I thought that it would be pretty stupid for a phishing person to use
their own site (but you never know) and so the probability was that the
site has been hacked. I have already blocked the whole site.
I will report to the two addresses and if the guy has an e-mail address
on his site I will send him a link to his own site :) He will probably
be surprised when he clicks on it.
Thanx for the answers
Goran Jovanovic
The LAN Shoppe
2345 Yonge Street, Suite 302
Toronto, Ontario M4P 2E5
Phone: (416) 440-1167 x-2113
Cell: (416) 931-0688
E-Mail: [EMAIL PROTECTED]
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Matt
> Sent: Thursday, May 12, 2005 4:33 PM
> To: [email protected]
> Subject: Re: [Declude.JunkMail] Phishing Question
>
> One slight correction here. The domain haukelid.com doesn't belong to
> the phisher. This is an active site that was likely just simply
hacked
> and then the PHP code was placed on it...it's a pretty ingenious way
to
> get a clean address.
>
> Matt
>
>
>
> Goran Jovanovic wrote:
>
> >Hi,
> >
> >I do not understand how this is being displayed in IE.
> >
> >I got a phishing e-mail reported to me and I went to check it out.
> >
> >This is the HTML text
> >
> ><P class=Estilo6>To log into your account and verify your account
> >activity,
> >click here: <BR><A
>
>onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess
/
> >rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;"
> >href="http://haukelid.com/hfl/.rbc/index.php";
>
>target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUE
S
> >T=ClientSignin&LANGUAGE=ENGLISH</A></P>
> >
> >Now I understand that this shows up in the e-mail as
> >www1.royalbank.com/....
> >
> >So what I did was to go to the haukelic.com/... page directly in IE.
> >When I get there the address in the address bar is
>
>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSigni
n
> >&LANGUAGE=ENGLISH
> >
> >How is this possible to display some other address when I went to the
> >haukelid.com address?
> >
> >What would people do to prevent this mail from getting through in the
> >future?
> >
> >In the past I would have put into my phishing.txt filter
> >http://haukelid.com but when I go there it is a "real" site and the
> >first level down is also a real site. I am tempted to ban it at the
top
> >level as this person is either using his own site to do phishing from
or
> >his site is compromised and the next URL could be somewhere else on
his
> >site.
> >
> >Can I get some thoughts on this.
> >
> >Thanx
> >
> >
> > Goran Jovanovic
> > The LAN Shoppe
> >---
> >This E-mail came from the Declude.JunkMail mailing list. To
> >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> >type "unsubscribe Declude.JunkMail". The archives can be found
> >at http://www.mail-archive.com.
> >
> >
> >
> >
>
> --
> =====================================================
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =====================================================
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
