Another Spoof Email and Phishing Scam report by MillerSmiles.co.uk - click this image to go to our home page.

4903 Phishing Scams targeting Nat West, Barclays, Lloyds TSB, Nationwide, Halifax.
after their appearances earlier this month - this persistent Phishing Scam is targeting on line Banks yet again
24th May 2004

email subjects include..

To all Natwest Bank users!
from Halifax Internet banking
Barclays IBank informs you
! your account ...
!Natwest Bank info
!0fficial Notice for all Barclays IBank users

please forward any scams you've received to spoof@millersmiles.co.uk

Report Summary
Date Reported	20th May 2004 - this scam is ongoing
Apparent Sender	Multiple Online Banking Institutions are being targeted - this includes Barclays, Nationwide, Halifax, Citibank, Nat West
Return Address	Varies, but all spoofed to correlate with who they are pretending to be from
Subject	varies - in this latest batch, the subject has been "! your account " followed by the bank's name, and others have included ... To all Natwest Bank users! from Halifax Internet banking Barclays IBank informs you
Format	HTML - all emails come in HTML format and either bear a GIF image alone (clicking the image will direct your browser to one of the many forged pages), or An image with text and disguised link which opens one of the many forged web pages.
Method	disguised link or image leads to bogus web content - all of the various forged pages contain forms which ask for log in or account information - all of these forms capture submitted data via a local script (in the same web space).
Bogus Web Content?	Yes - multiple forged Online Banking pages.
URL of web content	All URLs used are obfuscated within the email source code and are all sub domains of the userset or userdll domains such as ... * http://www.halifax-online.co.uk. userset.net:4903/h/formslogin.htm * http://userdll.com/wn/index.htm * http://userdll.com/na/index.htm * http://81.113.186.13:4903/ba/1logon00.htm SEE AN EXAMPLE - HALIFAX 4903 SCAM
RISK LEVEL	Medium
WARNINGS	1. Some of the 4903 Phishing Scams exploit the URL Spoofing (canonicalisation) vulnerability in Internet Explorer browsers - run Windows Update to ensure your browser is patched. 2. Some of the 4903 Phishing Scams employ script to open the genuine eBay.com home page as a backdrop to the bogus page. 3. The one common denominator in these scams is the use of the userset.net and userdll.com domains (the latest examples include URLs with an IP address in place of a domain name) - use our advice below to prevent this scam affecting or reaching you ...

The 4903 Phishing Scams are back and Online Banking Institutions are the target again ...

Want to avoid this scam? Of-course you do ... to block any web content from these domains reaching your computer ...

either,

1. Block the domains from within your Hosts file in Windows. To do this, First we would need to find the Hosts file ...

a. Go to your Windows directory using Windows Explorer and search within that directory for a file called Hosts (no file extension!)

b. Open the Hosts file with a text editor (such as Notepad)

c. Add each of the two domains on separate lines so that the Hosts file looks something like ...

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1        localhost
127.0.0.1        userset.net
127.0.0.1        userdll.com

This will completely block access from these domains to your computer, but you must ensure that the file is saved without a file extension - notepad will add .txt to it, if that happens, remove the file extension in Windows Explorer using 'Rename' from the right click menu.

Here are some useful resources concerning the HOSTS file ...

http://www.mvps.org/winhelp2002/hosts.htm
http://www.computergripes.com/ttdir/hosts.html
http://www.ecst.csuchico.edu/~atman/spam/adblock.shtml

or alternatively,

1. Block these two domains from within your Firewall. However, we recommend blocking using the Hosts file as this is used above and before any other third party windows software.

Examples of the Spoof Emails ...

4903 Phishing Scams targeting Nat West, Barclays, Lloyds TSB, Nationwide, Halifax.


Stay informed of the latest Spoof Email Phishing Scams with either of our FREE alert services... Email Alerts Add your email address to our email alert service... Subscribe Privacy Policy RSS News Feed Tap into our Scam Alert service using your News Reader or Aggregator (including My Yahoo!). Scam Alert News Feed You can even put the latest alerts on your own web site.

Library of Spoof Email Phishing Scams Brief guide to Phishing Full article on spoof email scams Spoof URL Checker Link Checker Browser URL Spoofing Vulnerability Check Latest browser bug aids Phishing Scams - beware!

Click the arrow to return to previous page Home Guides... Book Terminology How to identify a first edition book Auction Watcher List of the main Auction Sites world wide
<table border='0' cellpadding='0' cellspacing='0' width='120' height='243'> <!--DWLayoutTable--> <tr> <td><a href='http://www.amazon.co.uk/exec/obidos/redirect-home/millersmile09-21' target=_top ><img src="http://images-eu.amazon.com/images/G/02/associates/recommends/default_120x243.gif" width=120 height=243 border="0" access=regular></a></td> </tr> <tr> <td height="1"><img src="../spacer.gif" alt="" width="120" height="1"></td> </tr> </table>

4903 Phishing Scams targeting Nat West, Barclays, Lloyds TSB, Nationwide, Halifax. after their appearances earlier this month - this persistent Phishing Scam is targeting on line Banks yet again 24th May 2004

To all Natwest Bank users! from Halifax Internet banking Barclays IBank informs you ! your account ... !Natwest Bank info !0fficial Notice for all Barclays IBank users

4903 Phishing Scams targeting Nat West, Barclays, Lloyds TSB, Nationwide, Halifax.
after their appearances earlier this month - this persistent Phishing Scam is targeting on line Banks yet again
24th May 2004

To all Natwest Bank users!
from Halifax Internet banking
Barclays IBank informs you
! your account ...
!Natwest Bank info
!0fficial Notice for all Barclays IBank users