Capital One Email Phish
What do you know… checked the mail one last time before going to bed and I get something from Capital One! I don’t have a credit card from Capital One (and the ones I have I’m trying like mad to get rid of… they are SOOoooo evil).
Anyway, so I look at the email. I have turned off all the HTML rendering in Outlook so I get text. In the body of the note I’m encouraged to “securely” verify my stuff and here’s the link I would click to do so:
http ://203.232.77.198/oas/verification/login-doobjectclicked-LoginSplash.php
Sneaky ain’t they? BUT WAIT! There’s More!
My first clue (as if I needed any) is the “http” and *NOT* the “https” that should be there. Now… the way the link would have been displayed had I not disabled HTML is:
https://service.capitalone.com/oas/login.do?objectclicked=LoginSplash
So the unsuspecting might think the link was good. I took the IP address in the REAL link and ran it through SamSpade and the strangest thing was displayed:
(www.nic.or.kr) Whois
query: 203.232.77.198
ENGLISH
KRNIC is not a ISP but a National Internet Registry similar to APNIC.
The followings are information of the organization that is using the IPv4 address.
IPv4 Address : 203.232.77.192-203.232.77.223
Network Name : KORNET-HOTLINE2003218527
Connect ISP Name : KORNET
What is KORNET you ask?

It is an ISP in South Korea. Asian ISPs are notorious spam sources, and the bad guys know that, so they use Asian ISPs for their dirty work.
Betcha didn’t know Capital One had offices in South Korea did ya? Well, fact is they might. I SERIOUSLY doubt that is where they handle their account verifications however.
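The three tells above (the real href uses plain http, its host is a bare IP, and the visible link text shows a different host than the href points to) can be checked mechanically before anyone clicks. The following is an added example, not code from the original post; the HTML body is constructed from the two URLs quoted above and is not the actual message.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (hypothetical markup, not the actual mail): the visible link
# text shows the bank's https URL, the real href points at a bare IP over http.
SAMPLE_HTML = (
    '<p>Please <a href="http://203.232.77.198/oas/verification/'
    'login-doobjectclicked-LoginSplash.php">https://service.capitalone.com/'
    'oas/login.do?objectclicked=LoginSplash</a> to verify your account.</p>'
    '<p><a href="https://service.capitalone.com/help">Help</a></p>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return [(href, [reasons])] for links showing the tells described in the post."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, reasons = urlparse(href), []
        if real.scheme == "http":
            reasons.append("plain http, not https")
        # Dotted-quad host instead of a hostname (IPv4 only, which is enough here).
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real.hostname or ""):
            reasons.append("bare IP address as host")
        # If the anchor text itself looks like a URL, its host must match the href's.
        shown = urlparse(text) if text.startswith(("http://", "https://")) else None
        if shown and shown.hostname != real.hostname:
            reasons.append("visible %s != real %s" % (shown.hostname, real.hostname))
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `check_links(SAMPLE_HTML)` flags only the verification link, with all three reasons; the plain "Help" link passes.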