echo: os2user-l
to: All
from: Mike O`Connor
date: 2005-01-20 05:48:28
subject: Re: Digest Number 1848 phishing

Bry Melvin wrote:

>Thanks Kris and others for the warning...It can ALWAYS
>save someone some trouble.
>
>BUT:
>
>Due to the exploits available to hackers I would
>recommend these steps to avoid being
>compromised...even in eCS or OS/2
>
>1. cut and paste the header info etc or just save the
>email.
>
>2 CLOSE the browser
>The reason for this is that THIS type of situation
>with open browser windows is where you are vulnerable
>to phishing.
>
>3 IF you have the type of account in the message
>...check the account independently from a previously
>recorded address not the one on the email....
>
>IOW from a separately opened browser with the browser
>window that you GOT the message in completely
>closed...NOT opening another window or tab to go to
>your account.
>
>
>I have tried putting some of these on the automated
>systems on ebay or paypal  (BTW paypal IS an ebay
>subsidiary) Often the headers and message are longer
>than the automated interface will accept.
>
>I have CALLED paypal  and talked to them and VERBALLY
>given them the originating address... When I have they
>have ALREADY had that one...and usually it is a spoof
>anyway.
>
>Just remember these companies DON'T send out notices
>this way.
>
>
>ALWAYS be cautious Even banks have screwy software
>etc...( watch the little lock in the corner)
>
>(I just STOPPED my daughter in law from banking online
>with her current account as I noticed that her login
>was NOT being done secure...IOW her name and password
>were being transmitted in the clear by the banks
>software....not surprising since they were one of the
>first here to use WIN2k)
>
>Bryann
>

Hi Bryann,

Having opened and examined [after saving source as ....] and analysed 
hundreds of these phishing scam e-mails and traced the IP diversion 
addresses, and hence originators, the following extract illustrates how 
a particular fake "CitiBank e-mail" was constructed:

The content had an embedded URL which showed in the e-mail as 
"https://web.da-us.citibank.com/signin/scripts/login/user_setup.jsp" ONLY,
but was actually diverted to the encoded actual address and port that 
followed it:

Here's the diverted embedded URL:

hRef="">https://web.da-us.citibank.com/signin/scripts/login/user_setup.jsp">

name="FPMap0">">http://%32%31%37%2E%32%31%36%2E%32%31%31%2E%31%38%31:%38%37/%63%69%74/%69%6E%64%65%78%2E%68%74%6D">

SRC="cid:part1.00020309.08080504{at}identdep_op3696659713008{at}citibank.com" 
border="0"
usemap="#FPMap0">Virus Star Wars HotBot in 1926 Search Engines in 1881 
Zelda Wrong number Star Trek You are on... Claire Swire that's a go 
Cindy Margolis Links Lingerie First of all USA in 1844 Codes Gundam Wing 
I'd ruther not... ????? Colleges Martha Stewart rest of the 


decodes as :-

hRef="">https://web.da-us.citibank.com/signin/scripts/login/user_setup.jsp">

name="FPMap0">">http://217.216.211.181:87/cit/index.htm"> 
SRC="cid:part1.00020309.08080504{at}identdep_op3696659713008{at}citibank.com" 
border="0"
usemap="#FPMap0">Virus Star Wars HotBot in 1926 Search Engines in 1881 
Zelda Wrong number Star Trek You are on... Claire Swire that's a go 
Cindy Margolis Links Lingerie First of all USA in 1844 Codes Gundam Wing 
I'd ruther not... ????? Colleges Martha Stewart rest of the 


i.e. all the % become either numbers or letters in ASCII 
- the eventual destination of clicking on the URL in the e-mail.

HTH

-- 
Regards,
Mike

Failed the exam for
--------------------
MCSE - Minesweeper Consultant and Solitaire Expert
--------------------
[ISP blocks *.exe, *.cmd, *.com, *.bat, *.reg attachments]
[Please use zipped versions of above]



 
 




---
* Origin: Waldo's Place USA Internet Gateway (1:3634/1000)
SEEN-BY: 633/267 270 5030/786
@PATH: 3634/1000 12 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
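
The disguise described in the message above (a trusted-looking URL shown to the reader while the real target sits percent-encoded behind an image map) can be checked for mechanically. The Python below is an added example, not part of the original message; the HTML element names in the sample and the names `audit_links`, `_Links` and `_host_port` are assumptions, since the archive stripped the original tags.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample modelled on the message. The element names (a, map, area,
# img), the coords and the cid value are assumptions; the two URLs are the post's.
SAMPLE = (
    '<a hRef="https://web.da-us.citibank.com/signin/scripts/login/user_setup.jsp">'
    '<map name="FPMap0"><area shape="rect" coords="0,0,600,300" '
    'href="http://%32%31%37%2E%32%31%36%2E%32%31%31%2E%31%38%31:%38%37'
    '/%63%69%74/%69%6E%64%65%78%2E%68%74%6D"></map>'
    '<img src="cid:constructed" border="0" usemap="#FPMap0"></a>'
)

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []                      # (tag, raw href) in document order
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")       # attribute names arrive lowercased
        if tag in ("a", "area") and href:
            self.links.append((tag, href))

def _host_port(url):
    try:
        parts = urlsplit(url)
        return parts.hostname or "", parts.port
    except ValueError:                       # malformed authority, e.g. a non-numeric port
        return "", -1

def audit_links(html):
    """Return [(decoded_url, [reasons])] for each link that looks disguised."""
    parser = _Links()
    parser.feed(html)
    shown = {_host_port(h)[0] for t, h in parser.links if t == "a"}
    findings = []
    for tag, raw in parser.links:
        host, port = _host_port(unquote(raw))
        authority = raw.split("//", 1)[-1].split("/", 1)[0]
        checks = [
            ("%" in authority, "percent-encoded host or port"),
            (host.replace(".", "").isdigit(), "numeric host instead of a domain name"),
            (port not in (None, 80, 443), "non-standard port"),
            (tag == "area" and bool(shown) and host not in shown, "image-map target differs from anchor host"),
        ]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            findings.append((unquote(raw), reasons))
    return findings
```

Run over the sample, `audit_links(SAMPLE)` reports only the image-map link, decoded, with all four reasons; the visible anchor URL passes cleanly.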
