![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
ventaI've just got an email, inviting me to visit a website to confirm my log-in details for my internet banking.
It says:
Dear client of the Halifax Internet banking,
Technical services of the bank are carrying out a planned software upgrade for the maximum convenience of the user of online-services of the Halifax Bank. We earnestly ask you to visit the following link and to confirm your bank data:
https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk
This instruction has been set to all bank customers and is obligatory to follow.
Now, I don't bank with the Halifax, but we'll let that pass for now.
Out of curiosity, I followed the link. It looks like a reasonably plausible internet banking log-in site, with a handy banner ad warning you of email fraud, and explaining they'll never ask for your bank details via email. Nice touch.
In fact, a bit of checking verifies that it actually takes you to the Halifax' genuine log-in site. If I go to the Halifax' website, and click on "sign-in", it takes me to exactly the URL above.
I've completely failed to understand the point of this spam. If it had taken to me to a mocked-up site, hoping to steal my details, I could have understood. It seems very unlikely that the Halifax are genuinely going for this scatter-shot approach to notifying their customers (in rather poor English) of some changes.
Have I missed something very obvious ? Am I the target of some very clueless, wannabe scammer, who's understood that you're supposed to send out fake bank-mails, but failed to set up the necessary infrastructure to steal details ?
It says:
Dear client of the Halifax Internet banking,
Technical services of the bank are carrying out a planned software upgrade for the maximum convenience of the user of online-services of the Halifax Bank. We earnestly ask you to visit the following link and to confirm your bank data:
https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk
This instruction has been set to all bank customers and is obligatory to follow.
Now, I don't bank with the Halifax, but we'll let that pass for now.
Out of curiosity, I followed the link. It looks like a reasonably plausible internet banking log-in site, with a handy banner ad warning you of email fraud, and explaining they'll never ask for your bank details via email. Nice touch.
In fact, a bit of checking verifies that it actually takes you to the Halifax' genuine log-in site. If I go to the Halifax' website, and click on "sign-in", it takes me to exactly the URL above.
I've completely failed to understand the point of this spam. If it had taken to me to a mocked-up site, hoping to steal my details, I could have understood. It seems very unlikely that the Halifax are genuinely going for this scatter-shot approach to notifying their customers (in rather poor English) of some changes.
Have I missed something very obvious ? Am I the target of some very clueless, wannabe scammer, who's understood that you're supposed to send out fake bank-mails, but failed to set up the necessary infrastructure to steal details ?
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2005-01-21 12:54 pm (UTC)So, let's see if my nice webmail will give me a non-html version of the email. Yup, there's a "text version" button. Which gives me the following:
This message only has an HTML part -- this is a text generated representation
[1][LINK]-[2][USEMAP:cid:part1.01040509.07060104@supprefnum348@h
alifax.co.uk]
in 1841 Spice Girls Lord of the Rings Entertainment Sports
Illustrated
References
1. https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk
Spice Girls ? Eh ?
But if the webmail has kindly done something funky with an email address for me, it's not telling.
<goes to rummage further>
no subject
Date: 2005-01-21 12:58 pm (UTC)Now I come to look at it, the mail isn't text at all. It's one big .gif (which explains why I couldn't cut'n'paste from it earlier). The entire area of the mail is clickable, rather than just the link.
no subject
Date: 2005-01-21 01:24 pm (UTC)I found an instance of what is probably the same thing in chiark's reported-spam group. The source looks like this:
(...line-wrapped by me.)
Although there's a straight hyperlink to Halifax's real website around the whole thing, the image is an image map which is supposed to make clicks on the image go to http://207.202.89.91:87/f/index.htm.
Perhaps your mail client's HTML support doesn't understand image maps, then.
no subject
Date: 2005-01-21 01:30 pm (UTC)no subject
Date: 2005-01-21 01:39 pm (UTC)no subject
Date: 2005-01-21 02:35 pm (UTC)The relevant bit is here:
<!-- begin message -->
<DEFANGED_html><p><font face="Arial"><A HREF="https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk"><map name="FPMap0"><area DEFANGED_coords="0, 0, 593, 300" shape="rect" href="http://207.202.89.91:87/f/index.htm"></map><img SRC="[snip]" border=0 usemap="#FPMap0"></A></a></font></p><p><font color="#FFFFFD">in 1841 Spice Girls Lord of the Rings Entertainment Sports Illustrated </font></p></DEFANGED_html>
<!-- end message -->
I'm guessing the DEFANGED bit was done by my mail providers de-nastying software, and explains why the link didn't go to the wrong place when I clicked on it.
It I try to load manually the link to which I should have been sent, I get a message saying that access to that port has been disabled for security reasons.
I'm not very well up on my ports, so I don't know whether 87 is particularly infamous, or indeed whether the access is blocked at their end or our end.
(Second attempt, I'm a fool).
port 87
Date: 2005-01-21 03:07 pm (UTC)no subject
Date: 2005-01-21 04:32 pm (UTC)They probably used it because it won't show up their ISP's firewall as an incoming HTTP connection and is unlikely to be used by anything else.