Capital One Email Phish

Posted by on January 2, 2005

What do you know…checked the mail one last time before going to bed and I get something from Capital One! I don’t have a credit card from Capital One (and the ones I have I’m trying like mad to get rid of…they are SOOoooo evil).

Anyway, so I look at the email. I have turned off all the HTML rendering in Outlook so I get text. In the body of the note I’m encouraged to “securely” verify my stuff and here’s the link I would click to do so:

http ://203.232.77.198/oas/verification/login-doobjectclicked-LoginSplash.php

Sneaky ain’t they? BUT WAIT! There’s More!

My first clue (as if I needed any) is the “http” and *NOT* the “https” that should be there. Now… the way the link would have been displayed had I not disabled HTML is:

https://service.capitalone.com/oas/login.do?objectclicked=LoginSplash

So the unsuspecting might think the link was good. I took the IP address in the REAL link and ran it through SamSpade and the strangest thing was displayed:

(www.nic.or.kr) Whois
query: 203.232.77.198
ENGLISH
KRNIC is not a ISP but a National Internet Registry similar to APNIC.
The followings are information of the organization that is using the IPv4 address.
IPv4 Address : 203.232.77.192-203.232.77.223
Network Name : KORNET-HOTLINE2003218527
Connect ISP Name : KORNET

What is KORNET you ask?
It is an ISP in South Korea. Asian ISPs are notorious spam sources, and the bad guys know that, so they use Asian ISPs for their dirty work.

Betcha didn’t know Capital One had offices in South Korea, did ya? Well, fact is they might. I SERIOUSLY doubt that is where they handle their account verifications, however.
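The trick described above (a visible link that reads as a legitimate https URL while the real href points at a bare IP over plain http) is easy to catch mechanically once the HTML is parsed rather than rendered. The following is an added example, not code from the original post: it pulls every anchor out of an HTML mail body and flags three things, a raw IP literal in the href, a mismatch between the host shown in the link text and the host actually in the href, and an https scheme shown while http is used. The sample message is constructed here; its first link reuses the two URLs quoted in the post, the www.example.com links are assumptions added for contrast.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample: the first anchor mirrors the phish in the post
# (displayed text vs. real href); the example.com anchors are benign filler.
SAMPLE_EMAIL = """<html><body>
<p>Please <a href="http://203.232.77.198/oas/verification/login-doobjectclicked-LoginSplash.php">https://service.capitalone.com/oas/login.do?objectclicked=LoginSplash</a> to verify.</p>
<p>Help: <a href="https://www.example.com/help">https://www.example.com/help</a></p>
<p><a href="https://www.example.com/unsubscribe">Unsubscribe</a></p>
</body></html>"""

# Does the visible text look like a URL (with or without a scheme)?
URL_LIKE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/|$)", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url):
    """Lower-cased hostname of a URL; a scheme is assumed if missing."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_links(html):
    """Return one dict per anchor: href, visible text, and a list of flags."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        flags = []
        href_scheme = urlparse(href).scheme.lower()
        if href_scheme not in ("http", "https", ""):
            # mailto:, tel: etc. are out of scope for this check
            findings.append({"href": href, "text": text, "flags": flags})
            continue
        href_host = _host_of(href)
        if _is_ip_literal(href_host):
            flags.append("href-is-ip-literal")
        if URL_LIKE.match(text):
            # The reader sees a URL; compare what is shown with what is used.
            if _host_of(text) != href_host:
                flags.append("display-host-mismatch")
            if text.lower().startswith("https://") and href_scheme == "http":
                flags.append("https-shown-http-used")
        findings.append({"href": href, "text": text, "flags": flags})
    return findings


def suspicious_links(html):
    """Only the anchors that raised at least one flag."""
    return [f for f in analyse_links(html) if f["flags"]]


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL):
        print(finding["flags"] or ["ok"], finding["href"])
```

Run against the sample, only the first anchor is reported, with all three flags; the two example.com anchors come back clean. A display-host mismatch is the strongest of the three signals, since a legitimate mailer has no reason to show one host and link to another.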

Last modified on January 2, 2005

Categories: InfoSec
