gives complete
    > headers and unrendered html.


    OK, here is my Control-U results. Does it help get us to finding out if
    I installed a virus?

    From - Sun Aug 20 07:30:39 2006
    X-Account-Key: account3
    X-UIDL: <4you.de>
    X-Mozilla-Status: 1001
    X-Mozilla-Status2: 00000000
    Return-Path: <4you.de>
    Received: from edge3.adelphia.net ([85.25.9.41]) by mta7.adelphia.net
    (InterMail vM.6.01.05.02 201-2131-123-102-20050715) with ESMTP
    id
    <>
    for <>; Sun, 20 Aug 2006 05:03:15 -0400
    Received: from hotel227.server4you.de ([85.25.9.41]) by edge3.adelphia.net
    (InterMail vG.2.00.00.02 201-2161-108-103-20050713) with ESMTP
    id
    <4you.de>
    for <>; Sun, 20 Aug 2006 03:03:36 -0400
    Received: from hotel227.server4you.de (localhost [127.0.0.1])
    by hotel227.server4you.de (8.13.1/8.13.1/SuSE Linux 0.7) with ESMTP id
    k7K8DKFR005820
    for <>; Sun, 20 Aug 2006 10:13:20 +0200
    Received: (from wwwrun@localhost)
    by hotel227.server4you.de (8.13.1/8.13.1/Submit) id k7K8DKDN005819;
    Sun, 20 Aug 2006 10:13:20 +0200
    Date: Sun, 20 Aug 2006 10:13:20 +0200
    Message-Id: <4you.de>
    To:
    Subject: Activate Security Alert for Account Protection
    From: Wachovia Alerts <>
    Reply-To:
    MIME-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit
    X-Antivirus: AVG for E-mail 7.1.405 [268.11.3/423]




    <div id=yiv1966345888><!doctype html public "-//W3C//DTD HTML 4.0
    Transitional//EN">
    <html>
    <head>
    <title>ONLINE SECURITY UPGRADE NOTIFICATION</title>
    </head>

    <xbodybgcolor="#FFFFFF">
    <table width="627" cellpadding="0" cellspacing="0" border="0">
    <tr>
    <td valign="top" width="264">
    <table cellpadding="0" cellspacing="0" border="0">
    <tr>
    <td></td>
    </tr>
    </table>
    </td>
    <td width="363" valign="bottom" align="RIGHT" colspan="2"><a
    target="_blank" rel="nofollow" _ href="http://www.wachovia.com/home"
    ><font face="arial,helvetica,sans-serif" size="-2"

    color="#000000">Home</font></a> <font face="arial,helvetica,sans-serif"
    size="-2" color="#000000"></td>
    </tr>
    <tr>
    <td valign="top" width="237"><img width="237" height="41"
    src="http://www.wachovia.com/file/logo.gif" alt="Wachovia logo"></td>
    <td valign="bottom" width="176"><img width="176" height="41"
    src="http://www.wachovia.com/file/pulse_middletop.gif" ></td>
    <td valign="bottom" width="214"><img width="214" height="41"
    src="http://www.wachovia.com/file/pulse_rightbar.gif" ></td>
    </tr>
    <tr>
    <td valign="top" width="237"><img width="237" height="36"
    src="http://www.wachovia.com/file/pulse_bottombar.gif" ></td>
    <td valign="top" width="390" colspan="2">
    <img src="http://www.wachovia.com/file/pulse_bottombar2.gif"
    width="106" height="26" ></td>
    </tr>
    <tr>
    <td colspan="3"><br>

    <table width="180" align="right" cellpadding="0" cellspacing="0"
    border="0">
    <tr>
    <td colspan="2" width="180"><img
    src="http://www.wachovia.com/file/right_rail_grid.jpg" width="180"
    height="1"></td>
    </tr>
    <tr>
    <td width="8"><img
    src="http://www.wachovia.com/file/right_rail_grid.jpg" height="100"
    width="1"></td>
    <td valign="top" width="172">
    <table border="0" cellpadding="0" cellspacing="7">
    <tr>
    <td><font style="font-family:Arial, Helvetica,
    sans-serif;font-size:11px;"><b>Contact Us</b></font><br><font
    style="font-family:Arial, Helvetica, sans-serif;font-size:11px;">24
    hours a day<br>seven days a week<br></font>
    <span style="font-family: Arial,
    Helvetica, sans-serif; font-size: 11px">
    <a href="http://wachovia.com/helpcenter/">
    Wachovia Help
    Center</a>&nbsp;&nbsp;&nbsp;&nbsp;
    </span></td>
    </tr>
    </table>
    </td>
    </tr>
    <tr>
    <td colspan="2" width="180"><img
    src="http://www.wachovia.com/file/right_rail_grid.jpg" width="180"
    height="1"></td>
    </tr>
    <tr>
    <td width="8"><img
    src="http://www.wachovia.com/file/right_rail_grid.jpg" height="80"
    width="1"></td>
    <td valign="top" width="172">
    <table border="0" cellpadding="0" cellspacing="7">
    <tr>
    <td valign="top">
    <font style="font-family:Arial, Helvetica,
    sans-serif;font-size:11px;"><b>Related Links</b></font><br>
    <font style="font-family:Arial, Helvetica,
    sans-serif;font-size:11px;"><a target="_blank" rel="nofollow" _
    href="http://www.wachovia.com/onlineservicescenter" >Online Services
    Center</a></font><br>
    </td>
    </tr>
    </table>
    </td>
    </tr>
    </table>


    <table border="0" cellpadding="0" cellspacing="0" width="415">
    <tr>
    <td width="415" valign="baseline"><font face="Times New
    Roman"><font
    style="font-family:New;font-size:23px;font-weight:bolder;letter-spacing:-1px;"><b>
    O</b></font><font
    style="font-family:New;font-size:19px;font-weight:bold;letter-spacing:-1px;">NLINE</font>&nbsp;<b><font
    style="font-family:New;font-size:23px;font-weight:bolder;letter-spacing:-1px;">S</font><font
    style="font-family:New;font-size:19px;font-weight:bolder;letter-spacing:-1px">E</font><font
    style="font-family:New;font-size:19px;letter-spacing:-1px">CURITY
    </font><font
    style="font-family:New;font-size:23px;font-weight:bolder;letter-spacing:-1px;">
    N</font><font
    style="font-family:New;font-size:19px;letter-spacing:-1px">OTIFICATION&nbsp;
    </font></b></td>
    </tr>
    <tr>
    <td valign="top"><img
    src="http://www.wachovia.com/file/header_line.jpg" width="415"
    height="1"></td>
    </tr>

    <tr>
    <td width="415">

    <table border="0" cellspacing="3" width="415">
    <tr>
    <td><font style="font-family:Arial, Helvetica,
    sans-serif;font-size:11px;">
    <p>
    <font style="FONT-SIZE: 11px;
    FONT-FAMILY: Arial">
    Thank you for banking online at
    wachovia.com. We
    are constantly working to increase
    security for
    our customers. Now we upgrade our
    security to
    protect and identify in accessing online
    banking. The LayerKey is New Wachovia
    Online Banking Security and free. It is important to
    recognize your access and transaction
    through
    Wachovia Online Banking. You are
    recommended to
    set up the upgrade security into your
    online
    banking. </font>
    <font style="font-size: 11px;
    font-family: Arial">&nbsp;Please
    follow the link below to introduce you
    how the
    security is working.</font></p>

    <table border="0" cellspacing="3" width="415">
    <tr>
    <td align="CENTER">
    <span style="font-size: 8.5pt">
    <a
    href="http://wachoviaonline.notlong.com/auth/AuthService?action=presentLogin&url=https://onlineservices.wachovia.com/NASApp/NavApp/Titanium?action=returnHome">
    Learn and Activate LayerKey
    Security</a></span>
    <br>
    </td>
    </tr>
    </table>
    <p>
    <font style="font-size: 11px;
    font-family: Arial">
    We hope you continue to enjoy the
    convenience
    and ease of using Wachovia Online Banking.
    </font>To respond to this Alert, send a
    Secure Message by logging in at <b>wachovia.com</b> and selecting
    &quot;Send Message&quot;. Please do not &quot;Reply&quot; to this
    message.</p>
    <p>To change or cancel this service, log in to
    <b>wachovia.com</b> and select &quot;Alert Summary&quot; in in the
    Alerts section.</p>
    <p>Thank you for subscribing to Wachovia Alerts.</p>
    </font>
    <p><font style="font-family:Arial, Helvetica,
    sans-serif;font-size:10px;">
    <br>
    </p>
    <p>&copy; 2006 Wachovia Corporation, 301 South College Street,
    Suite 4000, One Wachovia Center, Charlotte, NC 28288-0013. All Rights
    Reserved.</p>
    <p>Wachovia Bank, N.A. Member FDIC</p>
    </font>

    </td>
    </tr>
    </table>

    </td>
    </tr>
    </table>
    </td>
    </tr>
    <tr>
    <td valign="top" width="237"><table><tr><td>&nbsp;</td></tr></table></td>
    <td valign="bottom" width="176"><img width="176" height="41"
    src="http://www.wachovia.com/file/pulse_middletop.gif" ></td>
    <td valign="bottom" width="214"><img width="214" height="41"
    src="http://www.wachovia.com/file/pulse_rightbar.gif" ></td>
    </tr>
    <tr>
    <td valign="top" width="237"><img width="237" height="36"
    src="http://www.wachovia.com/file/pulse_bottombar.gif" ></td>
    <td valign="top" width="390" colspan="2">
    <img src="http://www.wachovia.com/file/pulse_bottombar2.gif"
    width="106" height="26" >
    <font face="arial,helvetica,sans-serif" size="-2" color="#000000"><a
    target="_blank" rel="nofollow" _ href="http://www.wachovia.com/inside"
    >Inside Wachovia</a></font>

    <font face="arial,helvetica,sans-serif" size="-2"
    color="#000000">|</font>
    <font face="arial,helvetica,sans-serif" size="-2" color="#000000"><a
    target="_blank" rel="nofollow" _
    href="http://www.wachovia.com/inside/legal_footer/0,,2157,00.html"
    >Privacy</a></font>

    <font face="arial,helvetica,sans-serif" size="-2"
    color="#000000">|</font>
    <font face="arial,helvetica,sans-serif" size="-2" color="#000000"><a
    target="_blank" rel="nofollow" _
    href="http://www.wachovia.com/inside/legal_footer/0,,2161,00.html"
    >Security</a></font>

    <font face="arial,helvetica,sans-serif" size="-2"
    color="#000000">|</font>
    <font face="arial,helvetica,sans-serif" size="-2" color="#000000"><a
    target="_blank" rel="nofollow" _
    href="http://www.wachovia.com/inside/legal_footer/0,,2137,00.html"
    >Legal</a></font>

    <font face="arial,helvetica,sans-serif" size="-2"
    color="#000000">|</font>
    <font face="arial,helvetica,sans-serif" size="-2" color="#000000"><a
    target="_blank" rel="nofollow" _
    href="http://www.wachovia.com/inside/page/0,,131,00.html" >Merger</a></font>
    </td>
    </tr>

    </table>
    <xbody>
    </html>
    </font></div>

    >
    > Don't post complete raw html spam in this ng, post it in sightings
    > according to this faq http://www.killfile.org/~tskirvin/faqs/nanas.html
    > and then we can see the whole thing if you give an access like a message
    > id. In this case you have already posted the important info for your
    > question, namely the link in its unrendered condition.
    >
    > Configure your system so that such spam/phish doesn't get into your
    > Inbox in the first place so that you won't see it or handle it without
    > already knowing that it is spam. A good spamfilter tagger is SpamPal at
    > http://spampal.org SpamPal is a mail classification program that can
    > help separate your spam from the mail you really want to read.


    Went to SpamPal. Will it work with Thunderbird? I'm assuming it will
    as you have recommended it, but want to check as SP doesn't mention T-bird.
    >
    > Another issue is how to carry on a conversation in a ng by attributing,
    > citing, trimming, and contextualizing
    > http://members.fortunecity.com/nnqweb/nquote.html Quoting Style in
    > Newsgroup Postings
    >
    > And, if you read the links I post, they will explain things in more
    > detail. You need more detail not less. That way you can smart up
    > instead of dumbing something down.
    >
    >



    --
    To email, erase "forgetit"
     
    Flycaster, Aug 28, 2006
    #11
  12. Flycaster wrote:

    > OK, here is my Control-U results. Does it help get us to finding out if
    > I installed a virus?


    It's a phishing scam. There is no attempt at a virus installation. You
    would only have screwed up if you went to the notlong.com site and
    filled in your account details.

    > Received: from hotel227.server4you.de ([85.25.9.41]) by edge3.adelphia.net
    > (InterMail vG.2.00.00.02 201-2161-108-103-20050713) with ESMTP
    > id
    > <4you.de>
    > for <>; Sun, 20 Aug 2006 03:03:36 -0400



    A compromised server in Germany apparently is being used to relay this.

    ><img width="176" height="41"
    > src="http://www.wachovia.com/file/pulse_middletop.gif" >


    Notice how the scammer is linking to images directly on the Wachovia
    site.

    > <a href="hxxp://wachoviaonline.notlong.com/auth/AuthService?action=presentLogin&url=https://onlineservices.wachovia.com/NASApp/NavApp/Titanium?action=returnHome">


    ...and as I said before, this link goes to the "notlong.com" web site,
    which is apparently *not* Wachovia. In fact, it appears to be a DSL
    machine.

    http://www.dnsstuff.com/tools/ptr.ch?ip=206.111.205.169

    --
    -bts
    -Motorcycles defy gravity; cars just suck.
     
    Beauregard T. Shagnasty, Aug 28, 2006
    #12
  13. Flycaster

    Flycaster Guest

    Thanks, Beau. You say that as long as I didn't go to the "notlong.com"
    site and fill in any info, I can sleep at night. Well, I did go to the
    site, didn't I when I clicked on "Learn and Activate LayerKey Security"
    link which contained "notlong.com" within its url? But, then again, I
    didn't allow active-x to function and never entered anything into any
    fields, so I guess I'm OK. Rehashing this because I just want to make
    it perfectly clear to myself that I really didn't screw up...

    Beauregard T. Shagnasty wrote:
    > Flycaster wrote:
    >
    >> OK, here is my Control-U results. Does it help get us to finding out if
    >> I installed a virus?

    >
    > It's a phishing scam. There is no attempt at a virus installation. You
    > would only have screwed up if you went to the notlong.com site and
    > filled in your account details.





    --
    To email, erase "forgetit"
     
    Flycaster, Aug 28, 2006
    #13
  14. Flycaster wrote:

    > Thanks, Beau. You say that as long as I didn't go to the
    > "notlong.com" site and fill in any info, I can sleep at night. Well,
    > I did go to the site, didn't I when I clicked on "Learn and Activate
    > LayerKey Security" link which contained "notlong.com" within its url?
    > But, then again, I didn't allow active-x to function and never
    > entered anything into any fields, so I guess I'm OK. Rehashing this
    > because I just want to make it perfectly clear to myself that I
    > really didn't screw up...


    I'm assuming the site asked you for some sort of account details... your
    account number and password, for example. This is what the phishing
    scams normally attempt to do - social engineering to get you to divulge
    your details so they can then empty your account.

    As long as you did not do that, you are safe.

    Re ActiveX, this probably is immaterial for a scam site looking for your
    passwords. And, if you use any browser other than IE, you don't have to
    worry about any ActiveX exploits.

    --
    -bts
    -Motorcycles defy gravity; cars just suck.
     
    Beauregard T. Shagnasty, Aug 28, 2006
    #14
  15. Mike Easter

    Mike Easter Guest

    Flycaster wrote:
    > Mike Easter wrote:


    > OK, here is my Control-U results. Does it help get us to finding out
    > if I installed a virus?


    - Some of this below is simple and some of it is technical

    - I said at least twice previously to not post such results as these
    into this ng

    - I said once previously that the link which is obtained in the
    spamphish raw html, which you had posted earlier, no longer led to the
    site which you accessed with your browser, but now the result is
    different

    - These headers do show an 'odd' source, namely an output server of
    server4you.de, which output server has also been seen in previous and
    different spam properly posted to sightings as I described earlier.
    Most likely it is sourced by some insecurity of a website's server. The
    source provider's website is here
    https://www.server4you.de/de/start.php?a which is not the same as the
    output for the spam. It is also possible that the mailserver itself is
    insecure, altho' it is running Sendmail 8.13.1/8.13.1/SuSE Linux 0.7 so
    that server is very secureable.

    - This time when I use the spamphish raw link which is still
    redirected, I /can/ access the payload phish site at
    www.r2convergence.com at 70.87.94.194 which rDNS
    shelby.websitewelcome.com and which webserver hosts over 1400
    domainnames

    - The current information from the redirected site doesn't show any
    capacity to install any virus or trojan

    Important elements in the spamphish
    -----------
    > Received: from hotel227.server4you.de ([85.25.9.41])


    > Message-Id: <4you.de>


    >

    href="http://wachoviaonline.notlong.com/auth/AuthService?action=presentLogin&url=https://onlineservices.wachovia.com/NASApp/NavApp/Titanium?action=returnHome">
    > Learn and Activate LayerKey

    -----------

    >> Don't post complete raw html spam in this ng, post it in sightings


    That's where I was telling you to not post /here/ what you posted here.

    >> Configure your system so that such spam/phish doesn't get into your
    >> Inbox in the first place so that you won't see it or handle it
    >> without already knowing that it is spam. A good spamfilter tagger
    >> is SpamPal at http://spampal.org SpamPal is a mail classification
    >> program that can help separate your spam from the mail you really
    >> want to read.

    >
    > Went to SpamPal. Will it work with Thunderbird? I'm assuming it will
    > as you have recommended it, but want to check as SP doesn't mention
    > T-bird.


    Yes. SpamPal serves as a proxy. Any such normal pop3 or imap4 mail
    account and Win mailuser agent can use it. You configure SP to access
    your provider's server and you reconfigure Tbird to access SP instead of
    the provider server. That way all of the mail you are downloading is
    passing thru' the SP filtertagger and labeling it with a subject tag.
    Tbird can make a very simple rule based on the subject tag and put all
    of the spam tagged mail into its own Junk folder and thus prevent it
    from arriving in your Inbox.

    >> Another issue is how to carry on a conversation in a ng


    Good job. You are contextualizing your remarks and citing and
    attributing properly. Trimming takes a little more work, but you have
    the basics. Thanks for adjusting.



    --
    Mike Easter
     
    Mike Easter, Aug 28, 2006
    #15
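The checks walked through in posts #12 and #15 (relay host in the Received header, images hotlinked from the real bank site, and a link whose host is not the bank's domain) can be automated. The following is an added example, not code from any poster in this thread; the function names and the sample input are assumptions, and the sample is constructed from the fragments quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample built from the fragments quoted in the thread (link kept defanged).
SAMPLE_RECEIVED = ("from hotel227.server4you.de ([85.25.9.41]) by edge3.adelphia.net "
                   "with ESMTP; Sun, 20 Aug 2006 03:03:36 -0400")
SAMPLE_HTML = """
<img width="176" height="41" src="http://www.wachovia.com/file/pulse_middletop.gif" >
<a href="hxxp://wachoviaonline.notlong.com/auth/AuthService?action=presentLogin&url=https://onlineservices.wachovia.com/NASApp/NavApp/Titanium?action=returnHome">Learn and Activate LayerKey Security</a>
<a href="http://www.wachovia.com/inside">Inside Wachovia</a>
"""

def host_in_domain(host, domain):
    """True only for the domain itself or a subdomain, matched on a label boundary."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def url_host(url):
    """Hostname of a URL; accepts the defanged hxxp scheme used in reports."""
    return urlsplit(re.sub(r"^hxxp", "http", url.strip(), flags=re.I)).hostname

class TagCollector(HTMLParser):
    """Collects <a href> and <img src> values from the message body."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

def analyze(html, received, brand_domain):
    """Summarise the three signals the replies point out for one message."""
    tags = TagCollector()
    tags.feed(html)
    relay = re.search(r"from\s+(\S+)\s+\(\[([\d.]+)\]\)", received)
    off_brand = [u for u in tags.links
                 if url_host(u) and not host_in_domain(url_host(u), brand_domain)]
    return {
        "relay_host": relay.group(1) if relay else None,
        "relay_ip": relay.group(2) if relay else None,
        "relay_is_brand": bool(relay) and host_in_domain(relay.group(1), brand_domain),
        "hotlinked_brand_images": sum(host_in_domain(url_host(u), brand_domain) for u in tags.images),
        "off_brand_links": off_brand,
    }
```

Calling `analyze(SAMPLE_HTML, SAMPLE_RECEIVED, "wachovia.com")` reports one hotlinked bank image alongside one link that leaves the bank's domain, which is the combination the replies describe. The label-boundary match in `host_in_domain` is what keeps a host such as `wachoviaonline.notlong.com` from passing as the bank.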
  16. Flycaster

    Flycaster Guest

    OK, here's the bottom line. This WAS a phishing spam that didn't leave
    any keylogger on my computer. You guys were right in that as long as I
    didn't make any entries into the spamming site, I was OK. Wachovia's IT
    told me this. They said that so far all that they have found was that
    the spam was an attempt to secure one's account numbers and log-ons, but
    not an attempt to control one's computer.

    I tried to install SpamPal (beta and the one before it), but I couldn't
    get it to work at all. I went via the transparency route (that being
    the easiest to install) with the addition of a SPAM filter (as suggested
    in the notes on installing SP onto T-Bird). However, I don't think all
    is lost in that I certainly will be more vigilant in detecting
    spam/phishing. This is easy with T-Bird in that I can simply place my
    cursor over the various links/urls to see if they are real.

    Thanks again for your help.


    --
    To email, erase "forgetit"
     
    Flycaster, Aug 29, 2006
    #16