Janet (j4) wrote,
Janet
j4

  • Mood:

I don't like spam!

... but by and large I just shrug and delete it, even though recently the sheer volume of the stuff has been truly incredible.

But today, on a whim, I went to look at the website for one of those Natwest scams. The mail claimed to be from support@natwest.com, and the text of the message was as follows:

Dear Valued Customer,

- Our new security system will help you to avoid frequently fraud transactions and to keep your investments in safety.

- Due to technical update we recommend you to reactivate your account.

Click on the link below to login and begin using your updated NatWest account.

To log into your account, please visit the NatWest Online Banking https://www.nwolb.com/

If you have questions about your online statement, please send us a Bank Mail or call us at 0846 600 2323 (outside the UK dial +44 247 686 2063).

We appreciate your business. It's truly our pleasure to serve you.

NatWest Customer Care

This email is for notification only. To contact us, please log into your account and send a Bank Mail.


Now, to me it's perfectly obvious that this isn't kosher. For one thing, the peculiar translationese ("will help you to avoid frequently fraud transactions and to keep your investments in safety"?) isn't at all what I'd expect from an official Natwest email. For another thing, I've never heard of a "Bank Mail"; it sounds like a scammy invention. (I'm sure people will now tell me that it's a perfectly legit term and has a very specific meaning!) But the real clincher is that I haven't had an account with Natwest for over 7 years now.

Nonetheless, I went to have a look at the site out of curiosity, and it's really quite impressive -- the site pointed to in the email looks just like the Natwest online banking login page. And indeed, https://www.nwolb.com/ is the Natwest OB page. So, as the TV show asks, "How do they do that?"

Well, that's when sion_a pointed me at the source:

To log into your account, please visit the NatWest Online Banking
https://www.nwolb.com/

Weird linebreak, yeah, but so what? Well, after that "nwolb.com" comes an eternity of whitespace, followed by this:
:UserSession=2f4d0zzz899amaiioiiabv5589955&userrstste=SecurityUpdate&StateLevel=CameFrom@64.174.108.131/

Ah-HA. Suddenly it becomes a lot clearer (not that I know exactly what they're doing, but at least it tells me how one page can be a stinking great bear-trap and another apparently-identical page can be the genuine article).

This is a really, really dirty trick. I can't help but be impressed at the deviousness, but at the same time it's horrifying to think of how many people are likely to be taken in by this kind of thing. Oh, I know, it's probably old news by now (and indeed the IP address in the clever-hacky-stuff above is unpingable, suggesting that this one's already been nailed) but it's still a scary thought -- not least because even if this particular scam has been stopped, there's nothing to stop other people doing the same thing again, only more cleverly. And even without the added cleverness, there will always be new people to fall for the same old tricks...
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 19 comments