This is a discussion on Halifax Bank email scam within the Linux Security forums, part of the System Security and Security Related category.

Below is a fairly obvious scam to extract account details I received today -
Halifax have shut their site down. The question is how can this possibly
work? Surely the link below goes to the genuine Halifax server, how then is
it possible for the fraudsters to obtain the account details without also
being able to plant their own software on that server? The ability to do
that would be a massive security breach on the part of Halifax and a
completely unconscionable error for a major public company. [BTW I don't
have such an account].

------------------------------------------------------------
Dear Halifax Bank Member,

This email was sent by the Halifax server to verify your e-mail
address. You must complete this process by clicking on the link
below and entering in the small window your Halifax username
and password.
This is done for your protection --- because some of our
members no longer have access to their email addresses and
we must verify it.

To verify your e-mail address and access your bank account,
click on the link below. If nothing happens when you click on the
link (or if you use AOL), copy and paste the link into
the address bar of your web browser.

http://halifax.co.uk:ac=tVfB1OzCLmQR...9/?TAhIJmjCxxi
Otyp

--------------------------------------------
Thank you for using Halifax!
--------------------------------------------

This automatic email sent to: scott@scott2.demon.co.uk
Do not reply to this email.

In article <bnjclj$rgd$1$8300dec7@news.demon.co.uk>,
Scott <nospam@scott2.demon.co.uk> wrote:

>Below is a fairly obvious scam to extract account details I received today -
>Halifax have shut their site down. The question is how can this possibly
>work? Surely the link below goes to the genuine Halifax server, how then is
>it possible for the fraudsters to obtain the account details without also
>being able to plant their own software on that server? The ability to do
>that would be a massive security breach on the part of Halifax and a
>completely unconscionable error for a major public company. [BTW I don't
>have such an account].

The URL goes to shortway.to, not halifax.co.uk. Notice the '@' in the URL;
the complete syntax of an HTTP URL is:

http://<username>:<password>@<hostname>:<port>/<pathname>

So in the URL in the scam email, the username is "halifax.co.uk", the
password is "ac=tVfB1OzCLmQRF1na6lTT", the hostname is <ShOrTwAy.To>, and
the port defaults to 80.

This is a common way to make URLs look legitimate when they're not -- most
people look at the beginning of the URL for the hostname, and don't know
about the optional fields for supplying authentication information.

>------------------------------------------------------------
>Dear Halifax Bank Member,
>
>This email was sent by the Halifax server to verify your e-mail
>address. You must complete this process by clicking on the link
>below and entering in the small window your Halifax username
>and password.
>This is done for your protection --- because some of our
>members no longer have access to their email addresses and
>we must verify it.
>
>To verify your e-mail address and access your bank account,
>click on the link below. If nothing happens when you click on the
>link (or if you use AOL), copy and paste the link into
>the address bar of your web browser.
>
>
>http://halifax.co.uk:ac=tVfB1OzCLmQR...9/?TAhIJmjCxxi
>Otyp
>
>
>--------------------------------------------
> Thank you for using Halifax!
>--------------------------------------------
>
>This automatic email sent to: scott@scott2.demon.co.uk
>Do not reply to this email.

-- 
Barry Margolin, barry.margolin@level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
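
The URL decomposition described in the post above, as an added example that is not part of the original thread: it uses Python's `urllib.parse.urlsplit` to report which host a link really points to and flags userinfo dressed up as a hostname. The sample message and its `PLACEHOLDERTOKEN` password are constructed, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# Loose "looks like a DNS name" test: dot-separated labels ending in a TLD.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample body. The password token is a placeholder; the
# username/hostname split is the one described in the post above.
SAMPLE_BODY = """To verify your e-mail address, click on the link below.
http://halifax.co.uk:ac=PLACEHOLDERTOKEN@ShOrTwAy.To/?verify
Our real site is https://www.halifax.co.uk/ as always.
"""


def inspect_url(url):
    """Return the host a client would really contact, plus warning flags."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # text after the last '@', lowercased
    user = parts.username or ""          # text before the first ':' of userinfo
    flags = []
    if "@" in parts.netloc:
        flags.append("userinfo-present")
        if HOSTLIKE.match(user) and user.lower() != host:
            flags.append("userinfo-looks-like-host")
    try:
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:                   # e.g. "host:ac=..." with no '@' at all
        port = None
        flags.append("non-numeric-port")
    return {"real_host": host, "decoy": user or None, "port": port, "flags": flags}


def scan_body(text):
    """Inspect every http(s) URL found in a message body."""
    return [inspect_url(u) for u in re.findall(r"https?://[^\s<>\"]+", text)]


if __name__ == "__main__":
    for result in scan_body(SAMPLE_BODY):
        print(result)
```

The `non-numeric-port` flag covers a copy of such a link whose `@` part has been lost or truncated, where the text after the first colon cannot be a port.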

On Mon, 27 Oct 2003 15:21:51 GMT, Barry Margolin <barry.margolin@level3.com>
wrote in <jKanb.233$lK3.179@news.level3.com>:

> The URL goes to shortway.to, not halifax.co.uk. Notice the '@' in the URL;
> the complete syntax of an HTTP URL is:

> http://<username>:<password>@<hostname>:<port>/<pathname>

> So in the URL in the scam email, the username is "halifax.co.uk", the
> password is "ac=tVfB1OzCLmQRF1na6lTT", the hostname is <ShOrTwAy.To>, and
> the port defaults to 80.

The one I got had
http://www.citibank.com:ac=ZUVv0gvJR...2YWqI8kEPFDKB9

=> az.ru

-- 
Ivan Reid, Electronic & Computer Engineering, ___ CMS Collaboration,
Brunel University. Ivan.Reid@brunel.ac.uk Room 40-1-B12, CERN
KotPT -- "for stupidity above and beyond the call of duty".

Got one purporting to be from Barclays - cunning little monkeys.

"Dr Ivan D. Reid" <Ivan.Reid@brunel.ac.uk> wrote in message
news:slrnbpqk2t.27g.Ivan.Reid@loki.brunel.ac.uk...
> On Mon, 27 Oct 2003 15:21:51 GMT, Barry Margolin <barry.margolin@level3.com>
> wrote in <jKanb.233$lK3.179@news.level3.com>:
>
> > The URL goes to shortway.to, not halifax.co.uk. Notice the '@' in the URL;
> > the complete syntax of an HTTP URL is:
>
> > http://<username>:<password>@<hostname>:<port>/<pathname>
>
> > So in the URL in the scam email, the username is "halifax.co.uk", the
> > password is "ac=tVfB1OzCLmQRF1na6lTT", the hostname is <ShOrTwAy.To>, and
> > the port defaults to 80.
>
> The one I got had
> http://www.citibank.com:ac=ZUVv0gvJR...c2YWqI8kEPFDKB 9
>
> => az.ru
>
> --
> Ivan Reid, Electronic & Computer Engineering, ___ CMS Collaboration,
> Brunel University. Ivan.Reid@brunel.ac.uk Room 40-1-B12, CERN
> KotPT -- "for stupidity above and beyond the call of duty".

In article <bnjmsb$158$1@pegasus.csx.cam.ac.uk>, cmw52@-----cam.ac.uk says...
> Got one purporting to be from Barclays - cunning little monkeys.
>
Same here. I knew it wasn't real - I don't bank with Barclays!

Anyone who clicks on these links and reveals their PIN, etc, after being told
numerous times in life and in the literature not to do so, deserves everything
they get.

-- 
Dom Robinson Gamertag: DVDfever email: dom at dvdfever dot co dot uk
/* http://DVDfever.co.uk (editor), http://LeilaniWeb.co.uk (editor),
/* 953 DVDs, 261 games, 33 videos, 68 cinema films, 69 CDs, laserdiscs & news
/* darkness falls, the truth about medion, final destination 2, old school
"Girls Aloud will be here next week and they'll be ready for a roasting!"
- Fearne Cotton announces the girl band will be answering q's on TOTP Saturday

In article <MPG.1a07aa44673416ce989f4b@news.cis.dfn.de>,
Dom Robinson <murphyisamuppet@hotmail.com> wrote:

>In article <bnjmsb$158$1@pegasus.csx.cam.ac.uk>, cmw52@-----cam.ac.uk says...
>> Got one purporting to be from Barclays - cunning little monkeys.
>>
>Same here. I knew it wasn't real - I don't bank with Barclays!
>
>Anyone who clicks on these links and reveals their PIN, etc, after being told
>numerous times in life and in the literature not to do so, deserves everything
>they get.

I don't think I've gotten any of these from Barclays, but I often get
messages purporting to be from PayPal, with a URL to click on to verify my
account with them.

-- 
Barry Margolin, barry.margolin@level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

On Mon, 27 Oct 2003 22:32:04 GMT, Barry Margolin
<barry.margolin@level3.com> wrote:

>In article <MPG.1a07aa44673416ce989f4b@news.cis.dfn.de>,
>Dom Robinson <murphyisamuppet@hotmail.com> wrote:
>>In article <bnjmsb$158$1@pegasus.csx.cam.ac.uk>, cmw52@-----cam.ac.uk says...
>>> Got one purporting to be from Barclays - cunning little monkeys.
>>>
>>Same here. I knew it wasn't real - I don't bank with Barclays!
>>
>>Anyone who clicks on these links and reveals their PIN, etc, after being told
>>numerous times in life and in the literature not to do so, deserves everything
>>they get.
>
>I don't think I've gotten any of these from Barclays, but I often get
>messages purporting to be from PayPal, with a URL to click on to verify my
>account with them.

Barclays have in fact now resorted to putting up a damn great message
when you try to enter their online banking site, basically saying:

DON'T EVER REVEAL YOUR PIN NUMBER OR WHOLE PASSWORD TO ANYONE, NOT
EVEN US, WE REALLY MEAN IT, YES REALLY, NOT EVEN TO YOUR LOVELY LITTLE
SON JOHNNY, HONESTLY, TRUST US ON THIS, JUST DON'T DO IT, OK ?

which you can't get past without clicking a box to say you've read it.

Anyone want to bet that someone will still get taken in after reading
that ?

Cheers,

John

On Mon, 27 Oct 2003 18:07:01 -0000, "cmw" <cmw52@-----cam.ac.uk>
wrote:

>"Dr Ivan D. Reid" <Ivan.Reid@brunel.ac.uk> wrote in message
>news:slrnbpqk2t.27g.Ivan.Reid@loki.brunel.ac.uk...
>> On Mon, 27 Oct 2003 15:21:51 GMT, Barry Margolin <barry.margolin@level3.com>
>> wrote in <jKanb.233$lK3.179@news.level3.com>:
>>
>> > The URL goes to shortway.to, not halifax.co.uk. Notice the '@' in the URL;
>> > the complete syntax of an HTTP URL is:
>>
>> > http://<username>:<password>@<hostname>:<port>/<pathname>
>>
>> > So in the URL in the scam email, the username is "halifax.co.uk", the
>> > password is "ac=tVfB1OzCLmQRF1na6lTT", the hostname is <ShOrTwAy.To>, and
>> > the port defaults to 80.
>>
>> The one I got had
>> http://www.citibank.com:ac=ZUVv0gvJR...c2YWqI8kEPFDKB
>>
>Got one purporting to be from Barclays - cunning little monkeys.

What I want to know is - how are the scammers getting hold of the
email addresses in the first place?

Ben
-- 
I ain’t saying that it’s wrong for you
It just don’t make sense to me

"Ben Padstow" <benpadstow@NOSPAMsensical.co.uk> wrote in message
news:98lspvcq83rr6pdd19b4v3rgmrrmpjrpla@4ax.com

>>>> The URL goes to shortway.to, not halifax.co.uk. Notice the '@' in
>>>> the URL; the complete syntax of an HTTP URL is:
>>>> http://<username>:<password>@<hostname>:<port>/<pathname>
>>>> So in the URL in the scam email, the username is "halifax.co.uk",
>>>> the password is "ac=tVfB1OzCLmQRF1na6lTT", the hostname is
>>>> <ShOrTwAy.To>, and the port defaults to 80.
>>>
>>> The one I got had
>> http://www.citibank.com:ac=ZUVv0gvJR...c2YWqI8kEPFDKB
>> Got one purporting to be from Barclays - cunning little monkeys.
>
> What I want to know is - how are the scammers getting hold of the
> email addresses in the first place?

Same way any other spammer does, I suppose.

-- 
use hotmail com for any email replies

On Tue, 28 Oct 2003 03:42:29 -0800, "ynotssor" <"ynotssor"> wrote:

>"Ben Padstow" <benpadstow@NOSPAMsensical.co.uk> wrote in message
>news:98lspvcq83rr6pdd19b4v3rgmrrmpjrpla@4ax.com
>
>> What I want to know is - how are the scammers getting hold of the
>> email addresses in the first place?
>
>Same way any other spammer does, I suppose.

I thought the suggestion was that the spammers are specifically
targeting customers of the scammed banks? Is it just that they're
sending out thousands of emails and happen to be catching people who
have an account with that bank?

The strange thing is, I get every spam going, and haven't had this. I
bank with Smile.

Ben
-- 
I ain’t saying that it’s wrong for you
It just don’t make sense to me