Hacking the Human — Manitowoc Bank Scam

Background

The First National Bank in Manitowoc (in Wisconsin, USA) changed its name to Bank First National. And then the scams began... Some hackers, possibly based in the Seattle area, took over a computer somewhere around Atlanta. They used the hijacked computer to send e-mail to many addresses, in the hope that some of the recipients would have accounts at what is now Bank First National, and that some of those would fall for the scam.

The scam starts by saying reasonable things about being careful about phishing scams! It then claims that they are going to launch a new security system, and please call a provided telephone number to enable it.

I called the number; it was still functioning. It asks you to key in your credit card number. I gave it an entirely bogus 16-digit number to see what would happen next, but after a very short pause the voice mail system told me that the number was invalid.

No, I had not bothered to generate the final digit with the Luhn algorithm used to validate credit card numbers:

  1. Starting at the rightmost digit (which is the check digit and is never doubled) and moving left, double the value of every second digit. For any doubled value of 10 or more, add its two digits together. For example, 1111 becomes 2121, while 8763 becomes 7733. For the second one:
    3 -> 3
    6 x 2 = 12 -> 1 + 2 = 3
    7 -> 7
    8 x 2 = 16 -> 1 + 6 = 7
  2. Add all these digits together:
    1111 -> 2121 -> 2 + 1 + 2 + 1 = 6
    8763 -> 7733 -> 7 + 7 + 3 + 3 = 20
  3. If that total ends in 0, then the number is valid. If not, it is invalid.
    So, 1111 is invalid (the result is 6).
    But, 8763 is valid (the result is 20).
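The three steps above as an added Python example, not code from the original page: it works through the page's own 1111 and 8763 examples, reporting the adjusted digits and the total, and it also computes the check digit a payload would need, which is the step the author skipped when keying in random digits. Separators such as spaces or dashes are ignored. The 16-digit number in the demo is a constructed sample, not a real card number.

```python
def luhn_digits(number):
    """Step 1: return the adjusted digits of a digit string, leftmost first.
    Characters that are not digits (spaces, dashes) are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    adjusted = []
    # Walk from the rightmost digit (the check digit, never doubled) leftwards,
    # doubling every second digit; a doubled value of 10 or more is reduced by
    # adding its two digits, which is the same as subtracting 9.
    for position, d in enumerate(reversed(digits)):
        if position % 2 == 1:
            d = d * 2
            if d >= 10:
                d -= 9          # 12 -> 1 + 2 = 3, 16 -> 1 + 6 = 7
        adjusted.append(d)
    return adjusted[::-1]


def luhn_sum(number):
    """Step 2: the total of the adjusted digits."""
    return sum(luhn_digits(number))


def luhn_valid(number):
    """Step 3: the number is valid when the total ends in 0.
    An empty string is treated as invalid rather than as a total of 0."""
    if not any(c.isdigit() for c in number):
        return False
    return luhn_sum(number) % 10 == 0


def luhn_check_digit(payload):
    """The check digit that makes payload + digit pass the test.
    Appending a placeholder 0 keeps the doubling pattern aligned with the
    final number, so the digit that tops the total up to a multiple of 10
    is the one to use."""
    return (10 - luhn_sum(payload + "0") % 10) % 10


if __name__ == "__main__":
    # The two examples from the page, plus a constructed 16-digit sample.
    for n in ("1111", "8763", "1234 5678 1234 5670"):
        print(n, "->", luhn_digits(n), "total", luhn_sum(n),
              "valid" if luhn_valid(n) else "invalid")
    print("check digit for 876:", luhn_check_digit("876"))
```

Run it directly to see the page's two examples worked through. A phone system rejecting a random number is no sign of legitimacy: the same handful of lines is all a scam line needs to do it, and the check says nothing about whether an account exists.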

My random 16 digits failed this test, so I was asked to re-enter my credit card number more carefully.

Analysis of the Headers

Remember to read the Received entries from bottom to top.

  1. It started at a machine calling itself User and using IP address 64.22.73.144. That machine seems to have been running Microsoft Outlook Express 6.00.2600.0000.
  2. The message was then relayed by prodmail01.computercompany.net at IP address 65.215.45.11. That might be an appropriate mail relay for the hijacked computer, but I doubt it. According to whois:
    • The source 64.22.73.144 is in the IP block 64.22.64.0 - 64.22.127.255, which belongs to GNAXNET.
    • The relay 65.215.45.11 is in the IP block 65.192.0.0 - 65.223.255.255, which belongs to Verizon Business UUNET65 (NET-65-192-0-0-1). More specifically, the 65.215.45.0/24 subnet belongs to Bowhead Support Services UU-65-215-45-D7 (NET-65-215-45-0-1).
    According to traceroute:
    • The source 64.22.73.144 is in or near Atlanta.
    • The relay 65.215.45.11 is in Boston.
  3. It then hopped through three machines at my ISP: mxsf08.insightbb.com, mta4.manage.insightbb.com, and msb1.manage.insightbb.com.

See the items highlighted in yellow below for the network trace.

Analysis of the Message

The scammers spoofed the From address as service@bankfirstnational.com.

However, the scammers made some errors! The message itself seems to have been one designed to trick customers of the German American Bank. And, they can't spell "advantage" or "corporation"!
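The bottom-to-top reading of the Received chain from the previous section, together with the From/Reply-to comparison from this one, as an added Python example that is not part of the original page. Its sample input is the Received, From and Reply-to headers copied from the message reproduced further down. It walks the hops in the order the message actually travelled and reports the things a defender would want a second look at: the hop the receiving MTA marked as unverified, a HELO name whose domain differs from the reverse-DNS name, hops on internal (RFC 1918) addresses at the receiving ISP, a hop stamped earlier than the one before it (clock skew at the relay), and a Reply-to domain that differs from the From domain. The finding codes and the registered_domain helper are my own naming, not anything from the page.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Header block copied from the message shown on this page (Received chain
# plus From and Reply-to), used as sample input. Folding is kept as received.
SAMPLE_HEADERS = """\
Received: from mta4.manage.insightcom.com ([172.31.249.158])
 by msb1.manage.insightcom.com
 (Sun Java System Messaging Server 6.2-6.01 (built Apr  3 2006))
 with ESMTP id <0JQS00GNWNV05RE0@msb1.manage.insightcom.com> for
 bob.cromwe11@insightbb.com; Wed, 31 Oct 2007 17:04:12 -0400 (EDT)
Received: from mxsf08.insightbb.com ([172.31.249.124])
 by mta4.manage.insightcom.com
 (Sun Java System Messaging Server 6.2-6.01 (built Apr  3 2006))
 with ESMTP id <0JQS001FLNUZFSF1@mta4.manage.insightcom.com> for
 bob.cromwe11@insightbb.com (ORCPT bob.cromwe11@insightbb.com); Wed,
 31 Oct 2007 17:04:12 -0400 (EDT)
Received: from mail.computercompany.net (HELO mxip00.insightbb.com)
 ([65.215.45.11]) by mxsf08.insightbb.com with ESMTP; Wed,
 31 Oct 2007 17:04:11 -0400
Received: from mail.computercompany.net (HELO prodmail01.computercompany.net)
 ([65.215.45.11]) by mxip00.insightbb.com with ESMTP; Wed,
 31 Oct 2007 17:04:10 -0400
Received: from User (unverified [64.22.73.144])
 by computercompany.net (Rockliffe SMTPRA 6.0.11)
 with ESMTP id <B0029996528@prodmail01.computercompany.net>; Wed,
 31 Oct 2007 17:06:34 -0400
From: First National Bank in Manitowoc <service@bankfirstnational.com>
Reply-to: a@insightbb.com

"""


def parse_received(value):
    """Pull sender name, HELO name, IP, receiving host and timestamp out of
    one Received header. Folded lines are collapsed to single spaces first."""
    v = re.sub(r"\s+", " ", value).strip()
    name = re.search(r"\bfrom (\S+)", v)
    helo = re.search(r"\(HELO (\S+)\)", v)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", v)
    by = re.search(r"\bby (\S+)", v)
    stamp = v.rsplit(";", 1)[1].strip() if ";" in v else ""
    try:
        date = parsedate_to_datetime(stamp)
    except (TypeError, ValueError):
        date = None
    return {
        "from": name.group(1) if name else None,
        "helo": helo.group(1) if helo else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "unverified": "unverified" in v,  # receiving MTA could not confirm the name
        "date": date,
    }


def registered_domain(host):
    """Crude comparison key: the last two labels, e.g. mxsf08.insightbb.com -> insightbb.com."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def address_domain(header_value):
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_headers):
    msg = message_from_string(raw_headers)
    # Each MTA prepends its own Received line, so top to bottom is newest
    # first; reverse the list to walk the path the message actually took.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received") or [])]
    findings = []
    for i, hop in enumerate(hops):
        if hop["unverified"]:
            findings.append(("unverified-source", f"hop {i}: {hop['from']} [{hop['ip']}] not verified by {hop['by']}"))
        if hop["helo"] and hop["from"] and registered_domain(hop["helo"]) != registered_domain(hop["from"]):
            findings.append(("helo-mismatch", f"hop {i}: HELO {hop['helo']} but reverse name {hop['from']}"))
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_private:
            findings.append(("private-ip", f"hop {i}: {hop['ip']} is internal to the receiving site"))
        prev = hops[i - 1] if i else None
        if prev and hop["date"] and prev["date"] and hop["date"] < prev["date"]:
            findings.append(("clock-skew", f"hop {i} is stamped earlier than hop {i - 1}"))
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"From claims {from_domain} but replies go to {reply_domain}"))
    # The earliest hop with a public address is as far back as the chain can be traced.
    origin = next((h for h in hops if h["ip"] and not ipaddress.ip_address(h["ip"]).is_private), None)
    return {"hops": hops, "origin": origin, "findings": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS)
    for i, h in enumerate(report["hops"]):
        print(f"{i}: {h['from']} [{h['ip']}] -> {h['by']} at {h['date']}")
    for code, detail in report["findings"]:
        print(f"{code}: {detail}")
```

Only the hops that were recorded by your own ISP's servers can be trusted; anything a relay says about the hop before it is only as reliable as that relay, which is why the origin reported here is the first public address in the chain rather than the name the sending machine gave itself.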

The telephone area code 425 covers the Washington state suburbs north and east of Seattle. According to the following resources, the number is a residential landline:
www.whitepages.com/
www.reversephonedirectory.com/
switchboard.intelius.com/reverselookup.php
www.melissadata.com/lookups/phonelocation.asp

See the items highlighted in blue below for the human-hacking issues.

The Received Message

Below is the message precisely as I received it, except that I have broken the long lines of the message. Each paragraph was a single line of text in the original. And, I have changed "ll" to "11" in my e-mail address where it appears, to reduce the amount of spam I get from spammers scraping e-mail addresses off web pages.

This does not prevent people spamming for high-cost low-value "credit reports" from finding this page and insisting that I need to replace the consumer.gov URL with theirs.

From service@bankfirstnational.com Wed Oct 31 17:04:26 2007
Return-path: <service@bankfirstnational.com>
Received: from mta4.manage.insightcom.com ([172.31.249.158])
 by msb1.manage.insightcom.com
 (Sun Java System Messaging Server 6.2-6.01 (built Apr  3 2006))
 with ESMTP id <0JQS00GNWNV05RE0@msb1.manage.insightcom.com> for
 bob.cromwe11@insightbb.com; Wed, 31 Oct 2007 17:04:12 -0400 (EDT)
Received: from mxsf08.insightbb.com ([172.31.249.124])
 by mta4.manage.insightcom.com
 (Sun Java System Messaging Server 6.2-6.01 (built Apr  3 2006))
 with ESMTP id <0JQS001FLNUZFSF1@mta4.manage.insightcom.com> for
 bob.cromwe11@insightbb.com (ORCPT bob.cromwe11@insightbb.com); Wed,
 31 Oct 2007 17:04:12 -0400 (EDT)
Received: from mail.computercompany.net (HELO mxip00.insightbb.com)
 ([65.215.45.11]) by mxsf08.insightbb.com with ESMTP; Wed,
 31 Oct 2007 17:04:11 -0400
Received: from mail.computercompany.net (HELO prodmail01.computercompany.net)
 ([65.215.45.11]) by mxip00.insightbb.com with ESMTP; Wed,
 31 Oct 2007 17:04:10 -0400
Received: from User (unverified [64.22.73.144])
 by computercompany.net (Rockliffe SMTPRA 6.0.11)
 with ESMTP id <B0029996528@prodmail01.computercompany.net>; Wed,
 31 Oct 2007 17:06:34 -0400
Date: Wed, 31 Oct 2007 16:04:26 -0500
From: First National Bank in Manitowoc <service@bankfirstnational.com>
Subject: [SUSPECTED SPAM] Dear  Customer,
To: Undisclosed recipients: ;
Reply-to: a@insightbb.com
Message-id: <B0029996528@prodmail01.computercompany.net>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: text/plain;
  charset=Windows-1251
Content-transfer-encoding: 8BIT
X-Priority: 3
X-MSMail-priority: Normal
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Am+9APGKKEdB1y0LYWdsb2JhbACBVAaHOoVGFQQWARiBEwE
X-IronPort-AV: E=Sophos;i="4.21,352,1188792000";   d="scan'208";a="116744390"
Original-recipient: rfc822;bob.cromwe11@insightbb.com
Status: R
X-Status: NC
X-KMail-EncryptionState:  
X-KMail-SignatureState:  
X-KMail-MDN-Sent:  

Dear German American Bank Customer,

We regret to inform you that we have received numerous fraudulent emails
which ask for personal account information. The emails contained links
to fraudulent pages that looked legit. Please remember that we will never
ask for personal account information via email or web pages.

Because of this we are launching a new security system to make German
American Bank accounts more secure and safe. To take advatage of our
new consumer Identity Theft Protection Program we had to deactivate
access to your card account.    

To activate it please call us immediately at (425) 998-1190

Activation is free of charge and will take place as soon as you finish
the activation process.

If you think your identity has been stolen, here's what to do now:

1) Contact the fraud departments of any one of the three major credit
bureaus to place a fraud alert on your credit file. The fraud alert
requests creditors to contact you before opening any new accounts or
making any changes to your existing accounts. As soon as the credit
bureau confirms your fraud alert, the other two credit bureaus will
be automatically notified, and all three credit reports will be sent
to you free of charge.

2) Close accounts that you know or believe have been tampered with or
opened fraudulently. Use the ID Theft Affidavit (PDF) when disputing
new unauthorized accounts.

3) File a police report. Get a copy of the report to submit to your
creditors and others that may require proof of the crime.

4) File your complaint with the Federal Trade Commission (FTC).
The FTC maintains a database of identity theft cases used by law
enforcement agencies for investigations. Filing a complaint also
helps the FTC gather more information about identity theft and
the problems victims are having.

For more information, go to: http://www.consumer.gov/idtheft/. 


Please do not reply to this message. For any inquiries, contact
Customer Service.

THE GERMAN AMERICAN BANK CORPORARION - Copyright © 2007