[nsp-sec] Amazon-based phishing site
Daniel Robert Adinolfi
dra1 at cornell.edu
Wed Jan 12 14:05:42 EST 2011
Folks,
We saw the following today. The phishing link points to ec2-79-125-112-185.eu-west-1.compute.amazonaws.com. If there are any contacts with Amazon on the list, please take note and take hostile action toward the site.
Full URL:
<http://ec2-79-125-112-185.eu-west-1.compute.amazonaws.com/secure/75834acc8790ubbcrqqo8787676a6758767c9870987098cd908ootc87560c2344563463cabb6587/index.html>
Thanks.
-Dan
_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 at cornell.edu phone: 607-255-7657
_________________________________________________________________________
From: Bank of America Alert [mailto:customer_service at bankofamerica.com]
Sent: Wednesday, January 12, 2011 1:51 PM
Subject: Online Banking Has Been Locked?
Importance: High
[cid:~WRD000.jpg]
Dear Bank of America customer,
During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your account information.
This might be due to either of the following reasons:
1. A recent change in your personal information ( i.e.change of address).
2. Submiting invalid information during the initial sign up process.
3. An inability to accurately verify your selected option of payment due to an internal error within our processors.
Due to this, we require you to confirm and verify your account information by clicking the link below:
Click here to start the confirmation process<http://ec2-79-125-112-185.eu-west-1.compute.amazonaws.com/secure/75834acc8790ubbcrqqo8787676a6758767c9870987098cd908ootc87560c2344563463cabb6587/index.html>
If your account information is not confirmed and verified within a certain period of time then your ability to access
your account would become restricted.
Thank you
Bank of America Account Management Deptartment .
________________________________
Bank of America, N.A. Member FDIC. Equal Housing Lender[cid:image001.jpg at 01CBB260.F41718B0]
© 2010 Bank of America Corporation. All rights reserved.
Designated trademarks and brands are the property of their respective owners.
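Added example (not part of the original post): a triage helper for a report like the one above. It decodes the quoted-printable body before extracting links, because a link wrapped across soft line breaks is truncated by a plain regex, and it recovers the public IP and region that the EC2 hostname encodes, for the abuse report. The sample body is constructed from the link in the message; the function names are illustrative, and the hostname pattern covers only the regional form seen here.

```python
import quopri
import re
from urllib.parse import urlsplit

# Constructed sample: the link from the message above, wrapped with
# quoted-printable soft line breaks ("=" at end of line) as raw mail stores it.
RAW_BODY = (
    "by clicking the link below:\n"
    "Click here to start the confirmation process<http://ec2-79-125-112-185.eu-w=\n"
    "est-1.compute.amazonaws.com/secure/75834acc8790ubbcrqqo8787676a6758767c9870=\n"
    "987098cd908ootc87560c2344563463cabb6587/index.html>\n"
)

URL = re.compile(r"https?://[^\s<>\"']+")
# Regional EC2 public DNS form seen in this report: ec2-A-B-C-D.<region>.compute.amazonaws.com
EC2_HOST = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.([a-z0-9-]+)\.compute\.amazonaws\.com$"
)

def decode_qp(raw, charset="iso-8859-1"):
    """Undo quoted-printable so wrapped URLs are whole before matching."""
    return quopri.decodestring(raw.encode(charset)).decode(charset)

def ec2_public_ip(hostname):
    """Return (ip, region) encoded in an EC2 public DNS name, else None."""
    m = EC2_HOST.match(hostname.lower())
    if not m:
        return None
    octets = [int(o) for o in m.groups()[:4]]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets), m.group(5)

def defang(url):
    """Make a URL non-clickable for tickets and abuse reports."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def triage(raw_body):
    """Decode the body, then list each URL with host, EC2 IP/region, defanged form."""
    findings = []
    for url in URL.findall(decode_qp(raw_body)):
        host = urlsplit(url).hostname or ""
        ip, region = ec2_public_ip(host) or (None, None)
        findings.append({"url": url, "host": host, "ip": ip,
                         "region": region, "report_as": defang(url)})
    return findings

if __name__ == "__main__":
    for f in triage(RAW_BODY):
        print(f["report_as"], f["ip"], f["region"])
```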