VOLKSBANK Phishing email

Date: 01-05.08.2005

Updated: 14.11.2005

 

Content:

  1. Description
  2. Pictures of the website
  3. Mail Headers
  4. Websites’ IP address registrations (WHOIS)
  5. HTML source of the website
  6. Conclusions
  7. Update: The envelope received by regular post from Volksbank to warn their customers about the phishing attack.

 

  1. Description

 

Email Sources: 4

Target Websites: 2 (see their WHOIS records in section 4)

Type: GIF/JPG inserted inline in the mail (multipart/related, referenced by Content-ID) and linked through an image map to one of the two target websites

Note: Just like regular spam, each mail consists of an HTML part carrying the picture and the link, followed only by garbage text (to confuse Bayesian filters). The garbage text is rendered in a near-white font colour (#FFFFF1 and similar), so the reader does not see it but a filter does.

Language: German

 

The email

 

Figure 1. The email
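To make the structure described above concrete, here is a small checker, added for this write-up and not part of the original analysis or of any Volksbank software, that parses one of these mails with Python's standard library and reports what the description points at: the host of the wrapping <a>, the host of the <area> that actually receives the click, IP-literal targets, the image-map-covered inline image, and text hidden with a near-white font colour. The sample message is a trimmed copy of Mail 1 from section 3 (headers shortened, GIF body replaced by a 1x1 placeholder, HTML part unchanged); the near-white threshold (every colour channel at or above 0xF0) is my own choice.

```python
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: trimmed copy of Mail 1 from this write-up. Headers cut down,
# GIF body replaced by a 1x1 placeholder; the HTML part is the original one.
SAMPLE_MAIL = """\
From: Volksbanken Raiffeisenbanken <supprefnum6397688@volksbank.de>
To: ginepri_claudine@gmx.net
Subject: Es ist wichtig!
MIME-Version: 1.0
Content-Type: multipart/related; boundary="------------090708020807060709080003"

--------------090708020807060709080003
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html><p><font face="Arial"><A HREF="http://www.volksbank.de/__C1256B56003097E2.nsf/X851A68E4F14128EFC1256C670055579C"><map name="twRd"><area coords="0, 0, 788, 331" shape="rect" href="http://210.0.186.83/rpm/"></map><img SRC="cid:part1.06080905.02060600@support_refnum_831@volksbank.de" border="0" usemap="#twRd"></A></a></font></p><p><font color="#FFFFF1">in 1902 BMW U2 it's beautiful in 1978 </font></p></html>

--------------090708020807060709080003
Content-Type: image/gif; name="baltic.GIF"
Content-Transfer-Encoding: base64
Content-ID: <part1.06080905.02060600@support_refnum_831@volksbank.de>
Content-Disposition: inline; filename="baltic.GIF"

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--------------090708020807060709080003--
"""


def is_near_white(color: str) -> bool:
    """True for #RRGGBB colours whose every channel is >= 0xF0 (assumed threshold)."""
    m = re.fullmatch(r"#([0-9a-fA-F]{6})", color.strip())
    if not m:
        return False
    r, g, b = (int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4))
    return min(r, g, b) >= 0xF0


class _LinkMapParser(HTMLParser):
    """Collects <a> hrefs, <area> hrefs, image-map images and text hidden by colour."""

    def __init__(self):
        super().__init__()
        self.anchor_hrefs, self.area_hrefs, self.hidden_text = [], [], []
        self.mapped_images = 0
        self._font_stack = []          # one bool per open <font>: is it near-white?

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.anchor_hrefs.append(a["href"])
        elif tag == "area" and a.get("href"):
            self.area_hrefs.append(a["href"])
        elif tag == "img" and a.get("usemap"):
            self.mapped_images += 1
        elif tag == "font":
            self._font_stack.append(is_near_white(a.get("color") or ""))

    def handle_endtag(self, tag):
        if tag == "font" and self._font_stack:
            self._font_stack.pop()

    def handle_data(self, data):
        if any(self._font_stack) and data.strip():
            self.hidden_text.append(data.strip())


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_mail(raw: str) -> dict:
    """Parse the MIME message, walk its text/html parts and report the phishing markers."""
    msg = email.message_from_string(raw, policy=policy.default)
    parser = _LinkMapParser()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    visible = sorted({_host(u) for u in parser.anchor_hrefs})   # what the <a> claims
    targets = sorted({_host(u) for u in parser.area_hrefs})     # where the click goes
    ip_targets = sorted(u for u in parser.area_hrefs if _is_ip_literal(_host(u)))
    mismatch = bool(targets) and set(targets) != set(visible)
    return {
        "visible_link_hosts": visible,
        "click_target_hosts": targets,
        "ip_literal_targets": ip_targets,
        "mapped_images": parser.mapped_images,
        "hidden_text": parser.hidden_text,
        "suspicious": mismatch or bool(ip_targets) or bool(parser.hidden_text),
    }


if __name__ == "__main__":
    for k, v in analyse_mail(SAMPLE_MAIL).items():
        print(f"{k}: {v}")
```

The point of checking <area> hrefs separately is that a filter that only inspects <a href> sees the genuine www.volksbank.de URL and passes the mail; the click, however, is taken by the image map.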

 

 

2. Pictures of the websites

first page of the site

Figure 2. The Website - First Page

second page of the site

Figure 3. The Website - End Page

 

 

 

3. Headers of the mails

 

1. Mail 1

X-UIDL: 56570b5b95bcb2928ef7fd2fc3d160db

X-Mozilla-Status: 1001

X-Mozilla-Status2: 02000000

Return-Path: <supprefnum6397688@volksbank.de>

X-Flags: 0000

Delivered-To: GMX delivery to ginger_alex@gmx.net

Received: (qmail invoked by alias); 03 Aug 2005 05:18:42 -0000

Received: from 21.red-82-158-146.user.auna.net (HELO 21.red-82-158-146.user.auna.net) [82.158.146.21]

  by mx0.gmx.net (mx073) with SMTP; 03 Aug 2005 07:18:42 +0200

FCC: mailbox://supprefnum6397688@volksbank.de/Sent

X-Identity-Key: id1

Date: Wed, 03 Aug 2005 12:17:06 +0600

From: Volksbanken Raiffeisenbanken <supprefnum6397688@volksbank.de>

X-Accept-Language: en-us, en

MIME-Version: 1.0

To: ginepri_claudine@gmx.net

Subject: Es ist wichtig!

Content-Type: multipart/related;

 boundary="------------090708020807060709080003"

Message-ID: <20050803051843.23426gmx1@mx073.gmx.net>

X-GMX-Antivirus: -1 (not scanned, may not use virus scanner)

X-GMX-Antispam: -2 (not scanned, spam filter disabled)

X-GMX-UID: 5DaCYuY6eSEkOw5ME3UhaXN1IGRvb4Be

 

This is a multi-part message in MIME format.

--------------090708020807060709080003

Content-Type: text/html; charset=us-ascii

Content-Transfer-Encoding: 7bit

 

<html><p><font face="Arial"><A HREF="http://www.volksbank.de/__C1256B56003097E2.nsf/X851A68E4F14128EFC1256C670055579C"><map name="twRd"><area coords="0, 0, 788, 331" shape="rect" href="http://210.0.186.83/rpm/"></map><img SRC="cid:part1.06080905.02060600@support_refnum_831@volksbank.de" border="0" usemap="#twRd"></A></a></font></p><p><font color="#FFFFF1">in 1902 BMW U2 it's beautiful in 1978 </font></p></html>

 

--------------090708020807060709080003

Content-Type: image/gif;

 name="baltic.GIF"

Content-Transfer-Encoding: base64

Content-ID: <part1.06080905.02060600@support_refnum_831@volksbank.de>

Content-Disposition: inline;

 filename="baltic.GIF"

 

 

2. Mail 2

X-UIDL: 5f054048017d19746eb4a189d97b20fc

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-Path: <support_id_946568438@volksbank.de>

X-Flags: 0000

Delivered-To: GMX delivery to email@host.com

Received: (qmail invoked by alias); 04 Aug 2005 00:14:14 -0000

Received: from p83.129.18.75.tisdip.tiscali.de (HELO p83.129.18.75.tisdip.tiscali.de) [83.129.18.75]

  by mx0.gmx.net (mx063) with SMTP; 04 Aug 2005 02:14:14 +0200

FCC: mailbox://support_id_946568438@volksbank.de/Sent

X-Identity-Key: id1

Date: Wed, 03 Aug 2005 20:14:07 -0500

From: Volksbanken Raiffeisenbanken <support_id_946568438@volksbank.de>

X-Accept-Language: en-us, en

MIME-Version: 1.0

To: hans_miller@gmx.net

Subject: Es ist wichtig! [Wed, 03 Aug 2005 22:11:07 -0300]

Content-Type: multipart/related;

 boundary="------------000103030101030906050001"

Message-ID: <20050804001416.12613gmx1@mx063.gmx.net>

X-GMX-Antivirus: -1 (not scanned, may not use virus scanner)

X-GMX-Antispam: -2 (not scanned, spam filter disabled)

X-GMX-UID: jziDYiFQeSEkTY8+E3UhaXN1IGRvb4CV

 

This is a multi-part message in MIME format.

--------------000103030101030906050001

Content-Type: text/html; charset=us-ascii

Content-Transfer-Encoding: 7bit

 

<html><p><font face="Arial"><A HREF="http://www.volksbank.de/__C1256B56003097E2.nsf/X851A68E4F14128EFC1256C670055579C"><map name="anHFW"><area coords="0, 0, 788, 331" shape="rect" href="http://210.0.186.83/rpm/"></map><img SRC="cid:part1.05060006.08070500@identdep_op0590997@volksbank.de" border="0" usemap="#anHFW"></A></a></font></p><p><font color="#FFFFF0">but... in 1962 over there Soccer What's wwrong? </font></p></html>

 

--------------000103030101030906050001

Content-Type: image/gif;

 name="walton.GIF"

Content-Transfer-Encoding: base64

Content-ID: <part1.05060006.08070500@identdep_op0590997@volksbank.de>

Content-Disposition: inline;

 filename="walton.GIF"

 

 

 

3. Mail 3

X-UIDL: 30927a71c621d51c7fe988cb7c108707

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-Path: <support_num_07364@volksbank.de>

X-Flags: 0000

Delivered-To: GMX delivery to email@host.com

Received: (qmail invoked by alias); 03 Aug 2005 05:44:18 -0000

Received: from unknown (HELO 213.165.64.100) [200.252.107.66]

  by mx0.gmx.net (mx026) with SMTP; 03 Aug 2005 07:44:18 +0200

FCC: mailbox://support_num_07364@volksbank.de/Sent

X-Identity-Key: id1

Date: Wed, 03 Aug 2005 02:40:12 -0400

From: Volksbanken Raiffeisenbanken AG <support_num_07364@volksbank.de>

X-Accept-Language: en-us, en

MIME-Version: 1.0

To: hans_meine@gmx.net

Subject: Volksbanken Raiffeisenbanken Internet-Banking [Wed, 03 Aug 2005 02:44:12 -0400]

Content-Type: multipart/related;

 boundary="------------060208010302030906050002"

Message-ID: <20050803054420.10407gmx1@mx026.gmx.net>

X-GMX-Antivirus: -1 (not scanned, may not use virus scanner)

X-GMX-Antispam: -2 (not scanned, spam filter disabled)

X-GMX-UID: 4zyCYsNJeSEkaI8+E3UhaXN1IGRvb4D8

 

This is a multi-part message in MIME format.

--------------060208010302030906050002

Content-Type: text/html; charset=us-ascii

Content-Transfer-Encoding: 7bit

 

<html><p><font face="Arial"><A HREF="http://www.volksbank.de/__C1256B56003097E2.nsf/X851A68E4F14128EFC1256C670055579C"><map name="S0CD8"><area coords="0, 0, 788, 331" shape="rect" href="http://219.153.131.73/rpm/"></map><img SRC="cid:part1.02070305.03030406@support_num_4025380@volksbank.de" border="0" usemap="#S0CD8"></A></a></font></p><p><font color="#FFFFFE">Black History Month Harley Davidson in 1961 It's impossible cats and dogs </font></p></html>

 

--------------060208010302030906050002

Content-Type: image/gif;

 name="volleyball.GIF"

Content-Transfer-Encoding: base64

Content-ID: <part1.02070305.03030406@support_num_4025380@volksbank.de>

Content-Disposition: inline;

 filename="volleyball.GIF"

 

 

4. Mail 4

X-UIDL: e8d85689818b3d1d1bd25f8d7ceb73a4

X-Mozilla-Status: 0001

X-Mozilla-Status2: 00000000

Return-Path: <support_num_599377291253059@volksbank.de>

X-Flags: 0000

Delivered-To: GMX delivery to email@host.com

Received: (qmail invoked by alias); 04 Aug 2005 17:40:35 -0000

Received: from abo-21-80-69.mtz.modulonet.fr (HELO abo-21-80-69.mtz.modulonet.fr) [85.69.80.21]

  by mx0.gmx.net (mx009) with SMTP; 04 Aug 2005 19:40:35 +0200

FCC: mailbox://support_num_599377291253059@volksbank.de/Sent

X-Identity-Key: id1

Date: Thu, 04 Aug 2005 12:40:23 -0600

From: VOLKSBANKEN RAIFFEISENBANKEN AG <support_num_599377291253059@volksbank.de>

X-Accept-Language: en-us, en

MIME-Version: 1.0

To: hans_miller@gmx.net

Subject: VOLKSBANKEN RAIFFEISENBANKEN ONLINE-BANKING

Content-Type: multipart/related;

 boundary="------------070101070407060708030008"

Message-ID: <20050804174040.19715gmx1@mx009.gmx.net>

X-GMX-Antivirus: -1 (not scanned, may not use virus scanner)

X-GMX-Antispam: -2 (not scanned, spam filter disabled)

X-GMX-UID: TzaAYmcseSEke48+E3UhaXN1IGRvb4At

 

This is a multi-part message in MIME format.

--------------070101070407060708030008

Content-Type: text/html; charset=us-ascii

Content-Transfer-Encoding: 7bit

 

<html><p><font face="Arial"><A HREF="http://www.volksbank.de/__C1256B56003097E2.nsf/X851A68E4F14128EFC1256C670055579C"><map name="d8ZVb5"><area coords="0, 0, 788, 331" shape="rect" href="http://219.153.131.73/rpm/"></map><img SRC="cid:part1.06060208.07080809@identdep_op313873003@volksbank.de" border="0" usemap="#d8ZVb5"></A></a></font></p><p><font color="#FFFFFA">in 1813 Isn't it lovely? in 1871 Brooke Burke Loft Story </font></p></html>

 

--------------070101070407060708030008

Content-Type: image/gif;

 name="cleanse.GIF"

Content-Transfer-Encoding: base64

Content-ID: <part1.06060208.07080809@identdep_op313873003@volksbank.de>

Content-Disposition: inline;

 filename="cleanse.GIF"

 

 

 

 

 

4. IP address registrations (WHOIS):

Entries 1 to 3 were valid for the period 1.11.-14.11.2005 (the update). Entries 4 and 5 were valid for the period 01-05.08.2005 and are the two hosts linked from the mails above (210.0.186.83 in mails 1 and 2, 219.153.131.73 in mails 3 and 4).

All five are APNIC records. For the Korean and Japanese entries the block returned is the national registry's allocation, so the actual assignment has to be looked up at KRNIC or JPNIC as the remarks say; note also that the more specific HASEKONET range shown under entry 2 (210.196.82.160 - 210.196.82.175) does not contain 210.196.82.67. Entries 4 and 5 are provider allocations (China Telecom Chongqing, Hutchison Global Communications), and the useful fields in them are the country and the abuse contact, not the description.

 

1. IP: 210.96.80.124

 

inetnum:      210.96.0.0 - 210.96.127.255

netname:      KRNIC-KR

descr:        KRNIC

descr:        Korea Network Information Center

country:      KR

admin-c:      HM127-AP

tech-c:       HM127-AP

remarks:      ******************************************

remarks:      KRNIC is the National Internet Registry

remarks:      in Korea under APNIC. If you would like to

remarks:      find assignment information in detail

remarks:      please refer to the KRNIC Whois DB

remarks:      http://whois.nic.or.kr/english/index.html

remarks:      ******************************************

mnt-by:       APNIC-HM

mnt-lower:    MNT-KRNIC-AP

changed:      hm-changed@apnic.net 19980521

changed:      hm-changed@apnic.net 20010606

changed:      hm-changed@apnic.net 20040322

status:       ALLOCATED PORTABLE

source:       APNIC

 

person:       Host Master

address:      11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,

address:      Seoul, Korea, 137-857

country:      KR

phone:        +82-2-2186-4500

fax-no:       +82-2-2186-4496

e-mail:       hostmaster@nic.or.kr

nic-hdl:      HM127-AP

mnt-by:       MNT-KRNIC-AP

changed:      hostmaster@nic.or.kr 20020507

source:       APNIC

 

==========================================================================

2. IP: 210.196.82.67

 

inetnum:      210.196.0.0 - 210.199.255.255

netname:      JPNIC-NET-JP

descr:        Japan Network Information Center

country:      JP

admin-c:      JNIC1-AP

tech-c:       JNIC1-AP

remarks:      JPNIC Allocation Block

remarks:      Authoritative information regarding assignments and

remarks:      allocations made from within this block can also be

remarks:      queried at whois.nic.ad.jp. To obtain an English

remarks:      output query whois -h whois.nic.ad.jp x.x.x.x/e

mnt-by:       APNIC-HM

mnt-lower:    MAINT-JPNIC

changed:      apnic-ftp@nic.ad.jp 19991115

status:       ALLOCATED PORTABLE

source:       APNIC

 

role:         Japan Network Information Center

address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda

address:      Chiyoda-ku, Tokyo 101-0047, Japan

country:      JP

phone:        +81-3-5297-2311

fax-no:       +81-3-5297-2312

e-mail:       hostmaster@nic.ad.jp

admin-c:      JI13-AP

tech-c:       JE53-AP

nic-hdl:      JNIC1-AP

mnt-by:       MAINT-JPNIC

changed:      hm-changed@apnic.net 20041222

changed:      hm-changed@apnic.net 20050324

changed:      ip-apnic@nic.ad.jp 20051027

source:       APNIC

 

inetnum:      210.196.82.160 - 210.196.82.175

netname:      HASEKONET

descr:        Hasekou Systems Co.,Ltd.

country:      JP

admin-c:      SA1592JP

tech-c:       SA1592JP

remarks:      This information has been partially mirrored by APNIC from

remarks:      JPNIC. To obtain more specific information, please use the

remarks:      JPNIC WHOIS Gateway at

remarks:      http://www.nic.ad.jp/en/db/whois/en-gateway.html or

remarks:      whois.nic.ad.jp for WHOIS client. (The WHOIS client

remarks:      defaults to Japanese output, use the /e switch for English

remarks:      output)

changed:      apnic-ftp@nic.ad.jp 20030701

source:       JPNIC

 

==========================================================================

 

3. IP: 210.94.148.110

 

inetnum:      210.93.0.0 - 210.95.255.255

netname:      KRNIC-KR

descr:        KRNIC

descr:        Korea Network Information Center

country:      KR

admin-c:      HM127-AP

tech-c:       HM127-AP

remarks:      ******************************************

remarks:      KRNIC is the National Internet Registry

remarks:      in Korea under APNIC. If you would like to

remarks:      find assignment information in detail

remarks:      please refer to the KRNIC Whois DB

remarks:      http://whois.nic.or.kr/english/index.html

remarks:      ******************************************

mnt-by:       APNIC-HM

mnt-lower:    MNT-KRNIC-AP

changed:      hm-changed@apnic.net 19981001

changed:      hm-changed@apnic.net 20010606

changed:      hm-changed@apnic.net 20040322

status:       ALLOCATED PORTABLE

source:       APNIC

 

person:       Host Master

address:      11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,

address:      Seoul, Korea, 137-857

country:      KR

phone:        +82-2-2186-4500

fax-no:       +82-2-2186-4496

e-mail:       hostmaster@nic.or.kr

nic-hdl:      HM127-AP

mnt-by:       MNT-KRNIC-AP

changed:      hostmaster@nic.or.kr 20020507

source:       APNIC

 

==========================================================================

4. IP: 219.153.131.73

inetnum:      219.151.128.0 - 219.153.255.255
netname:      CHINANET-CQ
descr:        CHINANET Chongqing  province network
descr:        China Telecom
descr:        A12,Xin-Jie-Kou-Wai Street
descr:        Beijing 100088
country:      CN
admin-c:      CH93-AP
tech-c:       CQ235-AP
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-CHINANET-CQ
changed:      hostmaster@ns.chinanet.cn.net 20021209
status:       ALLOCATED NON-PORTABLE
source:       APNIC
role:         CHINANET CQ
address:      The mainstreet 3 daping ,chongqing data communication bureau
country:      CN
phone:        +862368614888
fax-no:       +862368602314
e-mail:       abuse@cta.cq.cn
trouble:      send spam reports to abuse@cta.cq.cn
trouble:      and abuse reports to abuse@cta.cq.cn
admin-c:      ZL235-AP
tech-c:       ZL235-AP
nic-hdl:      CQ235-AP
remarks:      http://www.cta.cq.cn
notify:       abuse@cta.cq.cn
mnt-by:       MAINT-CHINANET-CQ
changed:      abuse@cta.cq.cn 20030917
source:       APNIC
person:       Chinanet Hostmaster
nic-hdl:      CH93-AP
e-mail:       anti-spam@ns.chinanet.cn.net
address:      No.31 ,jingrong street,beijing
address:      100032
phone:        +86-10-58501777
fax-no:       +86-10-58501724
country:      CN
changed:      lqing@chinatelecom.com.cn 20051107
mnt-by:       MAINT-CHINANET
source:       APNIC

 

==========================================================================

5. IP: 210.0.186.83

inetnum:      210.0.160.0 - 210.0.255.255
netname:      HGC
descr:        Hutchison Global Communications
country:      HK
admin-c:      IH17-AP
tech-c:       IH17-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-HK-HGCADMIN
changed:      andycw@hgc.com.hk 20040209
status:       ALLOCATED PORTABLE
changed:      hm-changed@apnic.net 20040212
source:       APNIC
person:       ITMM HGC
nic-hdl:      IH17-AP
e-mail:       hgcnetwork@hgc.com.hk
address:      9/F Low Block ,
address:      Hutchison Telecom Tower,
address:      99 Cheung Fai Rd, Tsing Yi,
address:      HONG KONG
phone:        +852-21229555
fax-no:       +852-21239523
country:      HK
remarks:      Send spam reports to abuse@on-nets.com
remarks:      and abuse reports to abuse@on-nets.com
remarks:      Please include detailed information and
remarks:      times in HKT
changed:      hgcnetwork@hgc.com.hk 20050620
mnt-by:       MAINT-HK-HGCADMIN
source:       APNIC
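When a phishing host has to be reported, the part of a record like the five above that matters is the abuse address, and it can sit in an e-mail:, trouble:, remarks: or notify: line of either the inetnum object or the person/role object it references. The parser below, added for this write-up and not part of the original analysis, splits WHOIS output into objects (on blank lines, or on a new inetnum:/person:/role: key, since the records on this page were pasted without separators), picks the most specific inetnum that contains the address, and collects the contact addresses from it and from its admin-c/tech-c objects. The sample is the record for 210.0.186.83 as reproduced under entry 5; the object-class key list and the "local part starts with abuse" rule are my own assumptions.

```python
import ipaddress
import re

# Constructed sample: the APNIC record for 210.0.186.83 as reproduced in section 4
# of this write-up (two objects, no blank line between them, exactly as pasted).
SAMPLE_WHOIS = """\
inetnum:      210.0.160.0 - 210.0.255.255
netname:      HGC
descr:        Hutchison Global Communications
country:      HK
admin-c:      IH17-AP
tech-c:       IH17-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-HK-HGCADMIN
changed:      andycw@hgc.com.hk 20040209
status:       ALLOCATED PORTABLE
changed:      hm-changed@apnic.net 20040212
source:       APNIC
person:       ITMM HGC
nic-hdl:      IH17-AP
e-mail:       hgcnetwork@hgc.com.hk
address:      9/F Low Block ,
address:      Hutchison Telecom Tower,
address:      99 Cheung Fai Rd, Tsing Yi,
address:      HONG KONG
phone:        +852-21229555
fax-no:       +852-21239523
country:      HK
remarks:      Send spam reports to abuse@on-nets.com
remarks:      and abuse reports to abuse@on-nets.com
remarks:      Please include detailed information and
remarks:      times in HKT
changed:      hgcnetwork@hgc.com.hk 20050620
mnt-by:       MAINT-HK-HGCADMIN
source:       APNIC
"""

# Keys that open a new object (assumed list; enough for APNIC/JPNIC/KRNIC output).
OBJECT_CLASSES = {"inetnum", "inet6num", "person", "role", "route", "irt", "organisation"}
CONTACT_KEYS = {"e-mail", "abuse-mailbox", "trouble", "remarks", "notify"}
LINE_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def parse_rpsl(text: str) -> list:
    """Split WHOIS output into objects; each object is an ordered list of (key, value)."""
    objects, current = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                                  # blank line or '%' comment ends an object
            if current:
                objects.append(current)
                current = []
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in OBJECT_CLASSES and current:      # records pasted without a separator
            objects.append(current)
            current = []
        current.append((key, value))
    if current:
        objects.append(current)
    return objects


def lookup(ip_str: str, whois_text: str):
    """Most specific inetnum containing ip_str, with the contact/abuse addresses it leads to."""
    ip = ipaddress.ip_address(ip_str)
    objects = parse_rpsl(whois_text)
    best = None                                    # (range size, object)
    for obj in objects:
        rng = dict(obj).get("inetnum")
        if not rng:
            continue
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
        if lo.version != ip.version or not (lo <= ip <= hi):
            continue
        if best is None or int(hi) - int(lo) < best[0]:
            best = (int(hi) - int(lo), obj)
    if best is None:
        return None
    inet = best[1]
    handles = {v for k, v in inet if k in ("admin-c", "tech-c")}
    related = [inet] + [o for o in objects if dict(o).get("nic-hdl") in handles]
    contacts, abuse = set(), set()
    for obj in related:
        for key, value in obj:
            if key in CONTACT_KEYS:
                for addr in EMAIL_RE.findall(value):
                    contacts.add(addr.lower())
                    if addr.lower().startswith("abuse"):
                        abuse.add(addr.lower())
    d = dict(inet)
    return {"range": d["inetnum"], "netname": d.get("netname"), "country": d.get("country"),
            "contacts": sorted(contacts), "abuse": sorted(abuse)}


if __name__ == "__main__":
    print(lookup("210.0.186.83", SAMPLE_WHOIS))
```

Feeding it the raw output of whois -h whois.apnic.net 210.0.186.83 (network access needed, not done here) gives the same result; the function deliberately ignores the changed: lines, which also contain addresses but name whoever last edited the record, not who handles abuse.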

 

 

5. Website source

Too dangerous to publish.

Available on request.

Write me if you know how :-)

 

6. Conclusions

 

The emails are very poorly written; even a beginner would notice that something is off. In practice there is no difference between them and Viagra spam: the whole message is one inline GIF, the filler text underneath is rendered in a near-white font colour (#FFFFF1, #FFFFF0, #FFFFFE, #FFFFFA) so that only a Bayesian filter sees it, the mails were injected from consumer access-network hosts (auna.net, tiscali.de, modulonet.fr, and one address without reverse DNS whose HELO claims a different IP), every Message-ID was assigned by the GMX MX rather than by the sender, and every Date header claims a composition time about an hour after GMX accepted the mail. Note also that all four recipients had the GMX spam filter switched off (X-GMX-Antispam: -2), so nothing was scored on the way in.

One trick is worth pointing out: the <a> that wraps the picture points at a genuine www.volksbank.de URL, but the GIF carries an image map whose single <area> covers the whole picture (coords 0,0,788,331) and sends the click to http://<IP>/rpm/ instead. A filter, or a reader, that looks only at the <a href> sees the bank's address; the click goes to the phishing host.

The website, however, was very well made; it contained a really good piece of JavaScript.

 

7. Update: The envelope received by regular post from Volksbank to warn their customers about the phishing attack.