]]>
Attached is a screen capture of the phishing email from “National City”:
—–Attached—–
—End Attached— Did you see the scam? The HTML text link appears to be real (or legitimate).
http://session-15671333.nationalcity.com/corporate/onlineservices/TreasuryMgmt/
When we place our mouse pointer over the text link, it reveals the actual link as follows:
http://session-15671333.nationalcity.com.userpro.io/corporate/onlineservices/TreasuryMgmt/
Note the words in bold above. The text link makes you think that it is a link to “nationalcity.com”, but the actual link is to “userpro.io”. The domain extension .io is for Indian Ocean (www.nic.io)
Beware of similar scams where the text link shows that it is pointing the the “correct” domain, but the actual link differs.
The following is the full mail header.
— Attached —
Return-path: <customerservice.refqv9478079xh.cm@nationalcity.com>
Delivery-date: Mon, 28 May 2007 23:35:34 -0500
Received: from [84.121.246.194] (helo=84.121.246.194.dyn.user.ono.com)
(envelope-from <customerservice.refqv9478079xh.cm@nationalcity.com>)
Received: from atlanta.com (fool.atlanta.com [102.238.4.245])
by apple.com with SMTP id ELY83K6T4O
From: “National City” <customerservice.refqv9478079xh.cm@nationalcity.com>
User-Agent: PObox II beta1.0
X-Mailer: PObox II beta1.0
boundary=”–SX921D6WWJT.61MNCR.SI5N”
X-NAS-AutoBlock-Description: Always block emails that contain invisible or nearly invisible text
Subject: customer notice: your National City account!
