
Thread: New Phishy: "Wells Fargo AMT service upgrade"

  1. #1
    MrLinus (Just a Virtualized Geek)

    New Phishy: "Wells Fargo AMT service upgrade"

    How convenient and so security-minded of Wells Fargo. Interesting too that it goes to http://200.155.4.91:81/1/index.php (down at this time) rather than Wells Fargo's Official Site:

    % Copyright registro.br
    % The data below is provided for information purposes
    % and to assist persons in obtaining information about or
    % related to domain name and IP number registrations
    % By submitting a whois query, you agree to use this data
    % only for lawful purposes.
    % 2004-10-04 09:55:26 (BRT -03:00)

    inetnum: 200.155.0/19
    aut-num: AS16397
    abuse-c: ABC204
    owner: Comdominio Soluções de Tecnologia S/A.
    ownerid: 003.672.254/0001-44
    responsible: Area de Engenharia - comDominio
    address: Rua Dr. Miguel Couto, 58,
    address: 01008-010 - Sao Paulo - SP
    phone: (11) 3351-4325 []
    owner-c: AEC81
    tech-c: GRC66
    inetrev: 200.155.0/20
    inetrev: 200.155.16/23
    inetrev: 200.155.18/24
    nserver: NS1.DATACENTER1.COM.BR
    nsstat: 20041002 AA
    nslastaa: 20041002
    nserver: NS2.DATACENTER1.COM.BR
    nsstat: 20041002 AA
    nslastaa: 20041002
    nserver: NS3.DATACENTER1.COM.BR
    nsstat: 20041002 AA
    nslastaa: 20041002
    inetrev: 200.155.20/22
    nserver: NS1.DATACENTER1.COM.BR
    nsstat: 20041003 AA
    nslastaa: 20041003
    nserver: NS2.DATACENTER1.COM.BR
    nsstat: 20041003 AA
    nslastaa: 20041003
    nserver: NS3.DATACENTER1.COM.BR
    nsstat: 20041003 AA
    nslastaa: 20041003
    inetrev: 200.155.24/21
    nserver: NS1.DATACENTER1.COM.BR
    nsstat: 20041002 AA
    nslastaa: 20041002
    nserver: NS2.DATACENTER1.COM.BR
    nsstat: 20041002 AA
    nslastaa: 20041002
    nserver: NS3.DATACENTER1.COM.BR
    nsstat: 20041002 AA
    nslastaa: 20041002
    created: 20010828
    changed: 20020909

    nic-hdl-br: ABC204
    person: Abuse @ comDominio
    e-mail: abuse@COMDOMINIO.COM.BR
    address: Rua Dr. Miguel Couto, 58,
    address: 01008-010 - Sao Paulo - SP
    phone: (11) 3351-4325 []
    created: 20030625
    changed: 20030625

    nic-hdl-br: AEC81
    person: Area de Engenharia - comDominio
    e-mail: registro@COMDOMINIO.COM.BR
    address: Rua Dr. Miguel Couto, 58,
    address: 01008-010 - São Paulo - SP
    phone: (11) 3351-4325 []
    created: 20020909
    changed: 20030623

    nic-hdl-br: GRC66
    person: Gerencia de Redes - comDominio
    e-mail: registro@COMDOMINIO.COM.BR
    address: Rua Dr. Miguel Couto, 58,
    address: 01008-010 - Sao Paulo - SP
    phone: (11) 3351-4325 []
    created: 20020909
    changed: 20040126

    remarks: Security issues should also be addressed to
    remarks: nbso@nic.br, http://www.nbso.nic.br/
    remarks: Mail abuse issues should also be addressed to
    remarks: mail-abuse@nic.br

    % whois.registro.br accepts only direct match queries.
    % Types of queries are: domains (.BR), BR POCs, CIDR blocks,
    % IP and AS numbers.
    And even more interesting is the source:

    Code:
    <html>
    <body>
    <table cellspacing="0" cellpadding="0" width="601" border="0">
      <tbody>
        <tr>
          <td colspan="2"></td>
        </tr>  <tr>
        <td colspan="2"> </td>
      </tr>
    
        <tr>
          <td width="500" height="324" align="left" valign="top">
            <table cellspacing="0" cellpadding="0" width="545" border="0">
              <tbody>
                <tr>
                  <td width="20"> </td>
                  <td valign="top" align="left" width="476"><div align="justify">
                    
    
    </p>
                    
    
    <font face="Arial, Helvetica, sans-serif" size="2">Dear Wells Fargo customer, </font></p>
                    
    
    <font face="Arial, Helvetica, sans-serif" size="2">                    In order to be prepared for the smart card upgrade on Visa and MasterCard debit and credit cards and to avoid problems with our ATM services, we have recently introduced additional security measures and upgraded our software.</font> <font face="Arial, Helvetica, sans-serif" size="2">
    
                        
    
                        This security upgrade will be effective immediately and requires our customers to update their ATM card information. Please update your information here
    
                        
    
     &copy; Wells Fargo Customer Support Dept. 
    
                        
    
                      </font> </p>
                  </div></td>
                  <td width="10"></td>
                </tr>
              </tbody>
          </table></td>
        </tr>
        
      </tbody>
    </table>
    <font color=#FFFFFF>1532 l 3  1356 optimal  Gloria</font>
    <font color=#FFFFFF>0 D cumin birdie aching arsenic owing interpretive zip dolce winnipeg turnpike  lubbock R0lGODlhggHMALNSAKMA 2085 </font>
    </body></html>
    
    ----7616889477559604--
    Info has been forwarded to AntiPhishing Workgroup
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
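
Added example, not part of the original thread: a small triage check for the two markers visible in the post above, a link whose host is a bare IP address on a non-standard port and filler text in a white `<font>` tag. The sample markup is constructed (the `<a>` tag is an assumption, since the posted source lost its anchor), and treating white text as hidden assumes the mail's default white background.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

WHITE = {"#ffffff", "#fff", "white"}  # assumes a white page background

class MailHtmlAudit(HTMLParser):
    """Collects link targets and text nested inside white <font> tags."""
    def __init__(self):
        super().__init__()
        self.links, self.hidden_text = [], []
        self._font_stack = []  # one bool per open <font>: is it white?

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "font":
            self._font_stack.append((a.get("color") or "").lower() in WHITE)

    def handle_endtag(self, tag):
        if tag == "font" and self._font_stack:
            self._font_stack.pop()

    def handle_data(self, data):
        if any(self._font_stack) and data.strip():
            self.hidden_text.append(data.strip())

def audit(html):
    """Return (finding, evidence) tuples for one HTML mail body."""
    p = MailHtmlAudit()
    p.feed(html)
    findings = []
    for url in p.links:
        parts = urlsplit(url)
        try:
            ipaddress.ip_address(parts.hostname or "")
            findings.append(("ip-literal-host", url))
        except ValueError:
            pass  # host is a name, not an IP literal
        if parts.port not in (None, 80, 443):
            findings.append(("nonstandard-port", url))
    findings += [("white-on-white-text", t) for t in p.hidden_text]
    return findings

# Constructed sample: URL and white <font> line are taken from the post.
SAMPLE = """<html><body><font face="Arial" size="2">Please update your
information <a href="http://200.155.4.91:81/1/index.php">here</a></font>
<font color=#FFFFFF>1532 l 3  1356 optimal  Gloria</font></body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```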

  2. #2
    Senior Member
    that is interesting.....

    THIS INFORMATION ABOVE IS WHY I ENJOY BEING A MEMBER OF AO.....

    the sad thing is that probably hundreds of people fell for it......

  3. #3
    kurt_der_koenig (the beign of authority)
    umm..Very interesting. MsMittens do you think you were a prime target or just someone in a line of names? This is one reason why learning some code helps, one doesn't get that from WYSIWYG progs.

  4. #4
    MrLinus (Just a Virtualized Geek)
    Naw. I'm Canadian. Wells Fargo has diddly to do with ATMs up here. It'd be better if CIBC or Royal Bank or one of the other "Big 5" (as they are called) had sent that. Then it'd look a little more legit. Plus that "AMT" typo was rather a big hint!

    I get these now and again. And I find them amusing to say the least. The other recent one that made me giggle was a variation on the Nigerian/419 scam. Except this one was for China. They're EVERYWHERE!

