Phishing ABNAMRO.nl style? Or not? Header spoofing!

So here’s ABNAMRO in my junk box on the same day as ING. I’m not a customer of ABNAMRO, but I’m invited to click on a link and fill in banking details anyway. Something’s obviously wrong. So I looked up the Whois data of the domain name of the sender of the message. It all looks totally normal (see 3 below), just as it is supposed to. I did not go on to click the link in the message itself (1 below). That might have given away more about the domain name and/or IP address behind the link. What is going on here?

First you see the message. The language is Dutch and at first glance it looks good too. On close reading there are too many mistakes. So time to search deeper. I looked at the header information by right-clicking on the message in Hotmail. Wait, here’s a hint! You have to combine two sources: the IP address in the header of the message and the Whois data of ABNAMRO’s IP address. ABNAMRO.nl is hosted at IP address 167.202.214.30; the sender of this e-mail is hosted at or used services from 103.13.120.151 (see the Received line in 2 below). The latter IP address is registered at:

103.13.120.151 Whois
Whois Server: whois.apnic.net
Status: ALLOCATED
Contact Email:

Beware, we have just left the Netherlands and moved to Malaysia. ABNAMRO.nl is registered in the Netherlands and hosted there on servers of ABNAMRO itself, isn’t it? So why would the bank use another hosting company? I did not search further with APNIC to see who registered or uses the IP address starting with 103. Whoever it is, it will be bogus 99 times out of 100 or more. What happened here is that the sender falsified the header of the e-mail sent to me, pretending to be ABNAMRO. This is called spoofing. So we have a spoofed header. Scarily close to the truth, right? Try explaining this to anyone who does not know how to look for headers, or even what they are.
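As an added example (not from the original post), here is the two-source check described above written as a script over the header lines quoted in section 2: it takes the connecting IP from the topmost Received header (the one added by the receiving mail server, so it cannot be forged by the sender), reads Hotmail’s sender-id and dkim verdicts, and compares the IP with the ranges the claimed domain is known to use. The 167.202.214.0/24 range is an assumption standing in for the bank’s own infrastructure, since the post only gives the web server address; a production check would consult the domain’s SPF record instead.

```python
import ipaddress
import re

# Header excerpt taken from the dump in section 2 of this post (folded as shown there).
HEADERS = (
    "Authentication-Results: hotmail.com; sender-id=neutral (sender IP is 103.13.120.151)"
    " header.from=noreply@abnamro.nl; dkim=none header.d=abnamro.nl; x-hmca=none\n"
    "Received: from ko3.localdomain ([103.13.120.151]) by SNT0-MC1-F37.Snt0.hotmail.com"
    " with Microsoft SMTPSVC(6.0.3790.4900);\n"
    " Sun, 7 Oct 2012 06:53:37 -0700\n"
)
# Assumption: the post only names the bank's web server (167.202.214.30), so the /24
# around it stands in for "the bank's own infrastructure"; a real check would use SPF.
KNOWN_RANGES = {"abnamro.nl": [ipaddress.ip_network("167.202.214.0/24")]}

def parse_headers(raw):
    """Return (name, value) pairs in order; folded continuation lines are joined."""
    fields = []
    for line in raw.splitlines():
        if line[:1].isspace() and fields:  # RFC 5322 folding: leading whitespace
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def extract(fields):
    """Connecting IP from the topmost Received (added by our MX) plus Hotmail's verdicts."""
    received = [v for n, v in fields if n == "received"]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    auth = next((v for n, v in fields if n == "authentication-results"), "")
    info = dict(re.findall(r"(sender-id|spf|dkim)=(\w+)", auth))
    dom = re.search(r"header\.from=(?:[^\s;@]+@)?([^\s;]+)", auth)
    info["from_domain"] = dom.group(1).lower() if dom else None
    info["connecting_ip"] = ip.group(1) if ip else None
    return info

def assess(raw, known_ranges=KNOWN_RANGES):
    """The post's manual check: does the sending IP belong to the claimed sender?"""
    info, findings = extract(parse_headers(raw)), []
    ip, domain = info["connecting_ip"], info["from_domain"]
    if ip and domain in known_ranges:
        if not any(ipaddress.ip_address(ip) in net for net in known_ranges[domain]):
            findings.append(f"connecting host {ip} is outside every known range for {domain}")
    if info.get("sender-id") in ("neutral", "none", "fail", "softfail"):
        findings.append(f"sender-id={info['sender-id']}: {domain} does not vouch for the sender")
    if info.get("dkim", "none") == "none":
        findings.append(f"dkim=none: no {domain} signature covers the From header")
    return findings
```

Run on the quoted headers, assess() returns three findings; the inner Received line (5.254.138.163 relaying through ko3.localdomain) is deliberately ignored, because everything below the topmost Received was written by the sender’s own systems.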

Isn’t this spoofing capability of e-mail programs a feature the world could do without? Can we get rid of it? That would make a lot of difference in making the internet a little safer. What was the motivation behind this feature anyway? Freedom of speech? Or for jokes? Time to make an end to it in 2012. Freedom of speech can be secured in better ways than this.

So I received two phishing e-mails in one day, slipping through filters but landing in my junk box, phishing for customers of two major Dutch banks. How many people were fooled just today? And at what cost? And we really can’t stop this? Below you find the details of this phishing attack. Hope this helps.

1) The message text

Dear customer,

For you as a customer, incidentally, little has changed. Behind the scenes, however, we have programmed an entirely new internet application that meets today’s security requirements in accordance with the European directives on payment transactions. The browser does not meet the system requirements of ABN AMRO Internet Bankieren.

During an improvement (update) of our online security system we found that your account produces an error message with code ASV-317.

See the overview of the operating systems and browsers that ABN AMRO recommends. See the link below.
Fill in the form and log in to your account. Once you are logged in, we can start the process and handle it. You will then receive an automated confirmation by e-mail within 7 days.

>> Form/exemption <<

[signature image: handtekening-annemarie-rosebeek.gif]
2012 Copyright © ABN Amro N.V

2) The header info

x-store-info:4r51+eLowCe79NzwdU2kRwMf1FfZT+JroIuFAV4dPLL4N59hs1WSFm8qwNxV1JS68ZZnfgDeykNNy5hwXmUNQiLBfn6r6btoFHaEiZNjBIAcyjwobZv8yOOI8SRaISmuXszLQmh5QLc=
Authentication-Results: hotmail.com; sender-id=neutral (sender IP is 103.13.120.151) header.from=noreply@abnamro.nl; dkim=none header.d=abnamro.nl; x-hmca=none
X-SID-PRA: noreply@abnamro.nl
X-SID-Result: Neutral
X-DKIM-Result: None
X-AUTH-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: 11chDOWqoTlDH6QlznwMAm4VGjqSk7WLD/vZz7zHnbd3dJWI9H3Y3YQulc1npkvaOKvxoqT3LA9M0BLgpP03ByKF0EceqKDmrl2zfSQMrVqen+RKUhlF+5vIfbgVJQpfOGuMuLVq8bg=
Received: from ko3.localdomain ([103.13.120.151]) by SNT0-MC1-F37.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Sun, 7 Oct 2012 06:53:37 -0700
Received: from [5.254.138.163] (port=57077 helo=74.63.120.4)
by ko3.localdomain with esmtpa (Exim 4.80)
(envelope-from )
id 1TKrIF-00031h-27; Sun, 07 Oct 2012 15:53:20 +0200
Message-ID:
From: "ABN Amro Bank"
Subject: Formulier ontheffen
Date: Sun, 7 Oct 2012 06:52:15 -0700

3) ABN Whois

Abnamro.nl website research report: the server IP address is 167.202.214.30 and Abnamro.nl is hosted by ABN*AMRO Services Co. in the Netherlands.

The official title of Abnamro.nl is: Particuliere klanten – ABN AMRO – de Bank Anno Nu

Abnamro.nl Whois
Registrar: Melbourne IT DBS, Benoordenhoutseweg 23, 2596BA 'S-GRAVENHAGE, Netherlands
Status: active
Nameservers: phobos22.abnamro.nl, phobos21.abnamro.nl

167.202.214.30 IP address location:
IP address: 167.202.214.30
IP country code: NL
IP address country: Netherlands
IP address state: n/a
IP address city: n/a
IP address latitude: 52.5000
IP address longitude: 5.7500
ISP of this IP: ABN*AMRO Services Co.
Organization: ABN*AMRO Services Co.

Wout de Natris, De Natris Consult

Haarlem, 7 October 2012


About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where internet safety and the fight against cyber crime are concerned. This makes me a bridge builder. Hence the blog’s name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the mentioned relationships. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions.
