Phishing e-mails from Co-Operative Bank?

Over the last few days, we have seen a large volume of e-mails proclaiming to be from the Co-Operative Bank. They are asking their customers to confirm their banking details for a whole variety of reasons, most recently stating that there is a transfer pending which they are unable to receive until the user confirms their details by clicking on a link within the e-mail message.

To begin with, these e-mails came from a relatively believable address -  co-operative-system.coop-uk.co.uk – but then subsequent e-mails have arrived from - co-operativebank.co.uk – which is the legitimate domain for the bank.

These emails are 100% fraudulent, they are solely designed to trick the recipient into handing over sensitive banking details.
The fraudsters are then able to gain access to your online banking information.

 

If you receive one of these emails, do not respond in any way. Just delete the messages.
Banks do not contact their customers for personal account details via e-mail. If in doubt, call the bank to enquire about your account directly.

For a full technical analysis see below;

 

 

The initial giveaway that this is a fraudulent e-mail is if you examine the link you are being requested to click on. It claims to take you to the Co-Operative Bank’s website, instead, it takes you to http://beirutdiscounts.com which has been hijacked, but thankfully, as of this morning, displays an error message rather than capturing people’s details.

The e-mail originates from the IP address 122.62.112.4 which is located in New Zealand and I highly doubt therefore authorized to send messages on behalf of the Co-Operative Bank;

 

inetnum:        122.62.0.0 - 122.62.255.255

netname:        PLV-TELECOM-NZ

descr:          Telecom New Zealand Ltd

country:        NZ

admin-c:        IA42-AP

tech-c:         IA42-AP

notify:         nic@netgate.net.nz

mnt-by:         NZTELECOM

changed:        dbk1@netgate.net.nz 20090826

status:         ASSIGNED NON-PORTABLE

source:         APNIC

 

The most concerning factor of these phishing e-mails is that they claim to be from a legitimate Co-Operative Bank domain. But if we look at the Co-Operative Bank’s sender Policy Framework* (SPF) records then we get the following;

v=spf1 mx:cfs.co.uk a:apps.co-operativebank.co.uk a:applications.co-operativebank.co.uk include:foretelsystems.com –all

The final section tells the SPF checking to look for SPF records for fortelsystems.com and include those in the search. However, unfortunately, at this time, this domain has no SPF records. This means the verification of the Co-Operative Bank’s email’s security fails.
This is what has allowed the fraudsters to send these e-mails from their own domain.

What a sobering thought. A high street bank has failed in its duty to protect its customers.
A simple mistake to make, but it comes with serious consequences for its trusting customers.

 

*Sender Policy Framework (SPF) is a validation system for e-mail. It is able to detect fraudulent e-mails and checks that incoming messages are arriving from a valid domain authorized by that domain’s administrators.

BT Scam

Hot on the heels of this years round of scam e-mails purporting to be from the Inland Revenue and offering healthy refunds we've seen a new one today which pupports to be from BT.

This is a perfect example of phishing scams whereby scammers attempt to lure you into giving over your personal or preferably credit card details by playing the age of confidence trick and pretending to be someone that you trust

Here's a sample of the e-mail:

 

Looking at this it appears to come from ebilling@bt.com but looking at the headers tells us a completely different story....

This e-mail originated from an address in China and reached us via an compromised computer.

 

This type of scam is not new and it won't be the last time we see it.   If you are one of our customers and recieve a suspect message always forward it to us and we'll be more than happy to check it out for you otherwise play by these rules;

  1. Big companies like BT, banks, ebay etc will never e-mail you to ask for details - they will nag you when you next log safely into the site.
  2. Never trust the address that an e-mail purports to come from as this can be easily forged
  3. Before clicking a link in an e-mail hover over it and look at what address comes up - if it's not the address you are expecting then it's most likely a fraud.