NetKnow Corporate Blog | Entries from Tuesday, August 23. 2011

More RBC Phish

CIBC Phish

Posted by Dave Yadallee on Tuesday, August 23. 2011

From survey@rbc.com Tue Aug 23 09:48:52 2011

Return-Path: survey@rbc.com

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level:

X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=unavailable

version=3.3.2

X-Original-To: archive@nl2k.ab.ca

Delivered-To: archive@nl2k.ab.ca

Received: from localhost (localhost.nl2k.ab.ca [127.0.0.1])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id E7E3B12CFAB4

for ; Tue, 23 Aug 2011 09:48:51 -0600 (MDT)

X-Virus-Scanned: amavisd-new at doctor.nl2k.ab.ca

Received: from doctor.nl2k.ab.ca ([127.0.0.1])

by localhost (doctor.nl2k.ab.ca [127.0.0.1]) (amavisd-new, port 10024)

with ESMTP id TOT8DxviJ5SE for ;

Tue, 23 Aug 2011 09:48:40 -0600 (MDT)

Received: from sometconstruct.ro (sometconstruct.ro [89.18.7.50])

(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))

(No client certificate requested)

by doctor.nl2k.ab.ca (Postfix) with ESMTPS id 1C29712CFAB2

for ; Tue, 23 Aug 2011 09:48:31 -0600 (MDT)

Received: (qmail 20503 invoked by uid 210); 23 Aug 2011 15:40:06 -0000

Received: from 62.139.182.98 by somet (envelope-from , uid 201)

with qmail-scanner-1.25st (clamdscan: 0.92.1/5777. perlscan: 1.25st.

Clear:RC:1(62.139.182.98):. Processed in 8.822449 secs); 23 Aug 2011

15:40:06 -0000

Received: from unknown (HELO rbc.com)

(postmaster@sometconstruct.ro@62.139.182.98) by 192.168.16.3 with

ESMTPA; 23 Aug 2011 15:39:57 -0000

From: RBC Royal Bank

To: archive@nl2k.ab.ca

Subject: RBC Royal Bank Notification.

X-Eset-AntiSpam: OK;60;calc;2011-08-23 18:40:06;1108231840060045;FCDF

Date: 23 Aug 2011 18:52:25 +0300

Message-ID: <20110823185225.8C95F48B698A333D@rbc.com>

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0012_46C22F29.0A598261"

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

[-- Attachment #1 --]

[-- Type: text/plain, Encoding: 8bit, Size: 0.8K --]

Content-Type: text/plain

Content-Transfer-Encoding: 8bit

Dear members,

You have been selected to participate in a public opinion poll

conducted by RBC Royal Bank, a non-partisan polling

organization. The poll is about current events at the national

level and your views about them. It is short and should take you

only 5-7 minutes to complete. All of your answers will be kept

strictly confidential and will be used only for legitimate

research purposes.

Please download and unpack the form attached to this email and

open it in a web browser.

Each person taking the poll will win $200

Thank you for your participation!

Sincerely,

Survey Manager

__________ Information from ESET Mail Security, version of virus signature

+database 6403 (20110823) __________

The message was checked by ESET Mail Security.

http://www.eset.com

[-- Attachment #2: RBC Royal Bank Notification.zip --]

[-- Type: application/octet-stream, Encoding: base64, Size: 6.9K --]

Content-Type: application/octet-stream; name="RBC Royal Bank Notification.zip"

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename="RBC Royal Bank Notification.zip"

[-- application/octet-stream is unsupported (use 'v' to view this part) --]

August '11

Posted by Dave Yadallee on Tuesday, August 23. 2011

From securityalert@cibc.com Tue Aug 23 08:58:19 2011

Return-Path: securityalert@cibc.com

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on doctor.nl2k.ab.ca

X-Spam-Level: **

X-Spam-Status: No, score=3.3 required=5.0 tests=FORGED_MUA_OUTLOOK,

FORGED_OUTLOOK_TAGS,SARE_OBFU_SPLIT_HR2 autolearn=no version=3.3.2

X-Original-To: root@doctor.nl2k.ab.ca

Delivered-To: root@doctor.nl2k.ab.ca

Received: from localhost (localhost.nl2k.ab.ca [127.0.0.1])

by doctor.nl2k.ab.ca (Postfix) with ESMTP id 0835612CFAB5

for ; Tue, 23 Aug 2011 08:58:19 -0600 (MDT)

X-Virus-Scanned: amavisd-new at doctor.nl2k.ab.ca

Received: from doctor.nl2k.ab.ca ([127.0.0.1])

by localhost (doctor.nl2k.ab.ca [127.0.0.1]) (amavisd-new, port 10024)

with ESMTP id kkNDIpbJBE6i for ;

Tue, 23 Aug 2011 08:58:09 -0600 (MDT)

Received: from correoweb.wonderl.com (kompassocean.com [200.74.218.204])

(using SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))

(No client certificate requested)

by doctor.nl2k.ab.ca (Postfix) with ESMTPS id DF3ED12CFAB4

for ; Tue, 23 Aug 2011 08:58:04 -0600 (MDT)

Received: from User ([173.184.125.121])

by correoweb.wonderl.com (Merak 6.1.0) with ASMTP id MWK37904;

Tue, 23 Aug 2011 10:15:46 -0430

From: CIBC Online Banking

Subject: ***SPAM** CIBC Bank -Anti-Fraud International

Date: Tue, 23 Aug 2011 08:57:49 -0600

MIME-Version: 1.0

Content-Type: text/html;

charset="Windows-1251"

Content-Transfer-Encoding: 7bit

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

X-Sanitizer: This message has been sanitized!

X-Sanitizer-URL: http://mailtools.anomy.net/

X-Sanitizer-Rev: $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

src="https://www.cibconline.cibc.com/olb/img/cibc-logo.gif"

width="100" height="82">

Our Valued Customer,

For your security, CIBC Bank has safeguard your account

when there is a

possibility that someone other than you is attempting

to sign on.

You now need to verify your Identity.

To verify your identity, kindly follow

style="font-size: 10pt; font-family: Arial; color: black">

reference below and take the directions to instant

activation.

size="2">

https://www.cibconline.cibc.com/olbtxn/authentication/PreSign

On

face="Tahoma">

face="Arial">Thank you for

helping us to protect you.

color="black" size="2" face="Tahoma">

Security Advisor

color="#006699"face="Arial"size="2">

color=""face="Arial"size="2">The CIBC Online Security

Guarantee

This message has been

+'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.




Sanitizer (start="1314111500"):


  SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):


    Match (names="unnamed.html, filetype.html", rule="2"):


      Enforced policy: accept





  Rewrote HTML tag: >>_table id="table3" style="BORDER-COLLAPSE: collapse"


+width="564" border="0"_<<


                as: >>_table id="table3" DEFANGED_style="BORDER-COLLAPSE:


+collapse" width="564" border=0_<<


  Note: Styles and layers give attackers many tools to fool the


  user and common browsers interpret Javascript code found


  within style definitions.





  Rewrote HTML tag: >>_span style="font-size: 10pt; font-family: Arial;


+color: black"_<<


                as: >>_DEFANGED_span style="font-size: 10pt; font-family:


+Arial; color: black"_<<


  Rewrote HTML tag: >>_/span_<<


                as: >>_/DEFANGED_span_<<


  Rewrote HTML tag: >>_/div_<<


                as: >>_/p__DEFANGED_div_<<


  Total modifications so far: 4

Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

This message has been

+'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following

log describes which actions were taken.




Sanitizer (start="1314111500"):


  SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):


    Match (names="unnamed.html, filetype.html", rule="2"):


      Enforced policy: accept





  Rewrote HTML tag: >>_table id="table3" style="BORDER-COLLAPSE: collapse"


+width="564" border="0"_<<


                as: >>_table id="table3" DEFANGED_style="BORDER-COLLAPSE:


+collapse" width="564" border=0_<<


  Note: Styles and layers give attackers many tools to fool the


  user and common browsers interpret Javascript code found


  within style definitions.





  Rewrote HTML tag: >>_span style="font-size: 10pt; font-family: Arial;


+color: black"_<<


                as: >>_DEFANGED_span style="font-size: 10pt; font-family:


+Arial; color: black"_<<


  Rewrote HTML tag: >>_/span_<<


                as: >>_/DEFANGED_span_<<


  Rewrote HTML tag: >>_/div_<<


                as: >>_/p__DEFANGED_div_<<


  Total modifications so far: 4

Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $

This message has been

+'sanitized'. This means that potentially

dangerous content has been rewritten or removed. The following

log describes which actions were taken.




Sanitizer (start="1314111500"):


  SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):


    Match (names="unnamed.html, filetype.html", rule="2"):


      Enforced policy: accept





  Rewrote HTML tag: >>_table id="table3" style="BORDER-COLLAPSE: collapse"


+width="564" border="0"_<<


                as: >>_table id="table3" DEFANGED_style="BORDER-COLLAPSE:


+collapse" width="564" border=0_<<


  Note: Styles and layers give attackers many tools to fool the  


user and common browsers interpret Javascript code found


  within style definitions.





  Rewrote HTML tag: >>_span style="font-size: 10pt; font-family: Arial;color: black"_<<


                as: >>_DEFANGED_span style="font-size: 10pt; font-family:Arial; color: black"_<<


  Rewrote HTML tag: >>_/span_<<


                as: >>_/DEFANGED_span_<<


  Rewrote HTML tag: >>_/div_<<


                as: >>_/p__DEFANGED_div_<<


  Total modifications so far: 4

Anomy 0.0.0 : Sanitizer.pm

$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $