So fine they'll never see ya leavin' by the back door

[venta]

I've just got an email, inviting me to visit a website to confirm my log-in details for my internet banking.

It says:

Dear client of the Halifax Internet banking,

Technical services of the bank are carrying out a planned software upgrade for the maximum convenience of the user of online-services of the Halifax Bank. We earnestly ask you to visit the following link and to confirm your bank data:

https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk

This instruction has been set to all bank customers and is obligatory to follow.

Now, I don't bank with the Halifax, but we'll let that pass for now.

Out of curiosity, I followed the link. It looks like a reasonably plausible internet banking log-in site, with a handy banner ad warning you of email fraud, and explaining they'll never ask for your bank details via email. Nice touch.

In fact, a bit of checking verifies that it actually takes you to the Halifax' genuine log-in site. If I go to the Halifax' website, and click on "sign-in", it takes me to exactly the URL above.

I've completely failed to understand the point of this spam. If it had taken to me to a mocked-up site, hoping to steal my details, I could have understood. It seems very unlikely that the Halifax are genuinely going for this scatter-shot approach to notifying their customers (in rather poor English) of some changes.

Have I missed something very obvious ? Am I the target of some very clueless, wannabe scammer, who's understood that you're supposed to send out fake bank-mails, but failed to set up the necessary infrastructure to steal details ?

Comments

[ewx.livejournal.com]

What client is it?

[venta.livejournal.com]

It's web mail, so I've now just done the sensible thing and looked at the source for the whole page.

The relevant bit is here:

<!-- begin message -->

<DEFANGED_html><p><font face="Arial"><A HREF="https://www.halifax-online.co.uk/_mem_bin/FormsLogin.asp?source=halifaxcouk"><map name="FPMap0"><area DEFANGED_coords="0, 0, 593, 300" shape="rect" href="http://207.202.89.91:87/f/index.htm"></map><img SRC="[snip]" border=0 usemap="#FPMap0"></A></a></font></p><p><font color="#FFFFFD">in 1841 Spice Girls Lord of the Rings Entertainment Sports Illustrated </font></p></DEFANGED_html>


<!-- end message -->

I'm guessing the DEFANGED bit was done by my mail providers de-nastying software, and explains why the link didn't go to the wrong place when I clicked on it.

It I try to load manually the link to which I should have been sent, I get a message saying that access to that port has been disabled for security reasons.

I'm not very well up on my ports, so I don't know whether 87 is particularly infamous, or indeed whether the access is blocked at their end or our end.

(Second attempt, I'm a fool).

port 87

[ewx.livejournal.com]

That seems to be a Firefox feature (I get the same message and it doesn't even attempt to connect). It's (probably) there prevent your browser being abused by other people to launder various forms of abuse.

[hjalfi.livejournal.com]

Port 87 is ttylink, which is a long-dead chat service, also known as convers (see here (http://sharon.esrac.ele.tue.nl/pub/linux/packet/convers/) if you want applications for it). It's not quite as dead a protocol as, say, FSP, but it's at least fir-treeing for the lakes.

They probably used it because it won't show up their ISP's firewall as an incoming HTTP connection and is unlikely to be used by anything else.