One of the best phishing emails I've seen.

[ivol07]

I just got an email from "Wells Fargo" stating that I need to update my info. Looked fairly professional and real looking. I always like to go to the link just to see the page they set up. But this one stumped me for a few minutes. The URL was a Wells Fargo URL.

Can you figure it out?

Most likely you can, but I'll bet it got a lot of suckers.

 

[rh71]

I got that email. In the email text it was just coded to look like a WF URL but it pointed somewhere else.

Besides, a big company like WF wouldn't use PHP.

BTW: Philippines

 

[pyonir]

How do they put that over the URL? That's weird.

 

[calvinbiss]

banks are never supposed to ask for ATM pin

 

[MikeyIs4Dcats]

must not work in Firefox....I see a numerical address

 

[MercenaryForHire]

Not FDIC Insured ? No Bank Guarantee ? May Lose Value

- M4H

 

[calvinbiss]

Originally posted by: pyonir
How do they put that over the URL? That's weird.

it wasn't over it for me. The fake url came up under my google tool bar, looks all funky

 

[pyonir]

Originally posted by: calvinbiss

Originally posted by: pyonir
How do they put that over the URL? That's weird.

it wasn't over it for me. The fake url came up under my google tool bar, looks all funky

must depend on what you have set up for the tool bar area. It was a little off center for me as well, but covered it mostly.

 

[TitanDiddly]

Originally posted by: MikeyIs4Dcats
must not work in Firefox....I see a numerical address

Same here.

 

[MikeyIs4Dcats]

I see it now in IE, but yeah, it's below covering Google toolbar up. Lame.

 

[Homerboy]

Originally posted by: calvinbiss
banks are never supposed to ask for ATM pin

https://online.wellsfargo.com/?SIGNON_XCP=2501#Enroll

 

[rh71]

Originally posted by: PhasmatisNox

Originally posted by: MikeyIs4Dcats
must not work in Firefox....I see a numerical address

Same here.

It's numerical in IE too.

 

[pyonir]

Screenshot for those of you that don't see it.

 

[Heisenberg]

Originally posted by: MikeyIs4Dcats
must not work in Firefox....I see a numerical address

Yeah, me too with Mozilla.

 

[oneshot47]

I get the numerical address in opera.

 

[notfred]

Link is to: http://202.164.152.25:6180/login.html

How is that "Wells Fargo"?

 

[ttown]

I got to wondering the same thing about 6 months ago when I had my browser hijacked.

The URL said "all-search.com" (or something like that), but I did some netstat and tracert investigation and it turned out it was "global-finder.com".

The way it was done to me was the first part of the url was "global-finder", followed by (i think) a null + %20 + the fake URL.
So what shows up in the address bar is the fake part.

The whole URL string was obfuscated ("%blah%blah%blah....<null>%20%blah%blah%blah>") -- so it wasn't obvious to most people that "all-search.com" had nothing at all to do with the hijacking.
Just like how Wells Fargo has nothing to do with this.

The moral of the story: Never trust a link-- and never trust the words that appear in your address bar.

On the otherhand... it's pretty fun to spoof friends with that trick. I wrote a url obfuscator and then sent a link to a friend. By looking at the link, they saw "www.google.com;%20%blah%blah%blah" -- so they clicked on it -- but it actually sent them to my gag-site.
Oh, fun with technology.

 

[hevnsnt]

this is a VERY VERY VERY old IE exploit

 

[xXped0thugXx]

Originally posted by: MikeyIs4Dcats
must not work in Firefox....I see a numerical address

same with myie2