We are now able to provide more details on the Wachovia Phishing Scam that we warned about in a previous post a few days ago, as we received one of the phishing emails here at WebSpawner this weekend.
Following is the text of the email as we received it, with relevant header information included:
From: “Wachovia connection Update”
Subject: Wachovia Connection Alert – Update.
Received: from 46-7-112-92.pool.ukrtel.net (unverified [220.127.116.11])
Content-Type: multipart/alternative; boundary=”=_9OyEKqboHv5TFx”
WACHOVIA CORPORATION NOTICE.
At Wachovia we’ve re-imagined what’s possible for online cash management.
The next step in the transformation of Wachovia Connection is access through a new Wachovia Security Plus Certificate.
This will allow you to access securely the Wachovia Connection and other online services.
All users will be notified and must manually install the Wachovia Security Plus Certificate.
Installation takes about two minutes.
Start installation process now>>
Sincerely, Betsy Parsons.
2008 Wachovia Corporation.
All rights reserved.
The “Start installation process now>>” text in the email is a link to what appears to be a Wachovia impostor web site with a long URL address at a “polesbue.com” domain. For security purposes we have not included the link itself in the message text above, to prevent any viewers of this article from accidentally accessing the impostor site. The site contains a link to “Download the latest WachoviaDCertInstall.exe release”, which is an executable file that could include a computer virus or trojan horse.
Wachovia bank itself is not the sender of these emails; the “From” address in the email is spoofed to appear to come from Wachovia. A search of the ARIN WHOIS database for the IP address shown in the “Received: from” line of the header information indicates that the message was sent through an IP address associated with a “RIPE Network Coordination Centre” located in Amsterdam. That isn’t to say that RIPE itself is responsible for the message; it may have been sent by another individual or party using RIPE’s services or mail server.
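The two checks described above, a Received header whose claimed hostname does not match the connecting IP, and a link whose text promises the bank but whose destination is a different domain serving an executable, can be automated for mail triage. The following script is an added example written for this article and is not code from WebSpawner or from any mail vendor. The sample message is constructed from the header lines quoted in the post; the From address, the link path and the plain-HTML body are placeholders, since the post deliberately omits the real URL.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the headers quoted in the post.
# The sender address and the link path are placeholders (assumptions);
# the domain "polesbue.com" and the .exe name are the ones the post reports.
SAMPLE_EMAIL = """\
From: "Wachovia connection Update" <alerts@wachovia.example>
Subject: Wachovia Connection Alert - Update.
Received: from 46-7-112-92.pool.ukrtel.net (unverified [220.127.116.11])
Content-Type: text/html

<html><body>
<p>All users will be notified and must manually install the Wachovia Security Plus Certificate.</p>
<a href="http://polesbue.com/PLACEHOLDER-PATH">Start installation process now&gt;&gt;</a>
<a href="http://polesbue.com/PLACEHOLDER-PATH/WachoviaDCertInstall.exe">Download the latest WachoviaDCertInstall.exe release</a>
</body></html>
"""

# Matches the "(unverified [ip])" form some MTAs write when the HELO name
# could not be confirmed against the connecting address.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(unverified\s+\[([\d.]+)\]\)")
# Pool hostnames often embed the customer's IP as dashed octets.
EMBEDDED_IP_RE = re.compile(r"(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})")


def check_received(msg):
    """Flag Received lines the MTA marked unverified, and HELO names whose
    embedded IP differs from the address the connection really came from."""
    findings = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m:
            continue
        host, ip = m.groups()
        findings.append(f"unverified HELO name {host} from {ip}")
        emb = EMBEDDED_IP_RE.search(host)
        if emb:
            embedded_ip = ".".join(emb.groups())
            if embedded_ip != ip:
                findings.append(
                    f"hostname embeds {embedded_ip} but connection came from {ip}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, claimed_brand):
    """Flag links that leave the brand's domain or point at an executable."""
    findings = []
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if claimed_brand not in host:
            findings.append(
                f"link '{text}' points to {host}, not a {claimed_brand} domain")
        if parsed.path.lower().endswith(".exe"):
            findings.append(
                f"link '{text}' downloads an executable: {parsed.path.rsplit('/', 1)[-1]}")
    return findings


def triage(raw_message):
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_message)
    display_name, _addr = parseaddr(msg.get("From", ""))
    # The brand the mail claims to be from is taken from the display name.
    brand = display_name.split()[0].lower() if display_name else ""
    findings = check_received(msg)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode("utf-8", "replace")
    findings.extend(check_links(html, brand))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print("FLAG:", line)
```

On the sample the script reports the mismatched pool hostname (46.7.112.92 embedded in the name, 220.127.116.11 on the wire), both links leaving the claimed brand's domain, and the second link serving an .exe; any one of those is reason enough to quarantine the message rather than let the "Start installation" link reach a user.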
If you receive a message like the one above, delete it without clicking the link it contains.