
Suspicious email from Ulster Bank

  • 06-06-2014 12:44pm
    #1
    Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭


    I just received this email (attached) directly to my inbox, not junk mail. I was immediately suspicious as there is no message facility on the UB site as far as I know. I checked and it is from info@ulsterbank.com which seems legit. I was curious, so I clicked on the account login button. This brought me to a phishing site that looked exactly like the UB online banking login screen, which usually asks you for 3 characters from your PIN and 3 characters from your Online Banking code, except it asked me for my full login code. I reported it as a phishing scam through Outlook, just want to spread the warning as it looked genuine and I can see people being fooled by it.


Comments

  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,481 CMod ✭✭✭✭Spear


    Post the headers at least.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭rawn


    That was the entire email. I was gonna post screenshots from the "login" page but my browser has it marked as a phishing site so I can't see it. I could see it on my phone though. (Thanks for nothing AVG Mobile)


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    The from line can be easily forged or spoofed. The clues as to which server the mail really comes from are in the header.

    I wouldn't even click into the phishing site, it could be booby-trapped. I.e. don't get curious.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭rawn


    Another screenshot


  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,481 CMod ✭✭✭✭Spear


    Those are pretty much meaningless. We need to see the source and headers.


  • Registered Users, Registered Users 2 Posts: 51,054 ✭✭✭✭Professey Chin


    We've been getting loads of similar spoofed Bank of Ireland ones this week. Some with just logos, others with an attached HTML form requesting account numbers and PINs.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭rawn


    Spear wrote: »
    Those are pretty much meaningless. We need to see the source and headers.

    Emmm... where do I find them? Scuze the noob :P


  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,481 CMod ✭✭✭✭Spear


    If it's in Gmail, use the view original option. Otherwise it'll vary by client/interface.


  • Registered Users Posts: 98 ✭✭mack81


    rawn wrote: »
    Emmm... where do I find them? Scuze the noob :P


    -Open the email in Hotmail. (It looks like Hotmail from your screenshot.)
    -Click the down arrow next to Categories (that's where it is in mine anyway) in the message's header area near the sender and subject.
    -Pick View message source from the menu.

    Actually, looking at it, it's not a down arrow, it's 3 dots ...


  • Registered Users, Registered Users 2 Posts: 3,271 ✭✭✭techdiver


    I would be 99.9% sure this is a phishing scam.

    I would never follow a link from an email to a login for a financial institution.

    You will also easily see that the actual URL they wish you to go to is not the URL of the bank in question. They develop clone pages of the login form and you are then basically supplying these individuals with your login credentials for your bank account.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭rawn


    mack81 wrote: »
    -Open the email in Hotmail. (It looks like Hotmail from your screenshot.)
    -Click the down arrow next to Categories (that's where it is in mine anyway) in the message's header area near the sender and subject.
    -Pick View message source from the menu.

    Actually, looking at it, it's not a down arrow, it's 3 dots ...


    Thanks mack, this is what I got when I clicked view source:

    x-store-info:eER+dkW9LbRZeSaTfrbsKbNwYWGSG1yylBVqBKWR43I=
    Authentication-Results: hotmail.com; spf=none (sender IP is 210.50.76.229) smtp.mailfrom=info@ulsterbank.com; dkim=none header.d=ulsterbank.com; x-hmca=none header.id=info@ulsterbank.com
    X-SID-PRA: info@ulsterbank.com
    X-AUTH-Result: NONE
    X-SID-Result: NONE
    X-Message-Status: n:n
    X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0xO1NDTD00
    X-Message-Info: KpY9G9jQeOFCmxtHus1DqcaBQ5q6FGU6aVjpmdkKvmbCzf3MA2Do3MkT3+CxJdNr7lCzzKDO5Tg1jCczZ7rWM0zWvMsoIF5zW7F3cc1+dh0XJG/mZyQBzaf9XIncINPK6MGCvIFxIAcz31MmuN025prsqG7inniFPibjPb20ZdaN6K1z37yjkRwCUu5c7xqs4Zs0wexwrnASTHAuWcreTxlmvpOZ6c4E
    Received: from mail06.syd.iprimus.net.au ([210.50.76.229]) by BAY004-MC5F25.hotmail.com with Microsoft SMTPSVC(7.5.7601.22678); Fri, 6 Jun 2014 03:59:46 -0700
    X-IronPort-Anti-Spam-Filtered: true
    X-IronPort-Anti-Spam-Result: AnGcAMKekVPTGgqd/2dsb2JhbABDBgEPgWwEAVVHHzMFUYs5okABjkwBh1wCA2AXdYN7BBwBNhNaCgIHIYEDhScHJoFmZQ6cJgEBgWmBOwGDNgKFWwGKLhCUAAIBXYUMjX8BEWmCKg9BAySBFgSBLYhGhjSJbpNBgwRKKy+BAQkXgRs
    X-IPAS-Result: AnGcAMKekVPTGgqd/2dsb2JhbABDBgEPgWwEAVVHHzMFUYs5okABjkwBh1wCA2AXdYN7BBwBNhNaCgIHIYEDhScHJoFmZQ6cJgEBgWmBOwGDNgKFWwGKLhCUAAIBXYUMjX8BEWmCKg9BAySBFgSBLYhGhjSJbpNBgwRKKy+BAQkXgRs
    X-IronPort-AV: E=Sophos;i="4.98,988,1392123600"; d="scan'208,217";a="141356020"
    Received: from 157.001.dsl.qld.iprimus.net.au (HELO ulsterbank.com) ([211.26.10.157]) by smtp06.syd.iprimus.net.au with ESMTP; 06 Jun 2014 20:58:43 +1000
    From: Ulster Bank<info@ulsterbank.com>
    Subject: You have (1) new secure message
    Date: 06 Jun 2014 20:58:48 +1000
    Message-ID: <20140606205848.0C0416F17C99FF4F@ulsterbank.com>
    MIME-Version: 1.0
    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    Bcc:
    Return-Path: info@ulsterbank.com
    X-OriginalArrivalTime: 06 Jun 2014 10:59:47.0117 (UTC) FILETIME=[6E266DD0:01CF8176]

-<html> <head> <style type=3D"text/css"> BODY, TD {font-family: verdana,arial,helvetica,sans-serif;font-size:12px;col= or: 
#000000;} LI {line-height: 120%;} UL.ppsmallborder {margin:10px 5px 10px 20px;} LI.ppsmallborderli {margin:0px 0px 5px 0px;} UL.pp_narrow {margin:10px 5px 0px 40px;} hr.dotted {width: 100%; margin-top: 0px; margin-bottom: 0px; border-left:#ff= f; border-right: #fff; border-top: #fff; border-bottom: 2px dotted #ccc;} =2Epp_label {font-family: verdana,arial,helvetica,sans-serif;font-size:10px;fo= nt-weight: bold;color: #000000;} =2Epp_serifbig {font-family: serif;font-size: 20px;font-weight: bold;color:#00= 0000;} =2Epp_serif{font-family: serif;font-size: 16px;color: #000000;} =2Epp_sansserif{font-family: verdana,arial,helvetica,sans-serif; font-size:16p= x;color: #000000;} =2Epp_heading {font-family: verdana,arial,helvetica,sans-serif;font-size:18px;= font-weight: bold;color: #003366;}=09 =2Epp_subheadingeoa {font-family:verdana,arial,helvetica,sans-serif;font-size:= 15px;font-weight: bold;color: #000000;}=09 =2Epp_subheading {font-family: verdana,arial,helvetica,sans-serif;font-size:16= px;font-weight: bold;color: #003366;}=09 =2Epp_sidebartext {font-family: verdana,arial,helvetica,sans-serif;font-size: 11px;color: #003366;}=09 =2Epp_sidebartextbold {font-family:verdana,arial,helvetica,sans-serif;font-siz= e: 11px;font-weight: bold;color: #003366;}=09 =2Epp_footer {font-family: verdana,arial,helvetica,sans-serif;font-size:11px;c= olor: #aaaaaa;} =2Epp_button {font-size: 13px; font-family:verdana,arial,helvetica,sans-serif;= font-weight: 400; border-style:outset; color:#000000; background-color: #cccccc;} =2Epp_smaller {font-family: verdana,arial,helvetica,sans-serif;font-size:10px;= color: #000000;} =2Epp_smallersidebar {font-family:verdana,arial,helvetica,sans-serif;font-size= : 10px;color: #003366;} =2Eppem106 {font-weight: 700;} =2Estyle1 { color: #000033; font-weight: bold; } =2Estyle4 { color: #0066CC; font-weight: bold; font-size: 16px; } =2Estyle6 { color: #000000; font-size: 14px; } </style> <meta http-equiv=3D"Content-Type" content=3D"text/html; 
charset=3Diso-8859-1= "> <title>Notification</title> </head> <body bgcolor=3D"#ffffff"> <table width=3D"690" cellspacing=3D"0" cellpadding=3D"0" border=3D"0"> <tr> <br> <td width=3D"633" height=3D"239"> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify">  </p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify">  </p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify">  </p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"center"> <a href=3D"http://www.audrugdog.com/505.html"&gt; <img border=3D"0" src=3D"https://www.ulsterbankanytimebanking.co.uk/brands= /UBN/images/logo_ulster_bank.gif" width=3D"285" height=3D"78"></a></p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify">  </p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify">  </p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify">  </p> <h2 style=3D"outline: 0px; font-size: 1.8em; vertical-align: baseline; col= or: rgb(0, 42, 102); font-weight: 500; display: block; text-align: center; f= ont-family: Arial, Helvetica, sans-serif; font-style: normal; font-variant: = normal; letter-spacing: normal; line-height: normal; orphans: auto; text-ind= ent: 0px; text-transform: none; white-space: normal; widows: auto; word-spac= ing: 0px; -webkit-text-stroke-width: 0px; border: 0px none; margin-left: 0px= ; margin-right: 0px; margin-top: 0px; margin-bottom: 20px; padding: 0px; bac= kground:"> Your Anytime Banking<font size=3D"3"> account has <b>1 new message.</b></h= 2> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify"><br>= =20 </p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify"> = </p> <p style=3D"MARGIN-TOP: 0px" align=3D"center"> <a href=3D"http://www.audrugdog.com/505.html"&gt; <img border=3D"0" src=3D"http://www.ulsterbank.ie/images/personal-homepag= e/content/accountLogin.png" width=3D"154" height=3D"36"></a></p> <p style=3D"MARGIN-TOP: 0px" align=3D"justify"> </p> 
=20=20=20=20=20=20=20=20=20=20 <p align=3D"center"> =20=20=20=20=20=20=20=20=20=20 <font size=3D"2">(The=20 Message Center contains important information about your=20 account)</span><br><br> =20=20=20=20=20=20=20=20=20=20=20=20=20 <font color=3D"#003366" size=3D"1"><br> </font></font> </font><font size=3D"1" color=3D"#003366"> 2014 Ulster Bank Ireland=20 Limited. A private company limited by shares, trading as Ulster=20 Bank, Ulster Bank Group and Banc Uladh. Registered in Republic of=20 Ireland. Registered No 25766. Registered Office: Ulster Bank Group=20 Centre, George’s Quay, Dublin 2. Member of The Royal Bank of=20 Scotland Group. Ulster Bank Ireland Limited is regulated by the=20 Central Bank of Ireland. Calls may be recorded.</font></td>=20=20=20 </tr> =20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=09=09 </body>=20=20=20 </html>


  • Registered Users, Registered Users 2 Posts: 6,242 ✭✭✭bonzodog2


    Unusual to only have 1 Received header
    210.50.76.229 is Australian IP
    No Content-Type, User-Agent or X-Mailer headers
    HTML only





    Keep away!


  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,481 CMod ✭✭✭✭Spear


    rawn wrote: »
    Thanks mack, this is what I got when I clicked view source:

    x-store-info:eER+dkW9LbRZeSaTfrbsKbNwYWGSG1yylBVqBKWR43I=
    Authentication-Results: hotmail.com; spf=none (sender IP is 210.50.76.229) smtp.mailfrom=info@ulsterbank.com; dkim=none header.d=ulsterbank.com; x-hmca=none header.id=info@ulsterbank.com
    X-SID-PRA: info@ulsterbank.com
    X-AUTH-Result: NONE
    X-SID-Result: NONE
    X-Message-Status: n:n
    X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0xO1NDTD00
    X-Message-Info: KpY9G9jQeOFCmxtHus1DqcaBQ5q6FGU6aVjpmdkKvmbCzf3MA2Do3MkT3+CxJdNr7lCzzKDO5Tg1jCczZ7rWM0zWvMsoIF5zW7F3cc1+dh0XJG/mZyQBzaf9XIncINPK6MGCvIFxIAcz31MmuN025prsqG7inniFPibjPb20ZdaN6K1z37yjkRwCUu5c7xqs4Zs0wexwrnASTHAuWcreTxlmvpOZ6c4E
    Received: from mail06.syd.iprimus.net.au ([210.50.76.229]) by BAY004-MC5F25.hotmail.com with Microsoft SMTPSVC(7.5.7601.22678);

    Received: from 157.001.dsl.qld.iprimus.net.au (HELO ulsterbank.com) ([211.26.10.157]) by smtp06.syd.iprimus.net.au with ESMTP; 06 Jun 2014 20:58:43 +1000
    From: Ulster Bank<info@ulsterbank.com>
    Subject: You have (1) new secure message
    Date: 06 Jun 2014 20:58:48 +1000
    Message-ID: <20140606205848.0C0416F17C99FF4F@ulsterbank.com>
    MIME-Version: 1.0

    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    Bcc:
    Return-Path: info@ulsterbank.com
    X-OriginalArrivalTime: 06 Jun 2014 10:59:47.0117 (UTC) FILETIME=[6E266DD0:01CF8176] -

    <a href=3D"http://www.audrugdog.com/505.html"> <img border=3D"0"

    src=3D"https://www.ulsterbankanytimebanking.co.uk/brands= /UBN/images/logo_ulster_bank.gif" width=3D"285" height=3D"78">

    <a href=3D"http://www.audrugdog.com/505.html"> <img border=3D"0" src=3D"http://www.ulsterbank.ie/images/personal-homepag= e/content/accountLogin.png"


    Some stuff cleaned out, and more pertinent parts in bold.

    It came from an Australian Primus machine.

    It uses some real stuff from the Ulsterbank site, but the other links go to the site www.audrugdog.com.

    This is why the images don't show anything truthful about such emails, or why there should be a special hell for whoever thought HTML should be allowed in emails.
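
Added example, not part of the original thread: the checks described in the post above (what the receiving server concluded, which machines relayed the mail, and where the links really go), run in Python over an abridged copy of the posted message. The function and key names are illustrative assumptions, and the sample is constructed from the headers quoted in the thread with the HTML body cut down to one link and one image.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: abridged from the headers posted in this thread,
# HTML body reduced to the one link and one image under discussion.
SAMPLE = """\
Authentication-Results: hotmail.com; spf=none (sender IP is 210.50.76.229) smtp.mailfrom=info@ulsterbank.com; dkim=none header.d=ulsterbank.com
Received: from mail06.syd.iprimus.net.au ([210.50.76.229]) by BAY004-MC5F25.hotmail.com with Microsoft SMTPSVC(7.5.7601.22678); Fri, 6 Jun 2014 03:59:46 -0700
Received: from 157.001.dsl.qld.iprimus.net.au (HELO ulsterbank.com) ([211.26.10.157]) by smtp06.syd.iprimus.net.au with ESMTP; 06 Jun 2014 20:58:43 +1000
From: Ulster Bank<info@ulsterbank.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<a href=3D"http://www.audrugdog.com/505.html">
<img src=3D"http://www.ulsterbank.ie/images/personal-homepag=
e/content/accountLogin.png"></a>
"""

def hosts(attr, html):
    # Hostnames found in attr="..." values; attr is "href" or "src".
    urls = re.findall(attr + r'\s*=\s*"([^"]+)"', html, re.I)
    return sorted({urlparse(u).hostname or "" for u in urls})

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    # What the receiving server concluded about the claimed sender.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg.get("Authentication-Results", ""))))
    # Each relay prepends its Received line: first = last hop, last = origin.
    hop_ips = [m.group(1) for r in msg.get_all("Received", [])
               if (m := re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(r)))]
    html = msg.get_content()  # decodes quoted-printable (=3D, soft line breaks)
    # Click targets that are neither the From domain nor a subdomain of it.
    off = [h for h in hosts("href", html)
           if h != from_domain and not h.endswith("." + from_domain)]
    return {
        "from_domain": from_domain,
        "auth": auth,
        "authenticated": "pass" in auth.values(),
        "hop_ips": hop_ips,
        "image_hosts": hosts("src", html),
        "click_hosts_off_domain": off,
    }

print(triage(SAMPLE))
```

The image host comes back as the bank's own site while the only click target is off-domain, which is the mismatch a screenshot of the rendered mail cannot show.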


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭rawn


    Haha, I did click into it out of stupidity curiosity. Ran AVG, Malwarebytes and SpyBot and came back clean. This time :cool:


  • Registered Users, Registered Users 2 Posts: 3,271 ✭✭✭techdiver


    rawn wrote: »
    Haha, I did click into it out of stupidity curiosity. Ran AVG, Malwarebytes and SpyBot and came back clean. This time :cool:

    Phishing sites rarely come up on scans as they are like pop-up shops (here today, gone tomorrow). What will always give them away is the URL you end up going to also. It won't be Ulster Bank's online banking address.

