Welcome to...
GingerCat Software
We make software for the Web, the Macintosh and Linux
(among other things!) We hope you enjoy our site

Was this Bank being robbed?

The other day at work I got yet another bit of spam. It was reputedly from a well-known Australian bank. It required the user to log on and asked the "Dear Customer!" to re-enter their account details for "verification / audit" purposes!

I realised it was spam the moment I opened it, and what also teed me off was the fact that in Apple Mail, when I rested my cursor over the link to the "Verification page!", I could see a listed IP number instead of a related URL. If someone is using an IP number in a link then this is often an example of a very new company that hasn't got its act together with regard to DNS, or is someone who wants to conceal where or what they are doing.

Doing a whois in the terminal (in Mac OS X or Linux, or any *nix for that matter) is a good way to work out where the data is coming from. Interestingly enough, the IP address that this "verification link" pointed to was not a registered Australian address!
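An added example, not part of the original post: a small Python triage check that flags links in an HTML mail body whose host is a raw IP address rather than a DNS name, which is the sign noticed above. It goes slightly beyond the post by also catching single-integer (decimal or hex) IPv4 hosts; the names `LinkCollector`, `host_as_ip`, `flag_ip_links` and the sample body are constructed for illustration, and the addresses come from documentation ranges.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_as_ip(host):
    """Return the IP address a URL host denotes, or None for a DNS name."""
    try:
        return ipaddress.ip_address(host)  # dotted IPv4 or IPv6 literal
    except ValueError:
        pass
    try:  # a single integer host (decimal or 0x hex) is also read as IPv4
        return ipaddress.IPv4Address(int(host, 0))
    except ValueError:
        return None

def flag_ip_links(html_body):
    """Return (href, text, ip) for each link whose host is an IP literal."""
    parser = LinkCollector()
    parser.feed(html_body)
    hits = []
    for href, text in parser.links:
        ip = host_as_ip(urlsplit(href).hostname or "")
        if ip is not None:
            hits.append((href, text, str(ip)))
    return hits

# Constructed sample mail body, not the message described in the post.
SAMPLE = """<p>Dear Customer!</p>
<a href="http://203.0.113.45/verify/login.html">Verification page</a>
<a href="http://3405803821/audit">Audit</a>
<a href="https://www.example.com/help">Help</a>"""
```

Each flagged address can then be looked up with `whois` as described above.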

I then did a whois on the bank's IP address (yes, it was an Australian IP address and the detail looked relevant!). I then tried to reach the bank's home page via the web. I got a "Site busy, come back later" type response! Had they shut the site down? Was it suffering a denial of service attack (DoS attack)?

I then tried to reach the IP address of the spammer! I couldn't get through.

So I have to ask myself the question: was this a bit of cyber terrorism going on before my very eyes? Was someone in the process of robbing the bank or robbing the customers? It didn't make national headlines the next day, but if a major Australian bank (that does allow internet banking) cannot keep its web site open at 3:30 pm, you have to wonder what's going on.

One thing that may have been good was that the spamming site could not be accessed. But was this because of the intelligence of my ISP? Someone at the AFP or an upstream ISP blocking the address? Or was the spam site just being flooded by people who were updating their details for "Verification / Audit" reasons (and hence being ripped off)?

For what it was worth, I did the decent thing and took a screenshot of the offending spam (showing the IP number) and sent that information (with the whois lookup of the spam site) off to the technical reference person's email address that was listed in the bank's whois record.

Strangely enough I have not heard back from the bank!...



This link may also be of use
http://www.antiphishing.org/




© 2006 Steve Abrahall