MF'ing Phishing scams

A family member of mine got a very legitimate-looking email from BofA asking for him to log in and update some information in his account for security. The grammar, appearance, etc. were very well done. The URL was masked and appeared legit.

The source code reveals that the link takes you to this address:

http://www.keotuva.com/logs/Account-Update/BankofAmerica.Com/bankofamerica.signon

Here is the Domain registration information (/whois):

WHOIS information for keotuva.com :

[Querying whois.internic.net]
[Redirected to whois.PublicDomainRegistry.com]
[Querying whois.PublicDomainRegistry.com]
[whois.PublicDomainRegistry.com]
Registration Service Provided By: CONG TY TNHH PHAN MEM NHAN HOA
Contact: +84.903073667
Website: http://nhanhoa.com

Domain Name: KEOTUVA.COM

Registrant:
Nguyen Tien Bao
Nguyen Tien Bao (itsoftvnonline@yahoo.com.vn)
229/14 Trinh Dinh Trong Q Tan Phu TpHCM
HCM
Ho Chi Minh,84
VN
Tel. +84.0978018381

Creation Date: 04-Jun-2008
Expiration Date: 04-Jun-2009

Domain servers in listed order:
ns2.everydns.net
ns1.everydns.net

Administrative Contact:
Nguyen Tien Bao
Nguyen Tien Bao (itsoftvnonline@yahoo.com.vn)
229/14 Trinh Dinh Trong Q Tan Phu TpHCM
HCM
Ho Chi Minh,84
VN
Tel. +84.0978018381

Technical Contact:
Nguyen Tien Bao
Nguyen Tien Bao (itsoftvnonline@yahoo.com.vn)
229/14 Trinh Dinh Trong Q Tan Phu TpHCM
HCM
Ho Chi Minh,84
VN
Tel. +84.0978018381

Billing Contact:
Nguyen Tien Bao
Nguyen Tien Bao (itsoftvnonline@yahoo.com.vn)
229/14 Trinh Dinh Trong Q Tan Phu TpHCM
HCM
Ho Chi Minh,84
VN
Tel. +84.0978018381

Status:LOCKED
Note: This Domain Name is currently Locked. In this status the domain
name cannot be transferred, hijacked, or modified. The Owner of this
domain name can easily change this status from their control panel.
This feature is provided as a security measure against fraudulent domain name hijacking.
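
The masking described in this post, where the link looks like the bank's site but the href in the source points elsewhere, can be checked mechanically. The Python below is an added example, not part of the original post: the visible link text in the sample and all helper names are assumptions, and `base_domain` compares only the last two host labels.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample. The first href is the address quoted in the post; the
# visible link text is an assumption (the post only says the URL looked legit).
SAMPLE_HTML = (
    '<a href="http://www.keotuva.com/logs/Account-Update/BankofAmerica.Com/'
    'bankofamerica.signon">https://www.bankofamerica.com/signon</a>'
    '<a href="https://www.bankofamerica.com/help">www.bankofamerica.com/help</a>'
)
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
# Heuristic: a path segment that is itself a hostname under a common TLD.
SEGMENT_RE = re.compile(r"(?:[a-z0-9-]+\.)+(?:com|net|org)", re.I)
def base_domain(host):
    # Last two labels only; a production check would use the Public Suffix List.
    return ".".join(host.lower().strip(".").split(".")[-2:])

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, reasons) for links whose real host differs from what is shown."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        real = base_domain(parts.hostname or "")
        reasons, shown = [], HOST_RE.search(text)
        if shown and base_domain(shown.group(0)) != real:
            reasons.append("text shows %s, link goes to %s" % (base_domain(shown.group(0)), real))
        for seg in parts.path.split("/"):
            if SEGMENT_RE.fullmatch(seg) and base_domain(seg) != real:
                reasons.append("domain-like path segment: " + seg)
        if reasons:
            findings.append((href, reasons))
    return findings
```

Calling `suspicious_links(SAMPLE_HTML)` flags only the first link, once for the text/host mismatch and once for the bank's domain name appearing as a path segment.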

A WHOIS on the IP that the domain resolves to points to the following as the abuse contact for the server:

OrgAbuseHandle: NOC1610-ARIN
OrgAbuseName: Network Operations Center
OrgAbusePhone: +1-213-627-1937
OrgAbuseEmail: noc@atmlinkinc.com

I would suggest e-mailing them, so at the very least they can shut down the site.

[QUOTE=NinerAdvocate;411868]A family member of mine got a very legitimate-looking email from BofA asking for him to log in and update some information in his account for security. The grammar, appearance, etc. were very well done. The URL was masked and appeared legit.

[/QUOTE]

I got that same email this past weekend. It did look legit. Thank goodness I did not have a BoA account. I hate the bozos that take advantage of folks that are not aware that there are people like that who send those kinds of emails.

I don't get it. I clicked on that link just to send them screwy info, but it kept saying that I couldn't log in because my account number wasn't right or something.