The First National Bank in Manitowoc (in Wisconsin, USA) changed its name to Bank First National. And then the scams began.... Some hackers possibly based in the Seattle area took over a computer somewhere around Atlanta. They used the hijacked computer to send e-mail to many e-mail addresses, in the hopes that some would have accounts at what is now Bank First National, and that some of them would fall for the scam.
The scam starts by saying reasonable things about being careful about phishing scams! It then claims that they are going to launch a new security system, and please call a provided telephone number to enable it.
I called the number, it was still functioning. It asks you to key in your credit card number. I gave it an entirely bogus 16-digit number to see what would happen next, but after a very short pause the voice mail system told me that the number was invalid.
No, I had not bothered to generate the final digit with the Luhn algorithm used to validate credit card numbers:
Starting at the rightmost digit (which is the
check digit) and moving left, double the value
of every other digit.
For any digit that becomes 10 or more,
add the two resulting digits.
For example, 1111 becomes 2121,
while 8763 becomes 7733.
For the second one:
3 -> 3
6 x 2 = 12 -> 1 + 2 = 3
7 -> 7
8 x 2 = 16 -> 1 + 6 = 7
Add all these digits together:
1111 -> 2121 -> 2 + 1 + 2 + 1 = 6
8763 -> 7733 -> 7 + 7 + 3 + 3 = 20
If that total ends in 0, then the number is valid.
If not, it is invalid.
So, 1111 is invalid (the result is 6).
But, 8763 is valid (the result is 20).
My random 16 digits failed this test, so I was asked to re-enter my credit card number more carefully.
Analysis of the Headers
Remember to read the
Received entries from
bottom to top.
It started at a machine calling itself
Userand using IP address 188.8.131.52. That machine seems to have been running Microsoft Outlook Express 6.00.2600.0000.
The message was then relayed by
prodmail01.computercompany.netat IP address 184.108.40.206. That might be an appropriate mail relay for the hijacked computer, but I doubt it. According to
- The source 220.127.116.11 is in the IP block 18.104.22.168 - 22.214.171.124, which belongs to GNAXNET.
- The relay 126.96.36.199 is in the IP block 188.8.131.52 - 184.108.40.206, which belongs to Verizon Business UUNET65 (NET-65-192-0-0-1). More specifically, the 220.127.116.11/24 subnet belongs to Bowhead Support Services UU-65-215-45-D7 (NET-65-215-45-0-1).
- The source 18.104.22.168 is in or near Atlanta.
- The relay 22.214.171.124 is in Boston.
It then hopped through three machines at my ISP:
See the items highlighted in yellow below for the network trace.
Analysis of the Message
The scammers spoofed the
From address as
However, the scammers made some errors! The message itself seems to have been one designed to trick customers of the German American Bank. And, they can't spell "advantage" or "corporation"!
The telephone area code 425 is in Washington state,
suburbs north and east of Seattle.
According to the following resources, it's a residential
See the items highlighted in blue below for the human-hacking issues.
The Received Message
Below is the message precisely as I received it,
except that I have broken the long lines of the
Each paragraph was a single line of text in the original.
And, I have changed
11 in my
e-mail address where it appears, to reduce the amount of
spam I get caused by spammers scraping e-mail addresses
from web pages.
This does not prevent people spamming for high-cost low-value "credit reports" from finding this page and insisting that I need to replace the consumer.gov URL with theirs.
From email@example.com Wed Oct 31 17:04:26 2007 Return-path: <firstname.lastname@example.org> Received: from mta4.manage.insightcom.com ([172.31.249.158]) by msb1.manage.insightcom.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) with ESMTP id <0JQS00GNWNV05RE0@msb1.manage.insightcom.com> for email@example.com; Wed, 31 Oct 2007 17:04:12 -0400 (EDT) Received: from mxsf08.insightbb.com ([172.31.249.124]) by mta4.manage.insightcom.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) with ESMTP id <0JQS001FLNUZFSF1@mta4.manage.insightcom.com> for firstname.lastname@example.org (ORCPT email@example.com); Wed, 31 Oct 2007 17:04:12 -0400 (EDT) Received: from mail.computercompany.net (HELO mxip00.insightbb.com) ([126.96.36.199]) by mxsf08.insightbb.com with ESMTP; Wed, 31 Oct 2007 17:04:11 -0400 Received: from mail.computercompany.net (HELO prodmail01.computercompany.net) ([188.8.131.52]) by mxip00.insightbb.com with ESMTP; Wed, 31 Oct 2007 17:04:10 -0400 Received: from User (unverified [184.108.40.206]) by computercompany.net (Rockliffe SMTPRA 6.0.11) with ESMTP id <B0029996528@prodmail01.computercompany.net>; Wed, 31 Oct 2007 17:06:34 -0400 Date: Wed, 31 Oct 2007 16:04:26 -0500 From: First National Bank in Manitowoc <firstname.lastname@example.org> Subject: [SUSPECTED SPAM] Dear Customer, To: Undisclosed recipients: ; Reply-to: email@example.com Message-id: <B0029996528@prodmail01.computercompany.net> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 X-Mailer: Microsoft Outlook Express 6.00.2600.0000 Content-type: text/plain; charset=Windows-1251 Content-transfer-encoding: 8BIT X-Priority: 3 X-MSMail-priority: Normal X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Am+9APGKKEdB1y0LYWdsb2JhbACBVAaHOoVGFQQWARiBEwE X-IronPort-AV: E=Sophos;i="4.21,352,1188792000"; d="scan'208";a="116744390" Original-recipient: rfc822;firstname.lastname@example.org Status: R X-Status: NC X-KMail-EncryptionState: X-KMail-SignatureState: X-KMail-MDN-Sent: Dear German American Bank Customer, We regret to inform you that we have received numerous fraudulent emails which ask for personal account information. The emails contained links to fraudulent pages that looked legit. Please remember that we will never ask for personal account information via email or web pages. Because of this we are launching a new security system to make German American Bank accounts more secure and safe. To take advatage of our new consumer Identity Theft Protection Program we had to deactivate access to your card account. To activate it please call us immediately at (425) 998-1190 Activation is free of charge and will take place as soon as you finish the activation process. If you think your identity has been stolen, here's what to do now: 1) Contact the fraud departments of any one of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert requests creditors to contact you before opening any new accounts or making any changes to your existing accounts. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will be automatically notified, and all three credit reports will be sent to you free of charge. 2) Close accounts that you know or believe have been tampered with or opened fraudulently. Use the ID Theft Affidavit (PDF) when disputing new unauthorized accounts. 3) File a police report. Get a copy of the report to submit to your creditors and others that may require proof of the crime. 4) File your complaint with the Federal Trade Commission (FTC). The FTC maintains a database of identity theft cases used by law enforcement agencies for investigations. Filing a complaint also helps the FTC gather more information about identity theft and the problems victims are having. For more information, go to: http://www.consumer.gov/idtheft/. Please do not reply to this message. For any inquiries, contact Customer Service. THE GERMAN AMERICAN BANK CORPORARION - Copyright © 2007