Fraudulent Email in the Name of Bank of America

Posted by Sun on January 6, 2007
Advertisements

There’s an email in my Inbox this morning. The “From” field says “Bank of America” and the subject of the message reads “Account Suspension Case #00302353213″ and the body of the message seems legitimate

The first sign that this may be a fraudulent email I noticed is the mail says there was an unsuccessful access on “24 June 2006.” It could be more believable if it says “January 5, 2007″ than “24 June 2006″ as I checked my account last night and do we really use the “24 June 2006″ format?

When I move the mouse cursor over the “click here” link, it shows the following URL

http://www.fracchetti.it/alessandro/blog//content/www.bankofamerica.com/cgi-bin/common/update%20your%20account%20information/sign%20in/

and the page at the above URL again looks authentic

In fact, all the links at the bottom of the page are real BoA links, except the three on top right which point to the same URL but with no actual page associated with them.

Actually, I think an easy step to determine whether it’s an authentic message is to check exactly where it is from, not what it claims where it is from (the email address). In this case, the email address Bank of America <onlinebanking@alert.bankofamerica.comcom> is already suspicious. Once I clicked the Full Header option (not the compact header which only shows From, To, and Subject) from my Yahoo email, the entire path of how this message reached mailbox is revealed:

From Bank of America Fri Jan  5 10:34:38 2007
X-Apparently-To: —@yahoo.com via 206.190.39.155; Sat, 06 Jan 2007 07:53:18 -0800
X-Originating-IP: [70.86.247.130]
Return-Path: <nobody@server3.polaristar.com>
Authentication-Results: mta352.mail.mud.yahoo.com  from=alert.bankofamerica.comcom; domainkeys=neutral (no sig)
Received: from 70.86.247.130  (EHLO server3.polaristar.com) (70.86.247.130)
by mta352.mail.mud.yahoo.com with SMTP; Sat, 06 Jan 2007 07:53:17 -0800
Received: from nobody by server3.polaristar.com with local (Exim 4.52)
id 1H2ttm-00039v-En
for —@yahoo.com; Fri, 05 Jan 2007 12:34:38 -0600
To: —@yahoo.com
Subject: Account Suspension Case #00302353213
From: Bank of America  <onlinebanking@alert.bankofamerica.comcom>
Reply-To: b-SEA-707363805-1@alert.bankofamerica.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1H2ttm-00039v-En@server3.polaristar.com>
Date: Fri, 05 Jan 2007 12:34:38 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – server3.polaristar.com
X-AntiAbuse: Original Domain – yahoo.com
X-AntiAbuse: Originator/Caller UID/GID – [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain – server3.polaristar.com
X-Source:
X-Source-Args:
X-Source-Dir:
Content-Length: 1337

Though this apparently is a scam email, Yahoo’s DominKey failed to flag it. And the email was send from server3.polaristar.com which has nothing to do with Bank of America. Using a free IP lookup tool at IP2Location.com, I found the sender’s location is at Dallas, Texas.

After determining that this is a fraudulent email, I forwarded the entire message to BoA for further investigation. In the reply email, BoA says

Thank you for contacting Bank of America to report a potentially fraudulent mail, commonly referred to as a “phishing” email. We take your security very seriously and will investigate this matter immediately. If our investigation determines that the email is fraudulent, we will take steps to have the site shut down.

I only hope they can really do what they promised to do “have the site shut down.”

If you found information on this Diary helpful, please consider subscribing to the full RSS feed (What's RSS feed?), or enter your email below to receive free daily update.

Your address is secure and will only be used to deliver the contents of this Diary. You can unsubscribe at any time.

Related Articles You Don't Want To Miss
Categories : Tech

Trackbacks & Pingbacks
4 Comments
January 7, 2007

There’s a lot of BofA fraud out there. I used to get fraudulent telemarketing calls all the time.

It’s seems everyone’s getting in on the act now. Thanks for the head-ups since I own multiple accounts with Bank of America.

Nice investigative work!

Posted by TJP
January 8, 2007

Good catch…BoA seems to be a favorite target for scammers.

I am surprised why scammers can be so dumb as to make those “24 June 2006″ thing….while they are smart enough to make a website and design it to steal your information. :) They always make some stupid mistake :)

Posted by Golbguru

Sorry, the comment form is closed at this time.

invisible tracker