List of Banks often spoofed in Phishing scams - SpamAssassin


  2. List of Banks often spoofed in Phishing scams

    Here's a short list of banks often spoofed in phishing scams. I'm using
    this list as follows:

    If the FCrDNS matches one of these domains it is ham.
    If the sender or from address matches one of these domains and the
    domain doesn't appear in the Received headers - it's a phish.

    If anyone has any additions to the list that would be great.

    2checkout.com
    2co.com
    abbey.co.uk
    adp.com
    anz.com.au
    banknorth.com
    bankofamerica.com
    bankofoklahoma.com
    bankofthewest.com
    barclays.co.uk
    bmm.com.au
    boh.com
    capitalone.com
    careerbuilder.com
    careercantre.com
    centralbank.net
    charterone.com
    charteronebank.com
    chase.com
    chasebank.com
    cibc.ca
    citibank.com
    citizensbank.com
    clearmountainbank.com
    csfcu.coop
    cu.org
    cuna.org
    downeysavings.com
    e-gold.com
    ebay.com
    egg.com
    eppicard.com
    fleetbank.com
    fnb.co.za
    halifax-online.co.uk
    hsbc.co.uk
    huntington.com
    lasallebank.com
    maxfcu.com
    mbna.com
    nafcu.org
    natwest.co.uk
    natwest.com
    navyfcu.org
    nwolb.com
    paypal.com
    pvfcu.org
    rbs.co.uk
    regionsbank.com
    royalbankofcanada.com
    southtrust.com
    suntrust.com
    suntrustbank.com
    tcfbank.com
    uboc.com
    unionplanters.com
    usbank.com
    visa.com
    wamu.com
    wellsfargo.com
    westernunion.com
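
The two heuristics above, written as a local.cf fragment. This is an added example, not Marc Perkel's own rule set, and it uses a trimmed sample of the list; the rule names, the scores and the choice of sample domains are assumptions. The "domain appears in the Received headers" test is a plain Received: match. The "FCrDNS matches" test reads the rdns= field of the first external relay in SpamAssassin's X-Spam-Relays-External pseudo-header, which is the reverse name your own trusted MTA wrote into its Received: line, so it is only as good as your trusted_networks setting and your MTA's habit of recording verified names.

```spamassassin
# Added example, not the original poster's rules. Sample of the list above;
# extend each alternation with the rest of the domains as needed.

# The message claims one of the listed domains in the visible From: or in
# the envelope sender (Return-Path / envelope_sender_header).
header   __SPOOFED_BANK_FROM     From:addr =~ /\@(?:[\w-]+\.)*(?:bankofamerica\.com|chase\.com|citibank\.com|paypal\.com|ebay\.com)$/i
header   __SPOOFED_BANK_ENVFROM  EnvelopeFrom =~ /\@(?:[\w-]+\.)*(?:bankofamerica\.com|chase\.com|citibank\.com|paypal\.com|ebay\.com)$/i

# Does any Received: line mention the bank's domain at all?
header   __SPOOFED_BANK_RCVD     Received =~ /\b(?:bankofamerica\.com|chase\.com|citibank\.com|paypal\.com|ebay\.com)\b/i

# Does the reverse DNS of the first external relay (the host our own trusted
# MTA accepted the message from) sit inside the bank's domain? The "[^\]]+"
# anchors the match to the first relay entry in X-Spam-Relays-External.
header   __SPOOFED_BANK_RDNS     X-Spam-Relays-External =~ /^[^\]]+ rdns=(?:[\w-]+\.)*(?:bankofamerica\.com|chase\.com|citibank\.com|paypal\.com|ebay\.com) /i

# Phish side: a bank claim with no relay and no Received: line in that domain.
meta     BANK_FROM_NO_BANK_RCVD  (__SPOOFED_BANK_FROM || __SPOOFED_BANK_ENVFROM) && !__SPOOFED_BANK_RCVD && !__SPOOFED_BANK_RDNS
describe BANK_FROM_NO_BANK_RCVD  Claims a frequently phished bank but no relay is in that domain
score    BANK_FROM_NO_BANK_RCVD  3.0

# Ham side: a bank claim and the delivering relay really resolves into the
# bank. A negative score rather than a whitelist entry, because a matching
# relay says nothing about a compromised account behind it.
meta     BANK_FROM_RDNS_MATCH    (__SPOOFED_BANK_FROM || __SPOOFED_BANK_ENVFROM) && __SPOOFED_BANK_RDNS
describe BANK_FROM_RDNS_MATCH    Sender claims a bank and the external relay's reverse DNS is in that domain
score    BANK_FROM_RDNS_MATCH    -2.0
```

Two caveats. A phisher can prepend a Received: line that names the bank, so __SPOOFED_BANK_RCVD only ever argues for ham and must never be trusted on its own; the rdns test is anchored to the first external relay precisely because that entry comes from your MTA and not from the sender. And because one alternation covers every domain, a From: of chase.com delivered by a relay in paypal.com still satisfies BANK_FROM_RDNS_MATCH; per-bank pairs of sub-rules tie the two together at the cost of a longer file. The replies below point out that banks routinely send through third-party mailers whose relays never mention the bank, which is why the phish rule adds a score rather than rejecting. Check a saved message with `spamassassin -t < message.eml` and look for the rule names in the report.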




  3. Re: List of Banks often spoofed in Phishing scams

    Marc Perkel wrote:
    > If the FCrDNS matches one of these domains it is ham.
    > If the sender or from address matches one of these domains and the
    > domain doesn't appear in the Received headers - it's a phish.
    >
    > citibank.com


    It's worth noting that Citibank still sometimes uses other domains.
    I've seen legit mail from them that uses a citibank.com address, but is
    sent from a citigroup.com server.

    It could be worse -- a few years ago, they'd use about 5 or 6 domains on
    a regular basis, including the defunct c2it.com. Take a look at the
    SARE_FORGED_CITI rule in 70_sare_spoof.cf.

    --
    Kelson Vibber
    SpeedGate Communications


  4. Re: List of Banks often spoofed in Phishing scams



    --On Tuesday, June 3, 2008 9:32 -0700 Kelson wrote:

    > Marc Perkel wrote:
    >> If the FCrDNS matches one of these domains it is ham.
    >> If the sender or from address matches one of these domains and the
    >> domain doesn't appear in the Received headers - it's a phish.
    >>
    >> citibank.com

    >
    > It's worth noting that Citibank still sometimes uses other domains. I've
    > seen legit mail from them that uses a citibank.com address, but is sent
    > from a citigroup.com server.



    Many banks also send mail from third-party servers. Bank of America
    sends from customercenter.com and par3.com. American Express sends
    from aexp.com (which is theirs) and cheetahmail.com. Some send from
    bigfoot. It's only personal bank account information-- why keep the
    data in-house? :-)

    I've noticed those citi mismatches too. Sometimes the PTR and A
    records are even confused as to which citi* domain the host is in.

    Anyway-- not finding the bank domain in a Received header is _not_ good
    enough to call it a phish. It would be nice if it were so. They
    _usually_ have good SPF records, but I've seen a major bank leave
    off their third-party mailer.


    Joseph Brennan
    Columbia University Information Technology


  5. Re: List of Banks often spoofed in Phishing scams

    > royalbankofcanada.com

    This is the wrong URL for the Royal Bank, it appears to be a domain
    camping site. Generally RBC's emails come from rbc.com, they also own
    royalbank.com, royalbank.ca, rbcroyalbank.ca and rbcroyalbank.com.

    Also you can add:
    desjardins.com

    I get a fair number of phishing spoofing them as well.


  6. Re: List of Banks often spoofed in Phishing scams



    Patrick McLean wrote:
    >> royalbankofcanada.com

    >
    > This is the wrong URL for the Royal Bank, it appears to be a domain
    > camping site. Generally RBC's emails come from rbc.com, they also own
    > royalbank.com, royalbank.ca, rbcroyalbank.ca and rbcroyalbank.com.
    >
    > Also you can add:
    > desjardins.com
    >
    > I get a fair number of phishing spoofing them as well.
    >

    Thanks Patrick - I added the ones you suggested. Even if the bank
    doesn't use a domain name, if it is on the list and someone tries to
    spoof it, then it will be reported as a phish.


  7. Re: List of Banks often spoofed in Phishing scams

    On Tuesday, June 3, 2008, 10:31:43 AM, Joseph Brennan wrote:


    > --On Tuesday, June 3, 2008 9:32 -0700 Kelson wrote:


    >> Marc Perkel wrote:
    >>> If the FCrDNS matches one of these domains it is ham.
    >>> If the sender or from address matches one of these domains and the
    >>> domain doesn't appear in the Received headers - it's a phish.
    >>>
    >>> citibank.com

    >>
    >> It's worth noting that Citibank still sometimes uses other domains. I've
    >> seen legit mail from them that uses a citibank.com address, but is sent
    >> from a citigroup.com server.



    > Many banks also send mail from third-party servers. Bank of America
    > sends from customercenter.com and par3.com. American Express sends
    > from aexp.com (which is theirs) and cheetahmail.com. Some send from
    > bigfoot. It's only personal bank account information-- why keep the
    > data in-house? :-)


    Presumably you mean customercenter.net, owned by Checkfree.
    customercenter.com appears to be owned by domainers/squatters.

    Jeff C.
    --
    Jeff Chan
    mailto:jeffc@surbl.org
    http://www.surbl.org/


  8. Re: List of Banks often spoofed in Phishing scams

    > Actually in some ways this leads to an interesting idea. In our wiki
    > here perhaps we should write some guidelines for banks and everyone else
    > running legitimate email servers as to what is the correct way to
    > configure their servers. The first thing that comes to mind is getting
    > FCrDNS correct and making sure that the domain of the from address, the
    > HELO, and FCrDNS all resolve to the bank's domain.


    That is not practical.
    At least in India, banks often use third-party servers to send their
    mailers, and the IPs have PTRs and HELOs which don't match the banks',
    because these don't belong to the bank.

    I do something like this:
    ((! SPF_PASS ) && ( ENV_FROM_GOOD_BANKS || HEADER_FROM_GOOD_BANKS) )
    then give a score of 3.0.

    Of course the GOOD_BANKS are a list of banks which have SPF records.

    Thanks
    Ram


  9. Re: List of Banks often spoofed in Phishing scams


    On Thu, June 5, 2008 07:33, ram wrote:

    > I do something like this.
    > ((! SPF_PASS ) && ( ENV_FROM_GOOD_BANKS || HEADER_FROM_GOOD_BANKS) )
    > then give a score 3.0
    >
    > Of course the GOOD_BANKS are a list of bank which have SPF records.


    We could also just give scores on SPF fail with a meta :-)


    Benny Pedersen
    Need more webspace ? http://www.servage.net/?coupon=cust37098


  10. Re: List of Banks often spoofed in Phishing scams


    On Thu, 2008-06-05 at 12:02 +0200, Benny Pedersen wrote:
    > On Thu, June 5, 2008 07:33, ram wrote:
    >
    > > I do something like this.
    > > ((! SPF_PASS ) && ( ENV_FROM_GOOD_BANKS || HEADER_FROM_GOOD_BANKS) )
    > > then give a score 3.0
    > >
    > > Of course the GOOD_BANKS are a list of bank which have SPF records.

    >
    > We could also just give scores on SPF fail with a meta :-)
    >


    NO,

    Phishers sometimes forge just the header From and not the envelope From.
    You would not get an SPF_FAIL, because there was nothing wrong with the
    sender address. But end users are usually not trained to look at
    the real sender.


  11. Re: List of Banks often spoofed in Phishing scams


    On Thu, June 5, 2008 12:53, ram wrote:

    > Phishers sometimes forge just the header From and not the envelope From.
    > You would not get an SPF_FAIL, because there was nothing wrong with the
    > sender address. But end users are usually not trained to look at
    > the real sender.


    Good banks have equal envelope sender and From, else I blame my bank :-)

    Why care about phishers that fail to do it right?


    Benny Pedersen
    Need more webspace ? http://www.servage.net/?coupon=cust37098


  12. Re: List of Banks often spoofed in Phishing scams


    On Thu, 2008-06-05 at 13:08 +0200, Benny Pedersen wrote:
    > On Thu, June 5, 2008 12:53, ram wrote:
    >
    > > Phishers sometimes forge just the header From and not the envelope From.
    > > You would not get an SPF_FAIL, because there was nothing wrong with the
    > > sender address. But end users are usually not trained to look at
    > > the real sender.

    >
    > Good banks have equal envelope sender and From, else I blame my bank :-)
    >
    > Why care about phishers that fail to do it right?
    >


    The phisher deliberately "fails to do it right" and forges only the
    header From:. It is for us to catch them.
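
ram's rule from post 8, together with the forged-header-From: case that posts 10 and 12 argue over, as a local.cf fragment. This is an added example, not ram's actual configuration; the sample domains, scores and rule names are assumptions, and only banks that really publish SPF belong in the alternation. One thing the shorthand hides: SPF_PASS is evaluated for the envelope sender, so a phish that keeps a clean envelope in the phisher's own SPF-publishing domain and forges only the visible From: gets SPF_PASS and slips past !SPF_PASS. The second meta rule scores that envelope/header disagreement directly.

```spamassassin
# Added example, not ram's own configuration. Only banks that publish SPF
# belong in these alternations; check before adding one, e.g.
#   dig +short TXT bankofamerica.com
header   __ENV_FROM_GOOD_BANKS       EnvelopeFrom =~ /\@(?:[\w-]+\.)*(?:bankofamerica\.com|paypal\.com|ebay\.com)$/i
header   __HEADER_FROM_GOOD_BANKS    From:addr =~ /\@(?:[\w-]+\.)*(?:bankofamerica\.com|paypal\.com|ebay\.com)$/i

# ram's rule: a bank claim in either address without an SPF pass. SPF_PASS
# comes from Mail::SpamAssassin::Plugin::SPF; if that plugin is not loaded
# the rule fires on every bank claim, so run "spamassassin --lint" after
# adding this.
meta     BANK_CLAIM_NO_SPF_PASS      !SPF_PASS && (__ENV_FROM_GOOD_BANKS || __HEADER_FROM_GOOD_BANKS)
describe BANK_CLAIM_NO_SPF_PASS      Claims an SPF-publishing bank but SPF did not pass
score    BANK_CLAIM_NO_SPF_PASS      3.0

# The case from posts 10 and 12: forged From:, untouched envelope. SPF is
# checked on the envelope, so SPF_PASS can be true for the phisher's own
# domain and the rule above stays silent. Score the header/envelope
# disagreement itself. Legitimate bank mail sent through a third-party
# mailer with its own envelope domain trips this too, hence a score and
# not a reject.
meta     BANK_HDR_FROM_ENV_MISMATCH  __HEADER_FROM_GOOD_BANKS && !__ENV_FROM_GOOD_BANKS
describe BANK_HDR_FROM_ENV_MISMATCH  From: claims a bank but the envelope sender is another domain
score    BANK_HDR_FROM_ENV_MISMATCH  2.5
```

`spamassassin --lint` reports a meta rule whose dependency is undefined, which is the quickest way to notice that the SPF plugin is not loaded. As Joseph Brennan noted earlier in the thread, banks sometimes leave a third-party mailer out of their SPF record, and any bank sending through a mailer that uses its own envelope domain trips the mismatch rule, so keep both scores below your required_score and let them add up with other rules instead of deciding on their own.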


  13. Re: List of Banks often spoofed in Phishing scams

    ram writes:

    > That is not practical.
    > At least in India, banks often use third-party servers to send their
    > mailers, and the IPs have PTRs and HELOs which don't match the banks',
    > because these don't belong to the bank.


    Which practice does nothing at all to combat phishing. Banks and other
    financial institutions should send mail only from their own
    domain(s). Any bank which does not have a sufficiently large (or
    clueful) IT setup to enable them to send email from their own domains
    is probably not worth doing business with. Financial institutions should
    be in the forefront of online security.


  14. Re: List of Banks often spoofed in Phishing scams

    Graham Murray wrote:
    > ram writes:
    >
    >> That is not practical.
    >> At least in India, banks often use third-party servers to send their
    >> mailers, and the IPs have PTRs and HELOs which don't match the banks',
    >> because these don't belong to the bank.

    >
    > Which practice does nothing at all to combat phishing. Banks and other
    > financial institutions should send mail only from their own
    > domain(s). Any bank which does not have a sufficiently large (or
    > clueful) IT setup to enable them to send email from their own domains
    > is probably not worth doing business with. Financial institutions should
    > be in the forefront of online security.
    >


    Chances are you do business with them whether you like it or not,
    through other parties that process your payments through BofA, Citicorp,
    Amex and others. :-(
    This is of course not the IT dept, but Marketing.

    All you email admins out there that can afford to block them, please do!
    In the "customer centric world" of email service providers, most email
    admins can't block these mailers, even if they do invite a phishing tag.
    Hopefully, they will get a clue eventually.

    Ken


    --
    Ken Anderson
    Pacific.Net

