How to interpret this?!

Discussion in 'Computer Security' started by a_monk, Mar 16, 2007.

  1. a_monk

    a_monk Guest

    Lately I received a number of (phishing) mails from a bank asking for
    confirmation. In the message, there was a URL:

    https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1&F21=IB&F22=ClientSign&LANG=EN

    However, when I moved my mouse pointer to the beginning of the URL, at
    the bottom of the screen, it showed the following instead.

    http://163.23.70.201/http/www1.royalbank.com/cgi-bin/rbaccess/F21=IB&F22=ClientSign&LANG=EN/

    First of all, the link seems not to be using SSL (http instead of https).
    Secondly, when I pinged 163.23.70.201, there was no response.

    I hesitate to click on the https:// link.

    Could someone help me understand what it is all about? Any info is
    much appreciated.

    A Monk
     
    a_monk, Mar 16, 2007
    #1

  2. a_monk wrote:

    > Lately I received a number (phishing) mails from a bank asking for
    > confirmation. In the message, there was a URL:
    >
    > https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1&F21=IB&F22=ClientSign&LANG=EN
    >
    > However, when I moved my mouse pointer to the beginning on the URL, at
    > the bottom of the screen, it showed the following instead.
    >
    > http://163.23.70.201/http/www1.royalbank.com/cgi-bin/rbaccess/F21=IB&F22=ClientSign&LANG=EN/
    >
    > First of all, the link seems not using SSL (http instead of https).
    > Secondly, when I pinged 163.23.70.201, there was no response.
    >
    > I hesitate to click on the https:// link.
    >
    > Could someone help me understand what is it all about? Any info is
    > much appreciated.


    <a href="http://this.is/the/real/destination.php">http://can.claim/anything/about/the/link.html</a>

    Your problem obviously is that you messed up your mail client to render
    HTML content. Very very bad idea.

    And since you're abusing MSIE as a web browser, I presume your mail client
    is Outlook Express or Outlook. That means you'd be even worse off, since
    there are various features^W unpatched vulnerabilities which allow the
    attacker to fake the displayed URL. You're lucky that this attacker didn't
    try.
     
    Sebastian Gottschalk, Mar 16, 2007
    #2

  3. From: "a_monk" <>

    | Lately I received a number (phishing) mails from a bank asking for
    | confirmation. In the message, there was a URL:
    |
    | https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1&F21=IB&F22=ClientSign&LANG=EN
    |
    | However, when I moved my mouse pointer to the beginning on the URL, at
    | the bottom of the screen, it showed the following instead.
    |
    | http://163.23.70.201/http/www1.royalbank.com/cgi-bin/rbaccess/F21=IB&F22=ClientSign&LANG=EN/
    |
    | First of all, the link seems not using SSL (http instead of https).
    | Secondly, when I pinged 163.23.70.201, there was no response.
    |
    | I hesitate to click on the https:// link.
    |
    | Could someone help me understand what is it all about? Any info is
    | much appreciated.
    |
    | A Monk

    What part of Phishing don't you understand?

    The screen shows; https://www1.royalbank.com but the HTML really points to;
    http://163.23.70.201

    http://www.dnsstuff.com/tools/whois.ch?ip=163.23.70.201&email=on

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Mar 16, 2007
    #3
  4. a_monk

    a_monk Guest

    On Mar 15, 9:34 pm, "David H. Lipman" <DLipman~>
    wrote:
    > From: "a_monk" <>
    >
    > | Lately I received a number (phishing) mails from a bank asking for
    > | confirmation. In the message, there was a URL:
    > |
    > |https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1&F21=IB&F22=...
    > |
    > | However, when I moved my mouse pointer to the beginning on the URL, at
    > | the bottom of the screen, it showed the following instead.
    > |
    > |http://163.23.70.201/http/www1.royalbank.com/cgi-bin/rbaccess/F21=IB&...
    > |
    > | First of all, the link seems not using SSL (http instead of https).
    > | Secondly, when I pinged 163.23.70.201, there was no response.
    > |
    > | I hesitate to click on the https:// link.
    > |
    > | Could someone help me understand what is it all about? Any info is
    > | much appreciated.
    > |
    > | A Monk
    >
    > What part of Phishing don't you understand ?
    >
    > The screen shows; https://www1.royalbank.com but the HTML really points to; http://163.23.70.201
    >
    > http://www.dnsstuff.com/tools/whois.ch?ip=163.23.70.201&email=on
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm


    What would happen if I clicked on the link?
     
    a_monk, Mar 16, 2007
    #4
  5. a_monk

    a_monk Guest

    On Mar 15, 9:39 pm, "a_monk" <> wrote:
    > On Mar 15, 9:34 pm, "David H. Lipman" <DLipman~>
    > wrote:
    >
    > > From: "a_monk" <>
    >
    > > | Lately I received a number (phishing) mails from a bank asking for
    > > | confirmation. In the message, there was a URL:
    > > |
    > > |https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1&F21=IB&F22=...
    > > |
    > > | However, when I moved my mouse pointer to the beginning on the URL, at
    > > | the bottom of the screen, it showed the following instead.
    > > |
    > > |http://163.23.70.201/http/www1.royalbank.com/cgi-bin/rbaccess/F21=IB&...
    > > |
    > > | First of all, the link seems not using SSL (http instead of https).
    > > | Secondly, when I pinged 163.23.70.201, there was no response.
    > > |
    > > | I hesitate to click on the https:// link.
    > > |
    > > | Could someone help me understand what is it all about? Any info is
    > > | much appreciated.
    > > |
    > > | A Monk

    >
    > > What part of Phishing don't you understand ?
    >
    > > The screen shows; https://www1.royalbank.com but the HTML really points to; http://163.23.70.201
    >
    > > http://www.dnsstuff.com/tools/whois.ch?ip=163.23.70.201&email=on
    >
    > > --
    > > Dave
    > > http://www.claymania.com/removal-trojan-adware.html
    > > http://www.ik-cs.c...
    >
    > What would happen if I clicked on the link?


    Where could one report this crime?
     
    a_monk, Mar 16, 2007
    #5
  6. David H. Lipman, Mar 16, 2007
    #6
  7. a_monk

    Arthur T. Guest

    In
    Message-ID:<>,
    "a_monk" <> wrote:

    >Lately I received a number (phishing) mails from a bank asking for
    >confirmation. In the message, there was a URL:

    <snip>
    >However, when I moved my mouse pointer to the beginning on the URL, at
    >the bottom of the screen, it showed the following instead.

    <snip>
    >Could someone help me understand what is it all about? Any info is
    >much appreciated.


    This is standard HTML used for nefarious purposes.

    I'll show an example, using parens instead of angle brackets
    (in case you have a newsreader that renders HTML).

    (a href="http://ACTUAL.URL")WHAT TO DISPLAY(/a)

    In the above, an HTML-knowledgeable reader will show "WHAT TO
    DISPLAY", but if you click on it, it'll take you to
    "http://ACTUAL.URL". If "WHAT TO DISPLAY" *looks* like a URL,
    it'll cause the confusion you experienced.

    --
    Arthur T. - ar23hur "at" intergate "dot" com
    Looking for a z/OS (IBM mainframe) systems programmer position
     
    Arthur T., Mar 16, 2007
    #7
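
The mismatch described in the posts above, between what a link displays and where its href points, can be checked mechanically before a message is rendered. The following is an added example, not part of any post in this thread: the names `check`, `audit`, `LinkAuditor` and the reason labels are illustrative, and the sample body is constructed from the two URLs quoted in the thread (query strings dropped).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_LIKE = re.compile(r"^(?:https?://|www\.)\S+$", re.I)

def host_of(url):
    # Link text such as "www.example.com/x" has no scheme; add one so it parses.
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def check(shown, href):
    if not URL_LIKE.match(shown):  # text like "click here" claims no destination
        return []
    flags = [("host-mismatch", host_of(shown) != host_of(href)),
             ("https-downgrade", shown.lower().startswith("https://")
                                 and not href.lower().startswith("https://")),
             # all-digit host: dotted or integer IPv4 literal instead of a name
             ("numeric-host", host_of(href).replace(".", "").isdigit())]
    return [name for name, hit in flags if hit]

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.a_href, self.a_text, self.findings = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.a_href, self.a_text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.a_href is not None:
            self.a_text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.a_href is not None:
            reasons = check("".join(self.a_text).strip(), self.a_href)
            if reasons:
                self.findings.append((self.a_href, reasons))
            self.a_href = None

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: link 1 pairs the two URLs quoted in the thread; link 2 is honest.
SAMPLE = (
    '<a href="http://163.23.70.201/http/www1.royalbank.com/cgi-bin/rbaccess/">'
    'https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi</a> '
    '<a href="https://www.example.com/help">https://www.example.com/help</a>'
)
```

`audit(SAMPLE)` reports only the first link, with all three reasons. Links whose text is not URL-shaped are skipped on purpose, so this complements showing the raw href to the reader and does not replace it.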
  8. a_monk

    Jim Watt Guest

    On 15 Mar 2007 17:43:50 -0700, "a_monk" <> wrote:

    >Lately I received a number (phishing) mails from a bank


    Then either delete them and move on or report them to
    the bank.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Mar 16, 2007
    #8