Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Suspicious email from Ulster Bank

  • 06-06-2014 11:44am
    #1
    Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭


    I just received this email (attached) directly to my inbox, not junk mail. I was immediately suspicious as there is no message facility on the UB site as far as I know. I checked and it is from info@ulsterbank.com which seems legit. I was curious, so I clicked on the account login button. This brought me to a phishing site that looked exactly like the UB online banking login screen, which usually asks you for 3 characters from your PIN and 3 characters from your Online Banking code, except it asked me for my full login code. I reported it as a phishing scam through outlook, just want to spread the warning as it looked genuine and I can see people being fooled by it.


Comments

  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,758 CMod ✭✭✭✭Spear


    Post the headers at least.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭rawn


    That was the entire email. I was gonna post screenshots from the "login" page but my browser has it marked as a phishing site so I can't see it. I could see it on my phone though. (Thanks for nothing AVG Mobile)


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    The from line can be easily forged or spoofed. The clues as to which server the mail really comes from are in the header.

    I wouldn't even click into the phishing site, it could be booby-trapped. Ie. don't get curious.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭rawn


    Another screenshot


  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,758 CMod ✭✭✭✭Spear


    Those are pretty much meaningless. We need to see the source and headers.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 51,054 ✭✭✭✭Professey Chin


    We've been getting loads of spoofed similar bank of Ireland ones this week. Some with just logos, others with an attached html form requesting account numbers and pins


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭rawn


    Spear wrote: »
    Those are pretty much meaningless. We need to see the source and headers.

    Emmm... where do I find them? Scuze the noob :P


  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,758 CMod ✭✭✭✭Spear


    If it's in Gmail, use the view original option. Otherwise it'll vary by client/interface.


  • Registered Users, Registered Users 2 Posts: 98 ✭✭mack81


    rawn wrote: »
    Emmm... where do I find them? Scuze the noob :P


    -Open the email in Hotmail. (it looks like hotmail from your screenshot)
    -Click the down arrow next to Categories (thats where it is in mine anyway) in the message's header area near the sender and subject.
    -Pick View message source from the menu.

    Actually looking at it its not a down arrow its 3 dots ...


  • Registered Users, Registered Users 2 Posts: 3,291 ✭✭✭techdiver


    I would be 99.9% sure this is a phishing scam.

    I would never follow a link from an email to a login for a financial institution.

    You will also easily see that the actual url they wish you to go to is not the url on the bank in question. the develop clone pages of the login form and you are then basically supplying these individuals with your login credentials for you bank account.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭rawn


    mack81 wrote: »
    -Open the email in Hotmail. (it looks like hotmail from your screenshot)
    -Click the down arrow next to Categories (thats where it is in mine anyway) in the message's header area near the sender and subject.
    -Pick View message source from the menu.

    Actually looking at it its not a down arrow its 3 dots ...


    Thanks mack, this is what I got when I clicked view source:

    x-store-info:eER+dkW9LbRZeSaTfrbsKbNwYWGSG1yylBVqBKWR43I= Authentication-Results: hotmail.com; spf=none (sender IP is 210.50.76.229) smtp.mailfrom=info@ulsterbank.com; dkim=none header.d=ulsterbank.com; x-hmca=none header.id=info@ulsterbank.com X-SID-PRA: info@ulsterbank.com X-AUTH-Result: NONE X-SID-Result: NONE X-Message-Status: n:n X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0xO1NDTD00 X-Message-Info: KpY9G9jQeOFCmxtHus1DqcaBQ5q6FGU6aVjpmdkKvmbCzf3MA2Do3MkT3+CxJdNr7lCzzKDO5Tg1jCczZ7rWM0zWvMsoIF5zW7F3cc1+dh0XJG/mZyQBzaf9XIncINPK6MGCvIFxIAcz31MmuN025prsqG7inniFPibjPb20ZdaN6K1z37yjkRwCUu5c7xqs4Zs0wexwrnASTHAuWcreTxlmvpOZ6c4E Received: from mail06.syd.iprimus.net.au ([210.50.76.229]) by BAY004-MC5F25.hotmail.com with Microsoft SMTPSVC(7.5.7601.22678); Fri, 6 Jun 2014 03:59:46 -0700 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AnGcAMKekVPTGgqd/2dsb2JhbABDBgEPgWwEAVVHHzMFUYs5okABjkwBh1wCA2AXdYN7BBwBNhNaCgIHIYEDhScHJoFmZQ6cJgEBgWmBOwGDNgKFWwGKLhCUAAIBXYUMjX8BEWmCKg9BAySBFgSBLYhGhjSJbpNBgwRKKy+BAQkXgRs X-IPAS-Result: AnGcAMKekVPTGgqd/2dsb2JhbABDBgEPgWwEAVVHHzMFUYs5okABjkwBh1wCA2AXdYN7BBwBNhNaCgIHIYEDhScHJoFmZQ6cJgEBgWmBOwGDNgKFWwGKLhCUAAIBXYUMjX8BEWmCKg9BAySBFgSBLYhGhjSJbpNBgwRKKy+BAQkXgRs X-IronPort-AV: E=Sophos;i="4.98,988,1392123600"; d="scan'208,217";a="141356020" Received: from 157.001.dsl.qld.iprimus.net.au (HELO ulsterbank.com) ([211.26.10.157]) by smtp06.syd.iprimus.net.au with ESMTP; 06 Jun 2014 20:58:43 +1000 From: Ulster Bank<info@ulsterbank.com> Subject: You have (1) new secure message Date: 06 Jun 2014 20:58:48 +1000 Message-ID: <20140606205848.0C0416F17C99FF4F@ulsterbank.com> MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Bcc: Return-Path: info@ulsterbank.com X-OriginalArrivalTime: 06 Jun 2014 10:59:47.0117 (UTC) FILETIME=[6E266DD0:01CF8176] -<html> <head> <style type=3D"text/css"> BODY, TD {font-family: verdana,arial,helvetica,sans-serif;font-size:12px;col= or: #000000;} LI {line-height: 120%;} UL.ppsmallborder {margin:10px 5px 10px 20px;} LI.ppsmallborderli {margin:0px 0px 5px 0px;} UL.pp_narrow {margin:10px 5px 0px 40px;} hr.dotted {width: 100%; margin-top: 0px; margin-bottom: 0px; border-left:#ff= f; border-right: #fff; border-top: #fff; border-bottom: 2px dotted #ccc;} =2Epp_label {font-family: verdana,arial,helvetica,sans-serif;font-size:10px;fo= nt-weight: bold;color: #000000;} =2Epp_serifbig {font-family: serif;font-size: 20px;font-weight: bold;color:#00= 0000;} =2Epp_serif{font-family: serif;font-size: 16px;color: #000000;} =2Epp_sansserif{font-family: verdana,arial,helvetica,sans-serif; font-size:16p= x;color: #000000;} =2Epp_heading {font-family: verdana,arial,helvetica,sans-serif;font-size:18px;= font-weight: bold;color: #003366;}=09 =2Epp_subheadingeoa {font-family:verdana,arial,helvetica,sans-serif;font-size:= 15px;font-weight: bold;color: #000000;}=09 =2Epp_subheading {font-family: verdana,arial,helvetica,sans-serif;font-size:16= px;font-weight: bold;color: #003366;}=09 =2Epp_sidebartext {font-family: verdana,arial,helvetica,sans-serif;font-size: 11px;color: #003366;}=09 =2Epp_sidebartextbold {font-family:verdana,arial,helvetica,sans-serif;font-siz= e: 11px;font-weight: bold;color: #003366;}=09 =2Epp_footer {font-family: verdana,arial,helvetica,sans-serif;font-size:11px;c= olor: #aaaaaa;} =2Epp_button {font-size: 13px; font-family:verdana,arial,helvetica,sans-serif;= font-weight: 400; border-style:outset; color:#000000; background-color: #cccccc;} =2Epp_smaller {font-family: verdana,arial,helvetica,sans-serif;font-size:10px;= color: #000000;} =2Epp_smallersidebar {font-family:verdana,arial,helvetica,sans-serif;font-size= : 10px;color: #003366;} =2Eppem106 {font-weight: 700;} =2Estyle1 { color: #000033; font-weight: bold; } =2Estyle4 { color: #0066CC; font-weight: bold; font-size: 16px; } =2Estyle6 { color: #000000; font-size: 14px; } </style> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-1= "> <title>Notification</title> </head> <body bgcolor=3D"#ffffff"> <table width=3D"690" cellspacing=3D"0" cellpadding=3D"0" border=3D"0"> <tr> <br> <td width=3D"633" height=3D"239"> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify">  </p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify">  </p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify">  </p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"center"> <a href=3D"http://www.audrugdog.com/505.html"&gt; <img border=3D"0" src=3D"https://www.ulsterbankanytimebanking.co.uk/brands= /UBN/images/logo_ulster_bank.gif" width=3D"285" height=3D"78"></a></p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify">  </p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify">  </p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify">  </p> <h2 style=3D"outline: 0px; font-size: 1.8em; vertical-align: baseline; col= or: rgb(0, 42, 102); font-weight: 500; display: block; text-align: center; f= ont-family: Arial, Helvetica, sans-serif; font-style: normal; font-variant: = normal; letter-spacing: normal; line-height: normal; orphans: auto; text-ind= ent: 0px; text-transform: none; white-space: normal; widows: auto; word-spac= ing: 0px; -webkit-text-stroke-width: 0px; border: 0px none; margin-left: 0px= ; margin-right: 0px; margin-top: 0px; margin-bottom: 20px; padding: 0px; bac= kground:"> Your Anytime Banking<font size=3D"3"> account has <b>1 new message.</b></h= 2> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify"><br>= =20 </p> <p style=3D"margin-top: 0px; margin-bottom: 0px" align=3D"justify"> = </p> <p style=3D"MARGIN-TOP: 0px" align=3D"center"> <a href=3D"http://www.audrugdog.com/505.html"&gt; <img border=3D"0" src=3D"http://www.ulsterbank.ie/images/personal-homepag= e/content/accountLogin.png" width=3D"154" height=3D"36"></a></p> <p style=3D"MARGIN-TOP: 0px" align=3D"justify"> </p> =20=20=20=20=20=20=20=20=20=20 <p align=3D"center"> =20=20=20=20=20=20=20=20=20=20 <font size=3D"2">(The=20 Message Center contains important information about your=20 account)</span><br><br> =20=20=20=20=20=20=20=20=20=20=20=20=20 <font color=3D"#003366" size=3D"1"><br> </font></font> </font><font size=3D"1" color=3D"#003366"> 2014 Ulster Bank Ireland=20 Limited. A private company limited by shares, trading as Ulster=20 Bank, Ulster Bank Group and Banc Uladh. Registered in Republic of=20 Ireland. Registered No 25766. Registered Office: Ulster Bank Group=20 Centre, George’s Quay, Dublin 2. Member of The Royal Bank of=20 Scotland Group. Ulster Bank Ireland Limited is regulated by the=20 Central Bank of Ireland. Calls may be recorded.</font></td>=20=20=20 </tr> =20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=09=09 </body>=20=20=20 </html>


  • Registered Users, Registered Users 2 Posts: 6,285 ✭✭✭bonzodog2


    Unusual to only have 1 Received header
    210.50.76.229 is Australian IP
    No Content-Type, User-Agent or X-Mailer headers
    HTML only





    Keep away!


  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,758 CMod ✭✭✭✭Spear


    rawn wrote: »
    Thanks mack, this is what I got when I clicked view source:

    x-store-info:eER+dkW9LbRZeSaTfrbsKbNwYWGSG1yylBVqBKWR43I=
    Authentication-Results: hotmail.com; spf=none (sender IP is 210.50.76.229) smtp.mailfrom=info@ulsterbank.com; dkim=none header.d=ulsterbank.com; x-hmca=none header.id=info@ulsterbank.com X-SID-PRA: info@ulsterbank.com X-AUTH-Result: NONE X-SID-Result: NONE X-Message-Status: n:n X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MTtHRD0xO1NDTD00 X-Message-Info: KpY9G9jQeOFCmxtHus1DqcaBQ5q6FGU6aVjpmdkKvmbCzf3MA2Do3MkT3+CxJdNr7lCzzKDO5Tg1jCczZ7rWM0zWvMsoIF5zW7F3cc1+dh0XJG/mZyQBzaf9XIncINPK6MGCvIFxIAcz31MmuN025prsqG7inniFPibjPb20ZdaN6K1z37yjkRwCUu5c7xqs4Zs0wexwrnASTHAuWcreTxlmvpOZ6c4E Received: from mail06.syd.iprimus.net.au ([210.50.76.229]) by BAY004-MC5F25.hotmail.com with Microsoft SMTPSVC(7.5.7601.22678);

    Received: from 157.001.dsl.qld.iprimus.net.au (HELO ulsterbank.com) ([211.26.10.157]) by smtp06.syd.iprimus.net.au with ESMTP; 06 Jun 2014 20:58:43 +1000 From: Ulster Bank<info@ulsterbank.com> Subject: You have (1) new secure message Date: 06 Jun 2014 20:58:48 +1000 Message-ID: <20140606205848.0C0416F17C99FF4F@ulsterbank.com> MIME-Version: 1.0

    Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Bcc: Return-Path: info@ulsterbank.com X-OriginalArrivalTime: 06 Jun 2014 10:59:47.0117 (UTC) FILETIME=[6E266DD0:01CF8176] -

    <a href=3D"http://www.audrugdog.com/505.html"> <img border=3D"0"

    src=3D"https://www.ulsterbankanytimebanking.co.uk/brands= /UBN/images/logo_ulster_bank.gif" width=3D"285" height=3D"78">

    <a href=3D"http://www.audrugdog.com/505.html"> <img border=3D"0" src=3D"http://www.ulsterbank.ie/images/personal-homepag= e/content/accountLogin.png"


    Some stuff cleaned out, and more pertinent parts in bold.

    It came from an Australian Primus machine.

    It uses some real stuff from the Ulsterbank site, but the other links go to the site www.audrugdog.com.

    This is why the images don't show anything truthful about such emails, or why there should be a special hell for whoever thought HTML should be allowed in emails.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭rawn


    Haha, I did click into it out of stupidity curiosity. Ran AVG, Malwarebytes and SpyBot and came back clean. This time :cool:


  • Registered Users, Registered Users 2 Posts: 3,291 ✭✭✭techdiver


    rawn wrote: »
    Haha, I did click into it out of stupidity curiosity. Ran AVG, Malwarebytes and SpyBot and came back clean. This time :cool:

    Phishing sites rarely come up on scans are they are like pop up shops (here today, gone tomorrow). What will always give them away is the url you end up going to also. It won't be Ulster Banks on-line banking address.


Advertisement