Tuesday, May 29, 2007

Phishing email

I recently received a phishing message that looked like this:
Dear National City business client:

The National City Corporate Customer Service requests you to complete the National City Business Online Client Form.

This procedure is obligatory for all business and corporate clients of National City.

Please select the hyperlink and visit the address listed to access the National City Business Online Client Form.

http://session-9681849.nationalcity.com/corporate/onlineservices/TreasuryMgmt/

Again, thank you for choosing National City for your business needs. We look forward to working with you.

***** Please do not respond to this email *****

This mail is generated by an automated service.
Replies to this mail are not read by National City Corporate Customer Service or technical support.

--------------------------------------------------------------

Of course, the actual link points to http://session-9681849.nationalcity.com.userpro.tw/corporate/onlineservices/TreasuryMgmt/, where the National City hostname is only a subdomain prefix of userpro.tw.

The site 'userpro.tw' is being used for malicious purposes. The other hidden component of this message was a block of hex values and code-like keywords below the dashed line, "hidden" by setting the font to white or near white (FFFFF3, FFFFF6 and FFFFFF were used).
I'm curious about the code: do you think the hex was used to defeat Bayesian spam filters, was a programming mistake by the phisher, or was something else?
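
A defender can check for both tricks described in this post, the link text that names one host while the href names another and the near-white filler text, with a short scanner. This is an added example, not part of the original post: the HTML sample is constructed (the post shows only the rendered mail), the names `PhishScan`, `near_white` and `scan` are hypothetical, and it assumes a white background so that near-white text is effectively invisible.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: the post shows only the rendered mail, so this markup is assumed.
SAMPLE_HTML = """<html><body bgcolor="#FFFFFF">
<p>Please select the hyperlink and visit the address listed.</p>
<a href="http://session-9681849.nationalcity.com.userpro.tw/corporate/onlineservices/TreasuryMgmt/">
http://session-9681849.nationalcity.com/corporate/onlineservices/TreasuryMgmt/</a>
<hr>
<font color="#FFFFF3">tmp: 0x00, 0x01 (constructed filler)</font>
</body></html>"""
VOID = {"br", "hr", "img", "meta", "link", "input"}  # tags with no end tag

def near_white(value, floor=0xF0):
    """True when a 6-digit hex colour has R, G and B all >= floor."""
    m = re.search(r"#?([0-9a-fA-F]{6})\b", value or "")
    return bool(m) and all(int(m.group(1)[i:i + 2], 16) >= floor for i in (0, 2, 4))

class PhishScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.href = [], None   # open (tag, hidden?) pairs; current <a> target
        self.label, self.findings = [], []  # text seen since the last <a>; results
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        css = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", a.get("style") or "", re.I)
        hidden = near_white(css.group(1) if css else a.get("color"))
        if tag not in VOID:  # children inherit the hidden state of their parent
            self.stack.append((tag, hidden or bool(self.stack and self.stack[-1][1])))
        if tag == "a":
            self.href, self.label = a.get("href") or "", []
    def handle_endtag(self, tag):
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag: pass
        if tag == "a" and self.href is not None:
            shown = urlparse("".join(self.label).strip()).hostname
            real = urlparse(self.href).hostname
            if shown and real and shown != real:  # text names one host, href another
                self.findings.append(("link-mismatch", shown, real))
            self.href = None
    def handle_data(self, data):
        self.label.append(data)
        if data.strip() and self.stack and self.stack[-1][1]:
            self.findings.append(("hidden-text", data.strip()))

def scan(html):
    parser = PhishScan()
    parser.feed(html)
    return parser.findings
```

Link text that is not itself a URL (for example "click here") yields no displayed hostname and is skipped rather than flagged.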
