This evening I was looking through my spam messages to make sure there were no false positives. I was a little surprised to see this one.

[image: scam.jpg]

I have worked for a couple of banks, and they never send emails like this. So, naturally, I was curious (that, and they're not my bank). I ripped the covers off the email and found that yes, it was indeed the scam I thought it was.

(email header)

Delivered-To: dave@foo.bar
Received: by 10.x.x.x with SMTP id *********;
Fri, 4 May 2007 16:45:12 -0700 (PDT)
Received: by 10.x.x.x with SMTP id ************;
Fri, 04 May 2007 16:45:12 -0700 (PDT)
Return-Path:
Received: from ensim.musicarena.com ([67.15.113.38])
by ***********.com with ESMTP id **************;
Fri, 04 May 2007 16:45:12 -0700 (PDT)
Received-SPF: neutral (*******.com: 67.15.113.38 is neither permitted nor denied by best guess record for domain of teamphotoshop@teamphotoshop.com)
Received: from teamphotoshop.com (localhost.localdomain [127.0.0.1])
by ensim.musicarena.com (8.12.11.20060308/8.12.10) with ESMTP id l44NjCQO012281
for ; Fri, 4 May 2007 18:45:12 -0500
Received: (from teamphotoshop@localhost)
by teamphotoshop.com (8.12.11.20060308/8.12.11/Submit) id l44NjCl3012274;
Fri, 4 May 2007 18:45:12 -0500
Date: Fri, 4 May 2007 18:45:12 -0500
Message-Id: <200705042345.l44NjCl3012274@teamphotoshop.com>
To: dave@foo.bar
Subject: IMPORTANT Electronic Access Agreement Update
From: Royal Bank of Canada
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit

(/email header)
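To show what "ripping the covers off" looks like in code, here is an added Python example (not part of the original post) that parses the header block above, walks the Received: chain oldest hop first, and compares the domains behind From:, Return-Path:, Message-Id: and the SPF result. The header text is the post's own, re-folded so continuation lines are indented; the masked fields (10.x.x.x, the starred host and queue ids) are kept as the post shows them and are treated as placeholders.

```python
import email
import re

# Constructed sample: the header block from the post, re-folded so that the
# continuation lines are indented as they would be in a real message. Masked
# values (10.x.x.x, ***********.com, queue ids) are placeholders from the post.
RAW_MESSAGE = """\
Delivered-To: dave@foo.bar
Received: by 10.x.x.x with SMTP id *********;
        Fri, 4 May 2007 16:45:12 -0700 (PDT)
Received: by 10.x.x.x with SMTP id ************;
        Fri, 04 May 2007 16:45:12 -0700 (PDT)
Return-Path:
Received: from ensim.musicarena.com ([67.15.113.38])
        by ***********.com with ESMTP id **************;
        Fri, 04 May 2007 16:45:12 -0700 (PDT)
Received-SPF: neutral (*******.com: 67.15.113.38 is neither permitted nor denied by best guess record for domain of teamphotoshop@teamphotoshop.com)
Received: from teamphotoshop.com (localhost.localdomain [127.0.0.1])
        by ensim.musicarena.com (8.12.11.20060308/8.12.10) with ESMTP id l44NjCQO012281
        for ; Fri, 4 May 2007 18:45:12 -0500
Received: (from teamphotoshop@localhost)
        by teamphotoshop.com (8.12.11.20060308/8.12.11/Submit) id l44NjCl3012274;
        Fri, 4 May 2007 18:45:12 -0500
Date: Fri, 4 May 2007 18:45:12 -0500
Message-Id: <200705042345.l44NjCl3012274@teamphotoshop.com>
To: dave@foo.bar
Subject: IMPORTANT Electronic Access Agreement Update
From: Royal Bank of Canada
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit

"""

RECEIVED_FROM = re.compile(r"\bfrom\s+([^\s()]+)", re.I)
RECEIVED_BY = re.compile(r"\bby\s+([^\s();]+)", re.I)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def parse_message(raw=RAW_MESSAGE):
    return email.message_from_string(raw)


def received_chain(msg):
    """Walk Received: headers oldest-first (each MTA prepends its own, so the
    last one in the message is the first hop). One dict per hop: the host the
    sender claimed, the host that received it, and any IPv4 literals recorded."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(raw.split())  # unfold continuation lines
        m_from = RECEIVED_FROM.search(text)
        m_by = RECEIVED_BY.search(text)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ips": IPV4.findall(text),
        })
    return hops


def domain_of(header_value):
    """Domain of the first e-mail address found in a header value, or None."""
    m = ADDR.search(header_value or "")
    return m.group(1).lower() if m else None


def sender_domains(msg):
    """Domains that should all agree for a genuine bank mailing."""
    return {
        "from": domain_of(msg.get("From")),
        "return_path": domain_of(msg.get("Return-Path")),
        "message_id": domain_of(msg.get("Message-Id")),
        "spf": domain_of(msg.get("Received-SPF")),
    }


def red_flags(msg):
    flags = []
    doms = sender_domains(msg)
    if doms["from"] is None:
        flags.append("From: carries a display name but no usable address")
    others = {v for k, v in doms.items() if k != "from" and v}
    if doms["from"] and others and doms["from"] not in others:
        flags.append("From: domain %s disagrees with %s"
                     % (doms["from"], ", ".join(sorted(others))))
    hops = received_chain(msg)
    # "(from user@localhost)" is sendmail's record of a local submission: the
    # mail was injected by a process on that box, not relayed from a bank MTA.
    if hops and hops[0]["from"] and hops[0]["from"].endswith("@localhost"):
        flags.append("first hop is a local submission on %s" % hops[0]["by"])
    return flags


if __name__ == "__main__":
    m = parse_message()
    for hop in received_chain(m):
        print(hop)
    print(sender_domains(m))
    print(red_flags(m))
```

Read oldest hop first: the message was submitted locally on teamphotoshop.com, handed to ensim.musicarena.com on the same box, and only then left 67.15.113.38 for the recipient's mail system. Nothing in that chain, in Message-Id: or in the SPF result mentions a bank domain, and From: has no address at all, which is exactly the mismatch to look for before anything else.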

The return address resolves to an IP address in the Houston area; the WHOIS record for that block:

NetRange: 67.15.0.0 - 67.15.255.255
CIDR: 67.15.0.0/16
NetName: EVRY-BLK-15
NetHandle: NET-67-15-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1SERVERS.NET
NameServer: NS2.EV1SERVERS.NET

Now, if someone were unfortunate enough to click the link in the email, they would be sent to this site:

http://www.******.com/(URL-MUNGED)/www1.royalbank.com/cgi-bin/rbaccess/secure/
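The trick in that URL is that www1.royalbank.com is a path component, not the host: the browser connects to the munged host name in front of it and the bank's name is just decoration. As an added example (not from the post), here is a Python checker that extracts the host a link really points at, lists any bank domain names that appear elsewhere in the URL as decoys, and runs that over an HTML mail body the way a filter or an analyst would. The host www.phisher.example, the anchor text and the HTML body are constructed placeholders; the bank domains are the ones named in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Bank domains named in the post; anything else claiming to be RBC is suspect.
LEGIT_DOMAINS = {"royalbank.com", "rbc.com", "rbcroyalbank.com"}

# Constructed HTML body shaped like the phish: the visible text looks like a
# bank URL, the href points at a placeholder host with the bank name in the path.
SAMPLE_BODY = """
<p>Dear customer,</p>
<p>Please visit <a href="http://www.phisher.example/img/www1.royalbank.com/cgi-bin/rbaccess/secure/">
www1.royalbank.com/cgi-bin/rbaccess/secure/</a> to update your Electronic Access Agreement.</p>
<p><a href="http://www.rbc.com/security/contact-security.html">Contact Us</a></p>
"""


def host_of(url):
    """Host a browser would actually connect to. urlsplit() discards any user@
    prefix, so http://www1.royalbank.com@203.0.113.5/ yields 203.0.113.5."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def is_legit_host(host, legit=LEGIT_DOMAINS):
    """True only if host is one of the bank's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legit)


def assess_url(url, legit=LEGIT_DOMAINS):
    """Classify one link: where it really goes, and which bank names it shows
    off in the parts of the URL that are *not* the host."""
    parts = urlsplit(url)
    host = host_of(url)
    elsewhere = " ".join(
        p for p in (parts.username, parts.path, parts.query, parts.fragment) if p
    ).lower()
    decoys = sorted(d for d in legit if d in elsewhere)
    if is_legit_host(host, legit):
        verdict = "legitimate"
    elif decoys:
        verdict = "deceptive"
    else:
        verdict = "unrelated"
    return {"host": host, "decoy_brands": decoys, "verdict": verdict}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def suspicious_links(html, legit=LEGIT_DOMAINS):
    """Links whose real host is not the bank's but whose text or URL pretends to be."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        report = assess_url(href, legit)
        # The anchor text is what the victim reads; compare its host part with the real target.
        shown = host_of(text) if "://" in text else text.lower().split("/")[0]
        text_claims_bank = is_legit_host(shown, legit)
        if report["verdict"] != "legitimate" and (report["decoy_brands"] or text_claims_bank):
            findings.append({"href": href, "text": text, **report})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_BODY):
        print(finding)
```

The rule is deliberately strict: a host is only "legitimate" if it is the bank's domain or a subdomain of it, so a bank name in the path, in the user@ part before the host, or in the clickable text counts for nothing. The "Contact Us" link in the sample, which really points at www.rbc.com, passes; the update link, which points at the placeholder host, is the one reported.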

So I dug into the domain registration (WHOIS) and found this.

———————————————–
Queried Domain Information as follows
———————————————–

Domain Name : ******.com

::Registrant::
Name : jin sung min
Email : ******@orgio.net
Address : 25/3 Ban 1158-7 Beon Ji Shinjong 3-dong Yangchon-gu,Seoul,Korea
Zipcode : 158-863
Nation : KR
Tel : 051-752-8265
Fax :

::Administrative Contact::
Name : Jinsungmin
Email : ******@orgio.net
Address : 25/3 Ban 1158-7 Beon Ji Shinjong 3-dong Yangchon-gu,Seoul,Korea
Zipcode : 158-863
Nation : KR
Tel : 051-752-8265
Fax :

::Technical Contact::
Name : Whois Co., Ltd.
Email : whois@whois.co.kr
Address : 143-39 Shinil Bldg.1F, Samsung-dong, Kangnam-gu
Zipcode : 135-877
Nation : KR
Tel : +82-2-325-4259
Fax : +82-2-325-2259

::Name Servers::
ns2.icomis.com
xp.icomis.net

::Dates & Status::
Created Date 2001-11-06 04:52:00 EST
Updated Date 2006-11-08 18:55:20 EST
Valid Date 2009-11-06 04:52:00 EST
Status ACTIVE

OK, I had to double-check this, so I checked the DNS from the command line with a reverse lookup on the site's IP address.

174.71.145.218.in-addr.arpa name = www10.icomis.com (hosting company name)

Yup, this is a phishing attempt. They had even hot-linked a legitimate RBC logo from a Royal Bank subsidiary server in the Channel Islands; they should not have been able to link to that image in the first place.

My point in this long-winded dissection of a phishing attempt is that users need to be aware. Banks will not send this type of email to their customers, EVER. Do yourself a favour and DELETE THESE EMAILS if you receive them, or, where feasible, forward them to the respective financial institution, e.g. “information.security@rbc.com”.

Royal Bank provides the following information to help safeguard against these attempts:

The number of fraudulent emails and other online scams continues to grow. As part of our ongoing commitment to help you keep your online experiences private and secure, we want to remind you to be cautious when conducting your online activities.

Phishing is the most common type of online fraud and involves the practice of sending phoney email messages to try and get you to reveal your personal information.

RBC will NEVER, under any circumstances, send you an email that includes a link or phone number asking you to:

* Update or verify your account details or other personal information online or by phone
* Log on to online banking (or other private website)

When these fraudulent emails contain links to a sign in page — DO NOT reply. Remember that these links take you to a phoney website designed to capture your personal information. The websites often look legitimate and may even contain RBC banners and logos to try to fool you.

Here are some additional ways to spot a phishing email:

* The message will be addressed to “Dear customer or member…” rather than using your name.
* The email may convey a sense of urgency. For example, threatening suspension of banking services or giving deadlines to qualify for a prize.
* Some messages contain obvious spelling errors and poor grammar.

If you receive an email that asks you to provide confidential information, such as account passwords, PIN, Social Insurance Number or any other personal information, either online or by phone, DO NOT respond. Instead, please notify us by forwarding the email to information.security@rbc.com.

If you believe you have provided your account or other personal information in response to a fraudulent email, call us immediately at 1 800 769-2555 or see the “Contact Us” information at www.rbc.com/security/contact-security.html.

For more information on protecting your personal and financial information online, please review our Guide to Security and Privacy at www.rbcroyalbank.com/online/guidetosecurity.html.

…be careful out there.

[tags]Phishing Attempt, RBC Email Scam, Phishing, Royal Bank Email Fraud[/tags]
