[personal profile] venta
I've just got an email, inviting me to visit a website to confirm my log-in details for my internet banking.

It says:

Dear client of the Halifax Internet banking,

Technical services of the bank are carrying out a planned software upgrade for the maximum convenience of the user of online-services of the Halifax Bank. We earnestly ask you to visit the following link and to confirm your bank data:

https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk

This instruction has been set to all bank customers and is obligatory to follow.


Now, I don't bank with the Halifax, but we'll let that pass for now.

Out of curiosity, I followed the link. It looks like a reasonably plausible internet banking log-in site, with a handy banner ad warning you of email fraud, and explaining they'll never ask for your bank details via email. Nice touch.

In fact, a bit of checking verifies that it actually takes you to the Halifax's genuine log-in site. If I go to the Halifax's website, and click on "sign-in", it takes me to exactly the URL above.

I've completely failed to understand the point of this spam. If it had taken me to a mocked-up site, hoping to steal my details, I could have understood. It seems very unlikely that the Halifax are genuinely going for this scatter-shot approach to notifying their customers (in rather poor English) of some changes.

Have I missed something very obvious? Am I the target of some very clueless, wannabe scammer, who's understood that you're supposed to send out fake bank-mails, but failed to set up the necessary infrastructure to steal details?

Date: 2005-01-21 12:49 pm (UTC)
From: [identity profile] wimble.livejournal.com
There has been a security hole in assorted browsers (which I'm not going to look up now), where a peculiarly formatted URL can look like one site, but actually lead to another.

Something like introducing extra colons, so...
http://www.halifax-online.co.uk@my.dodgy.site/stuff

looks, at first glance like it goes to the halifax, but in fact, it goes to my dodgy site, using the halifax part as a username.

If you look at the raw text of the email, rather than a rendered version, you'd see the difference. (I'm guessing you're seeing an HTML-filtered version, in a client that has detected and avoided this particular hack. I may be wrong.)

Date: 2005-01-21 12:54 pm (UTC)
From: [identity profile] venta.livejournal.com
Hmm... the URL displayed is (character for character) exactly the same as the "correct" one, because I checked.

So, let's see if my nice webmail will give me a non-html version of the email. Yup, there's a "text version" button. Which gives me the following:

This message only has an HTML part -- this is a text generated representation


[1][LINK]-[2][USEMAP:cid:part1.01040509.07060104@supprefnum348@halifax.co.uk]

in 1841 Spice Girls Lord of the Rings Entertainment Sports Illustrated

References

1. https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk


Spice Girls? Eh?

But if the webmail has kindly done something funky with an email address for me, it's not telling.

<goes to rummage further>

Date: 2005-01-21 12:58 pm (UTC)
From: [identity profile] venta.livejournal.com
Hmmm... weirdy weirdy weird.

Now I come to look at it, the mail isn't text at all. It's one big .gif (which explains why I couldn't cut'n'paste from it earlier). The entire area of the mail is clickable, rather than just the link.

Date: 2005-01-21 01:24 pm (UTC)
From: [identity profile] ewx.livejournal.com

I found an instance of what is probably the same thing in chiark's reported-spam group. The source looks like this:

<html><p><font face="Arial"><A HREF="https://www.halifax-online.co.uk/_mem_bin/
FormsLogin.asp?source=halifaxcouk"><map name="FPMap0"><area coords="0, 0, 593, 
300" shape="rect" href="http://207.202.89.91:87/f/index.htm"></map><img SRC="ci
d:part1.08060905.04020809@operator_712@halifax.co.uk" border="0" usemap="#FPMap
0"></A></a></font></p><p><font color="#FFFFF8">in 1986 Open your in 1867 in 181
4 U2 </font></p></html>

(...line-wrapped by me.)

Although there's a straight hyperlink to Halifax's real website around the whole thing, the image is an image map which is supposed to make clicks on the image go to http://207.202.89.91:87/f/index.htm.

Perhaps your mail client's HTML support doesn't understand image maps, then.
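
The trick ewx describes (an outer anchor to the real site, with an image map whose area sends clicks elsewhere) is easy to check for mechanically. Here is an added example, not code from the thread, that walks an HTML email with Python's standard-library parser and reports every image map whose area target host differs from the host of the anchor that visibly wraps the image. The sample input is the email source quoted above with its line wraps removed; the second, benign sample is constructed here for contrast.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sample 1: the phishing email source quoted in the thread (line wraps removed).
PHISH_EMAIL = (
    '<html><p><font face="Arial"><A HREF="https://www.halifax-online.co.uk/_mem_bin/'
    'FormsLogin.asp?source=halifaxcouk"><map name="FPMap0"><area coords="0, 0, 593, '
    '300" shape="rect" href="http://207.202.89.91:87/f/index.htm"></map><img SRC="ci'
    'd:part1.08060905.04020809@operator_712@halifax.co.uk" border="0" usemap="#FPMap'
    '0"></A></a></font></p><p><font color="#FFFFF8">in 1986 Open your in 1867 in 181'
    '4 U2 </font></p></html>'
)

# Sample 2: a constructed, harmless mail where the image link and the anchor agree.
BENIGN_EMAIL = (
    '<html><p><a href="https://www.example.org/login">'
    '<img src="cid:logo" usemap="#m"></a>'
    '<map name="m"><area shape="rect" coords="0,0,10,10" '
    'href="https://www.example.org/help"></map></p></html>'
)


class ClickTargetScanner(HTMLParser):
    """Collects anchor hrefs, image maps and images that use them."""

    def __init__(self):
        super().__init__()
        self.anchor_stack = []  # hrefs of the <a> elements currently open
        self.maps = {}          # map name -> list of <area href> values
        self.images = []        # (usemap name, href of the enclosing <a>, if any)
        self.current_map = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <A HREF> becomes a/href.
        a = dict(attrs)
        enclosing = self.anchor_stack[-1] if self.anchor_stack else None
        if tag == "a":
            self.anchor_stack.append(a.get("href"))
        elif tag == "map":
            self.current_map = a.get("name")
            self.maps.setdefault(self.current_map, [])
        elif tag == "area" and self.current_map is not None and a.get("href"):
            self.maps[self.current_map].append(a["href"])
        elif tag == "img" and a.get("usemap"):
            self.images.append((a["usemap"].lstrip("#"), enclosing))

    def handle_endtag(self, tag):
        if tag == "a" and self.anchor_stack:  # tolerate the stray </a> in the sample
            self.anchor_stack.pop()
        elif tag == "map":
            self.current_map = None


def host(url):
    """Hostname part of a URL, or None if there is no URL."""
    return urlsplit(url).hostname if url else None


def find_hidden_targets(html):
    """Return one finding per image-map area whose host differs from the
    host of the anchor visibly wrapping the image (the link a reader sees)."""
    scanner = ClickTargetScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for usemap, visible_href in scanner.images:
        for area_href in scanner.maps.get(usemap, []):
            if host(area_href) != host(visible_href):
                findings.append({"map": usemap, "visible": visible_href, "actual": area_href})
    return findings


if __name__ == "__main__":
    for name, mail in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, find_hidden_targets(mail))
```

Running it lists the Halifax URL as the visible target and the raw IP on port 87 as the actual click destination for the phishing sample, and nothing for the benign one. A mail gateway can apply the same comparison to decide whether to defang or quarantine a message.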

Date: 2005-01-21 01:30 pm (UTC)
From: [identity profile] venta.livejournal.com
Hmm... that sounds like it might be plausible. Annoyingly, I have yet to work out how to compel my client to show me the raw html. It doesn't want to.

Date: 2005-01-21 01:39 pm (UTC)
From: [identity profile] ewx.livejournal.com
What client is it?

Date: 2005-01-21 02:35 pm (UTC)
From: [identity profile] venta.livejournal.com
It's web mail, so I've now just done the sensible thing and looked at the source for the whole page.

The relevant bit is here:

<!-- begin message -->

<DEFANGED_html><p><font face="Arial"><A HREF="https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk"><map name="FPMap0"><area DEFANGED_coords="0, 0, 593, 300" shape="rect" href="http://207.202.89.91:87/f/index.htm"></map><img SRC="[snip]" border=0 usemap="#FPMap0"></A></a></font></p><p><font color="#FFFFFD">in 1841 Spice Girls Lord of the Rings Entertainment Sports Illustrated </font></p></DEFANGED_html>


<!-- end message -->


I'm guessing the DEFANGED bit was done by my mail provider's de-nastying software, and explains why the link didn't go to the wrong place when I clicked on it.

If I try to manually load the link to which I should have been sent, I get a message saying that access to that port has been disabled for security reasons.

I'm not very well up on my ports, so I don't know whether 87 is particularly infamous, or indeed whether the access is blocked at their end or our end.

(Second attempt, I'm a fool).

port 87

Date: 2005-01-21 03:07 pm (UTC)
From: [identity profile] ewx.livejournal.com
That seems to be a Firefox feature (I get the same message and it doesn't even attempt to connect). It's (probably) there to prevent your browser being abused by other people to launder various forms of abuse.

Date: 2005-01-21 04:32 pm (UTC)
From: [identity profile] hjalfi.livejournal.com
Port 87 is ttylink, which is a long-dead chat service, also known as convers (see here (http://sharon.esrac.ele.tue.nl/pub/linux/packet/convers/) if you want applications for it). It's not quite as dead a protocol as, say, FSP, but it's at least fir-treeing for the lakes.

They probably used it because it won't show up on their ISP's firewall as an incoming HTTP connection and is unlikely to be used by anything else.

Date: 2005-01-21 12:54 pm (UTC)
From: [identity profile] j4.livejournal.com
It's not one of these, is it?

Date: 2005-01-21 12:56 pm (UTC)
From: [identity profile] venta.livejournal.com
Hmm.... dunno yet, interesting idea though.

<more investigations>

Date: 2005-01-21 02:18 pm (UTC)
From: [identity profile] bateleur.livejournal.com
Now that's one of my favourites!

Date: 2005-01-21 06:05 pm (UTC)
From: [identity profile] mrph.livejournal.com
It's possible. I've seen dumber ones.

You might want to forward that to onlineemailinvestigations@hbosplc.com (if you haven't already), btw - they're always happy to have copies of scam mails sent to 'em.

Date: 2005-01-21 06:09 pm (UTC)
From: [identity profile] mrph.livejournal.com
Actually, don't bother - they've got it already

Sorry - I should have checked that first.

Date: 2005-01-21 06:09 pm (UTC)
From: [identity profile] http://users.livejournal.com/_corpse_/
Oddly, the thing that leapt out at me from that email, and rang my "No! Evil awaits!" alarm was the use of the word "earnestly".

Date: 2005-01-24 11:11 am (UTC)
From: [identity profile] venta.livejournal.com
Yes... I think I should stop using the word "genuinely", as it intends to have exactly the opposite effect to what I want :)

Date: 2005-01-21 06:30 pm (UTC)
From: [identity profile] ao-lai.livejournal.com
Phishing alert!!! Call me paranoid, but even now I feel admittedly mild actual fear from even seeing bits of the source...

...No, wait. I work for an IT security company. I'm learning...
