Wells Fargo Bank Security Alert – Phishing Example

This phishing attempt is a nearly perfect textbook example so we’ve decided to use it to highlight some of the usual characteristics of this type of email fraud.

If you arrived here after receiving a copy of this message you are right to be suspicious. We’re not sure what triggered your suspicion but here’s something that should definitely set off your inner fraud detection alarms . . .

Verify Your Identity

Not all companies are careful to avoid making phishing easy but most of them know better than to ask you to “verify your identity” using a web form. This should be your first clue that this email is bogus.

Subject: Wells Fargo Bank Security Alert

From: Wells Fargo Online Banking <onlinebanking@alerts.wellsfargo.com>

Our Valued Customer,

For your security, Wells Fargo Bank has safeguard your account when there is a possibility that someone other than you is attempting to sign on. You now need to verify your Identity.

To verify your identity, kindly follow reference below and take the directions to instant activation.

http://online.wellsfargo.com/verification/
Thank you for helping us to protect you.

Security Advisor
Wells Fargo Bank, N.A., Member FDIC

Note: We wrote up an almost identical phishing campaign a not too long ago. This is a variation and it probably won’t be the last time we’ve seen it. They’ll hack another server and try again.

Fake From Address

The next phishing indicator is the spoofed “From:” address. This one requires a little work. To check the “From:” you need to look at the message headers wherein you will find a list of all the servers that this message passed through on its way to you.

  • [0]: ‘from moutng.kundenserver.de ([212.227.126.186]) by MailFilter1.onlymyemail.com with esmtp (Exim 4.67) (envelope-from <onlinebanking@alerts.wellsfargo.com>) id 1P8I45-0003H9-Ij for bpodratz@sebesta.com; Tue, 19 Oct 2010 15:41:42 -0400’
  • [1]: ‘from icpu1038.kundenserver.de (infong378.kundenserver.de [212.227.29.180]) by mrelayeu.kundenserver.de (node=mreu2) with ESMTP (Nemesis) id 0MdZVI-1PI6kC24gm-00PgQp; Tue, 19 Oct 2010 21:41:40 +0200’
  • [2]: ‘from 174.132.195.194 (IP may be forged by CGI script) by icpu1038.kundenserver.de with HTTP id 4AgGT7-1P8I441pKE-0000zv; Tue, 19 Oct 2010 21:41:40 +0200’

The above are the “Received” headers from this email. Normally, if you’re looking at them in an email client you’ll have to sort them out from the rest of the headers; they should be easy to spot because they’re all labeled “Received”. (Most email clients will show you the headers but it may take a bit of hunting to find out how. You can start by checking the View menu for anything about Headers.)

The top header is the most recent and shows one of our servers, MailFilter1.onlymyemail.com, receiving the message from moutng.kundenserver.de. So our first question is: Why is Wells Fargo relaying through German server? (.de is the top level domain for Germany.)

Notice that there are no mail servers in the list with names that even remotely resemble Wells Fargo or wellsfargo.com. While it is possible that Wells Fargo may use servers that don’t have Wells Fargo in the name it’s unlikely that their email originated in Germany.

At this point we’re pretty sure this is a phishing email but let’s keep going.

Dear Customer

Next, note the salutation

Our Valued Customer,

and signature

Security Advisor
Wells Fargo Bank, N.A., Member FDIC

Both are completely generic.

If you have an account at Wells Fargo and they know your email address you can bet that they know your name too. They’re not going to address you as “Our Valued Customer”. They would also provide a name for the “Security Advisor” or at least use a more generic sounding title like “The Security Team at Wells Fargo”.

Needs A Grammar Checker

If you read the text of the message itself you’ll notice there are some grammatical errors. For example, “has safeguard your account” and the tense conflict between “has safeguard” and “is attempting”. While possible, errors like these are unlikely in an official email from a bank.

So let’s add up what we have so far:

  1. They’re asking us to verify our identity.
  2. They don’t appear to know who we are.
  3. Their English is a little rough.
  4. We checked the headers and the “From:” address is fake.

We can confidently delete the message based on these items but there is one more very important clue — the link they want you to use to verify your identity.

Always Check The Links

Note: We delete links and replace them with blue underlined text in the example emails that we post to avoid linking to spammers. The trick we’re about to describe won’t work on the text-that-looks-like-a-link above.

The link in the message appears to go to this URL:

http://online.wellsfargo.com/verification/

That seems harmless enough. Unfortunately, the text that shows is not necessarily where the link goes. Clicking this link would take you to:

http://www.ideal-case.com/skin/www.Wellsfargo.com/index.html

You can find out the destination of a link by hovering your mouse pointer over it and looking at the status bar (the part at the very bottom) of your browser or email client.

There are two important things to note about the link in this email:

  1. The link shown on the page is not the same as the link destination shown in the status bar.
  2. The URL of the real destination is designed to trick you into believing it goes to wellsfargo.com in case the discrepancy in #1 doesn’t bother you.

The real destination URL breaks down as follows:

  • http:// – This is the protocol the browser or email client will use to request information from the server specified in the URL. Note also that this is not https:// which indicates the more secure SSL protocol.
  • www.idealcase.com/ – The domain hosting the remainder of the URL (definitely not wellsfargo.com).
  • skin/ – A directory (a.k.a. folder) hosted by www.idealcase.com.
  • www.Wellsfargo.com/ – A sub-directory of skin/. This directory was almost certainly an unauthorized addition to idealcase.com and had already been removed when we got around to looking for it.
  • index.html – The target file. This file could contain the phishing form and submit information the the phisher’s server. It could also contain code to redirect to a different server controlled by the phisher.

Regardless of whether it was the actual phishing form or a redirect, idealcase.com deserves some recognition for getting rid of it quickly. Hopefully they’ve also fixed whatever vulnerability allowed it in the first place.

We hope the information provided here helps you recognize and delete phishing emails with more confidence. If you’d prefer not to see them at all you should try our spam filtering service.

  • [0]: ‘from moutng.kundenserver.de ([212.227.126.186]) by MailFilter1.onlymyemail.com with esmtp (Exim 4.67) (envelope-from <onlinebanking@alerts.wellsfargo.com>) id 1P8I45-0003H9-Ij for bpodratz@sebesta.com; Tue, 19 Oct 2010 15:41:42 -0400’
  • [1]: ‘from icpu1038.kundenserver.de (infong378.kundenserver.de [212.227.29.180]) by mrelayeu.kundenserver.de (node=mreu2) with ESMTP (Nemesis) id 0MdZVI-1PI6kC24gm-00PgQp; Tue, 19 Oct 2010 21:41:40 +0200’
  • [2]: ‘from 174.132.195.194 (IP may be forged by CGI script) by icpu1038.kundenserver.de with HTTP id 4AgGT7-1P8I441pKE-0000zv; Tue, 19 Oct 2010 21:41:40 +0200’

- -

OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.

Tags: , , , , ,

One Response to “Wells Fargo Bank Security Alert – Phishing Example”

  1. Pearce Shanks says:

    Is there an e-mail address where your customers can forward FRAUD e-mails … sent in the name of WF?