Kiwibank phishing scams

Phishing scams, hijacking of TM accounts, keyloggers and all manner of other nasties. This is the place to report them and get help if you've been hit.
madcat11
Members
Posts: 66
Joined: Wed Apr 29, 2009 3:46 am
Location: Nelson

Kiwibank phishing scams

Post by madcat11 » Mon May 03, 2010 5:24 pm

Update & Re-confirm your account details.‏
From: Kiwi Bank (jroberho@ptd.net)
Sent: Monday, 3 May 2010 12:54:28 p.m.
To:


You have 1 new Security Message !

Update & Re-confirm your account details.

Click here to Log In

"
Received: from 60.211.124.81 by pm15.mailnet.ptd.net (envelope-from <jroberho@ptd.net>, uid 50002) with qmail-scanner-2.02 " i presume that is their ip address (got that by clicking view message source on the hotmail webpage..)? [-(

Edit:
Just checked Junk and i recieved 3 other kiwibank emails this month.. getting desperate i guess? :-k

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Mon May 03, 2010 7:11 pm

I've been getting one of these a day for the past week or so. Somebody
is targeting KiwiBank pretty heavily.

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

I Feel Rejected.

Post by Foggyone » Mon May 03, 2010 7:27 pm

Nothing in my spam trap except one lonely Penis Enlargment. email.
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
dobby
Members
Posts: 3336
Joined: Wed Apr 05, 2006 7:48 am
First Name: Dobby
Location: Wellington

Re: New kiwibank scam?

Post by dobby » Tue May 04, 2010 3:44 am

This is well advertised on the Kiwibank Internet Banking page:
Security Warning


Some of our customers have been targeted by Hoax emails claiming to be from Kiwibank.

Please do NOT submit your login details to these links/emails.

These emails have NOT been sent by Kiwibank. Kiwibank will NEVER send you an email with a link to our internet banking login page.

The latest emails prompt you to click on an embedded link that takes you to a fraudulent replica of the Kiwibank internet banking login page.

If you have submitted your login details to what you think is a fraudulent site, please change your password immediately and call us on:
Calls from cellphones 04 473 1133
Anywhere else toll free 0800 11 33 55

KeepSafe is available for free to all Kiwibank internet banking customers. By using KeepSafe with some commonsense security precautions you are eligible for the Kiwibank Internet banking guarantee. https://www.kiwibank.co.nz/about-us/sec ... rantee.asp" onclick="window.open(this.href);return false;



Please Remember:

Kiwibank will NEVER email you a link to our Internet Banking page.

And, we will NEVER prompt to disclose your KeepSafe Questions and Answers in full when logging into Internet Banking.




Attached below is several examples of the latest hoax/Phishing emails:

Image
Image
Idealism increases in direct proportion to your distance from the problem.

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Thu May 06, 2010 5:48 am

Yet another KiwiBank phishing scam today, this time hosted on a Korean
server. They're certainly pumping them out.

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Fri Jun 11, 2010 12:30 am

I've just received a phishing email that leads to rather convincing site.
It's worth looking at because it's so well done. The site is registered
to a Vietnamese but hosted in the US. Reported to SpamCop, Google
(via FireFox) and KiwiBank.

http://dunggttn.com/kiwi.htm" onclick="window.open(this.href);return false;
WARNING - THIS IS A LIVE PHISHING SITE
DO NOT ENTER ANY REAL INFORMATION

(But feel free to enter garbage)
;-)

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Another

Post by Foggyone » Thu Nov 25, 2010 7:57 pm

Picked up a new phish from the spam trap.
We've disabled access to your internet banking
From: Kiwibank Internet Banking <noresponses@email.kiwibank.co.nz>
To: [Deleted Address]
Date: Tue Nov 23 17:13:40 2010
 


Dear Customer,

To ensure your protection, we've now disabled access to your accounts.
You now need to re-set your security. You won't be able to gain access to your accounts until you've done this.

To re-set your security please click on Login Now below.
A new feature of this HTML coded phish is the use of a button to login. And to add insult to injury, the button was leeched from http://www.tdcanadatrust.com/images/login_now-gr.gif" onclick="window.open(this.href);return false;

The website blovked, and has already been taken down from http://www.rdimoveis.com/e107_images/movies/movies.php" onclick="window.open(this.href);return false;
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Thu Aug 11, 2011 11:15 pm

I've just received another KiwiBank phishing scam, nothing new there. However this one originates
from a Paradise IP address - 203.79.71.225 - probably via a malware-compromised PC.
Urgent Action Required !

Dear Valued Customer,

Your Internet banking Access number and password will be deactivated on August 13th,2011 to enable the migration
process from the old corporate internet banking system to the enhanced HLOB system.

Please Click Here to complete the form attached to ensure that your online account services are not disrupted or
deactivated.

Thank you for your continuous support.
The link leads to:
Careful - live phishing site
http://www.nicholasgcook.com/cj/help/kiwibank.co.nz/" onclick="window.open(this.href);return false;

The front page of that site currently carries a message that it's been hacked by "MoJrIm HaCkErS".
The world is becoming a sadder place, day by day.

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Thu Aug 11, 2011 11:41 pm

Another email from the same Paradise IP address but addressed to a different email account
this time and with a different phishing site.

Careful - live phishing site
http://www.bidware.com/software/require ... ank.co.nz/" onclick="window.open(this.href);return false;

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Fri Aug 12, 2011 12:08 am

Jeez... they're coming in thick and fast today. This is a different variation but also using a kiwi IP
address - 202.49.71.54 - which traces to plain.co.nz - a small Christchurch ISP.
Valued Account Holder,

We believe it's important to keep you up to date with the latest online security
measures. We are committed to keeping you and your online service with us safe.

To protect your accounts, our monitoring recently suspended your online service.
Please click below to reinstate your online banking.

Re-instate

Regards

Kiwi Online Helpdesk
Please do not reply to this e-mail, this is not a
monitored e-mail address and we are unable to respond.
While the email originates in NZ the phishing site is hosted on a Thai server:

Careful - another live phishing site
http://www.maewinsamakkee.ac.th/dd/upload/myfile/" onclick="window.open(this.href);return false;

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: Kiwibank phishing scams

Post by Foggyone » Fri Aug 12, 2011 2:43 am

They do love you, don't they?

The final one is interesting. I downloaded the file dataschool.php. Readng through the code it is apparent this is recycled as there are several references in the code to online.lloydstsb.co.uk

Code: Select all

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<!-- source file = LogonPage.html -->
<META http-equiv=Refresh 
content=1;URL=https://www.kiwibank.co.nz/logout.asp?uid=bbzqxoj5lob0smddzuughxfl>
<meta http-equiv="Pragma" content="no-cache">
<title>Kiwibank</title>
<link rel="stylesheet" type="text/css" href="scripts/scripts1.css"
 title="style">

</head>
<body leftmargin="0" topmargin="0" marginheight="0" marginwidth="0"
 margintop="0" marginleft="0"
 style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 0);"
 onload="startCode()" onkeypress="IECheckForEnter()" vlink="#000033">
<form name="theform" method="post" action="Logon.php"
 autocomplete="off" onsubmit="return SubmitOnce()">
    <table width="100%" border="0" cellspacing="0" cellpadding="0" >
        <tbody>
        <tr>
           
            <td><img src="https://online.lloydstsb.co.uk/img/space.gif" width="10" height="10"></td>
            <input type="hidden" name="Java" value="Off">
            <script language="JavaScript">document.theform.Java.value = "On";</script>
        </tr>
        <tr>
            <td height="1" width="18"><img src="https://online-business.lloydstsb.co.uk/img/space.gif" width="1" height="1"></td>
            <td bgcolor="#00ac75" width="100%" height="1"><img src="https://online-business.lloydstsb.co.uk/img/space.gif" width="1" height="1"></td>
            <td height="1" width="10"><img src="https://online-business.lloydstsb.co.uk/img/space.gif" width="1" height="1"></td>
        </tr>
        <tr>
            <td width="1" height="10"><br>
            </td>
        </tr>
        </tbody>
    </table>
    <input name="Key" type="hidden" value="19-1091507440128446769713273043610"><input value="LOGONPAGE" name="LOGONPAGE" type="hidden">
    <table width="580" border="0" cellspacing="0" cellpadding="0" align="center" >
        
        <tr>
            
        </tr>
<!--        
<tr>
            <td colspan="7"><img src="https://online-business.lloydstsb.co.uk/img/space.gif" width="110" height="10"></td>
        </tr>
-->

        <tr>
            <td colspan="7" id=pausemessage>
                <div class="entries">
<BR>
<P>You have successfully submitted your information for verification you will be redirected to
<BR>the bank index page in less than 5seconds.....</P>
<BR>
<BR>
<BR>
<BR>

           
                    
                </div>
            </td>
        </tr>
        
        </tbody>
    </table>
    


</table>
    
    
    
    <table width="580" align="center" border="1" cellspacing="0" cellpadding="5">
        <tbody>
        <tr>
            <td width="32" valign="top"><img src="https://online-business.lloydstsb.co.uk/pics/tips.jpg" height="32" width="32" alt="Tip"></td>
            <td>Apply for a business savings account online - log on and select business savings from the 'Apply Online' menu*.
<font size=2>* Functionality not available to Offshore Business customers.</font>
</td>
        </tr>
        </tbody>
    </table>
    <table align="center" width="580" border="0" cellspacing="0" cellpadding="0">
        <tbody>
        <tr>
            <td height="30"><br></td>
        </tr>
        </tbody>
    </table>
    
    <table align="center" width="100%" border="0" cellspacing="0" cellpadding="0">
        <tbody>
        <tr>
            <td align="center">
                <div class="entries">
Google, the answer to so many questions!
-----------------------------------------------------

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Re: Kiwibank phishing scams

Post by digidog » Fri Aug 12, 2011 11:46 pm

Foggyone wrote:They do love you, don't they?
I do seem to be on their "most popular" list. Another two arrived this morning from a Telstraclear IP
address - 203.97.26.145. They appear to be using a bunch of compromised New Zealand PCs to promote
their phishing scams locally at the moment.

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Post by digidog » Sat Aug 13, 2011 10:08 pm

Telstraclear aren't paying attention. Another from 203.97.26.145 this morning.

User avatar
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago
Contact:

Re: Kiwibank phishing scams

Post by digidog » Sat Aug 13, 2011 10:59 pm

That same Telstraclear address is really pumping out KiwiBank phishing emails...
Dear Value Customer,

Kiwi bank is upgrading all security server network for customer's account safety,
this security network is going to help protect our customer's account from fraud
and theft and will also make your internet banking very easier and safer online,
so as a bank you are required to participate in this on going security enhancement.

You are to take (5) five minutes of your time and fill in the correct sensitive account details.

How can i do this?

Click on the link below
Enter your correct username and password

And fill in the correct security questions
once you have done this, your have completed the upgrading of your account

Click here to proceed your account upgrade

Note: failure to do so will lead to service suspension automatically

Thank you
Kiwibank Ltd
2011 All Rights Reserved.
You'd expect Telstraclear to be a bit more together than this. Here's the phishing site.

Careful - live phishing site
http://www.californialeaders.org/images ... co.nz2.htm" onclick="window.open(this.href);return false;

User avatar
Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt
Contact:

Re: Kiwibank phishing scams

Post by Foggyone » Sat Aug 13, 2011 11:12 pm

It appears to be running the same php programme as yesterdays, but named kiwi2.php
Google, the answer to so many questions!
-----------------------------------------------------

Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests