HSBC - Phishing sites

[Garreg Ddu]

HSBC bank phishing scam. tries to get account details and passwords etc.


From: Hsbc Alert Security
Received: from 41.251.39.221 (IP may be forged by CGI script) (This IP address points to a public free email service on an ISP Host in Morocco)
Sent: Wednesday, April 16, 2008 8:48 PM
To: ***********@hotmail.com
Subject: Your Hsbc Account information Needs to Be Updated

Dear Hsbc Customers Upgrade

Due to concerns, for the safety and integrity of the Hsbc
account we have issued this warning message.

It has come to our attention that your Hsbc account information needs to be updated as part of our continuing commitment to protect your account in this year 2007 and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update our personal records you will not run into any future problems with the online service.

Once you have updated your account records your Hsbc account service will not be interrupted and will continue as normal.

To update your Hsbc records click on the following link:
http://www.hsbc.co.uk/1/2/personal/ Which is a "false" link, and actually points to a server in Kentucky, U.S.A.

http://www.hsbc.co.uk/

Thank You.

Accounts Management As outlined in our User Agreement, Hsbc will
periodically send you information about site changes and enhancements.

Visit our Privacy Policy and User

[Hua Mulan]

Return-Path: ~admin@hsbc.co.uk>
Received: from 80.74.136.2, Switzerland, aurelius.metanet.ch (aurelius.ch-meta.net [80.74.136.2])
Reply-To: ~no-reply@hsbc.co.uk>
From: "HSBC BANK"~admin@hsbc.co.uk>
Subject: Restore your hsbc online bank account
Date: Tue, 27 May 2008


Due to the recent update of the servers, you are requested to please update your account info at the following link
http www hsbc co uk 1 2 HSBCINTEGRATION

HSBC Bank plc always look forward for the high security of our clients. Some customers have been receiving an email claiming to be from HSBC Bank plc advising them to follow a link to what appear to be a HSBC Bank plc web site, where they are prompted to enter their personal Online Banking details. HSBC Bank plc is in no way involved with this email and the web site does not belong to us.

HSBC Bank plc is proud to announce about their new updated secure system. We updated our new SSL servers to give our customers a better, fast and secure online banking service on the home page.

*Important*
We have asked few additional information which is going to be the part of secure login process. These additional information will be asked during your future login security so, please provide all these info completely and correctly otherwise due to security reasons we may have to close your account temporarily.

http www hsbc co uk 1 2

Nicole Smith
Security Advisor
HSBC Bank Plc

[Kittychan]

But there is not link.

Return-Path: ~security@hsbc.co.uk>
Received: from 81.91.159.207, Iran, Petro Iran, Abuse report to [abuse@datak-telecom.net]
Reply-To: ~security@hsbc.co.uk>
From: "HSBC Online Banking"~security@hsbc.co.uk>
Subject: Security Measures !
Date: Sun, 6 Jul 2008


Dear Custumer,

Because of unsual number of invalid login attempts on your account, we had to belive that, their might be some security problems on your account. So we decided to put an extra verification process to ensure your identify and your account security. To continue the verification process and ensure your account security Sign in to Online Banking.S

[Garreg Ddu]

If it wasn't so nasty, it would be funny - the scammer has forgotten to reset his email domains correctly and this email from "HSBC" has an address "@lloydstsb.com" - but then who would expect a stupid criminal thug to get everything correct.

Received: from mail.subdere.gov.cl ([146.82.90.34]) by bay0-mc7-f2.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Mon, 3 Nov 2008 09:49:05 -0800

Origin IP Address = 146.82.90.34 = Global Crossing, 14605 South 50th Street, Phoenix, AZ 85044-6471, US

Received: from localhost (localhost [127.0.0.1]) by mail.subdere.gov.cl (Postfix) with ESMTP id A9B1E4861E0 for <*******@hotmail.com>; Mon, 3 Nov 2008 12:13:46 -0300 (CLST)

To: ********@hotmail.com
Subject: Avoid service suspension..
From: HSBC BANK <onlineservice.info@lloydstsb.com>
Reply-To: HSBC BANK <onlineservice.info@lloydstsb.com>
Date: Mon, 3 Nov 2008 12:03:36 -0300 (CLST)
Return-Path: www-data@subdere.gov.cl



Dear Customer,

HSBC is constantly working to increase security for all online banking users. To ensure the integrity of our online payment system, we periodically review accounts.

Your account have been placed on hold due to possible errors dectected with your code card. Restricted accounts will not be able to receive payments, send payments or withdraw funds.

All restricted accounts have their billing information unconfirmed, until updated on file.

To initiate the update confirmation process, you are now required to follow the link below and fill in the necessary fields. Kindly click on the link below to continue with the verification process and ensure the security of your account.

Account Re-activation Phishing site link is disabled - on a server in Russia and already in the PhishTank, NetCraft and McAfee SiteAdvisor and we hope it is doomed.....

Important Notice: You are strictly advised to match your information rightly to avoid service suspension.

Thank you for your co-operation.


(c) Copyright HSBC 2008. All rights reserved.

[Ben]

If it wasn't so nasty, it would be funny - the scammer has forgotten to reset his email domains correctly and this email from "HSBC" has an address "@lloydstsb.com" - but then who would expect a stupid criminal thug to get everything correct.

>

[Garreg Ddu]

Received: from fs02.spacedump.pp.se (localhost [127.0.0.1]) by fs02.spacedump.pp.se (8.13.6/8.13.6) with ESMTP id mAD5F2Vv056674 for <********@hotmail.com>; Thu, 13 Nov 2008 06:15:02 +0100 (CET) (envelope-from www@fs02.spacedump.pp.se)
Received: (from www@localhost) by fs02.spacedump.pp.se (8.13.6/8.13.6/Submit) id mAD5F2e5056673; Thu, 13 Nov 2008 06:15:02 +0100 (CET) (envelope-from www)

Date: Thu, 13 Nov 2008 06:15:02 +0100 (CET)
To: ********@hotmail.com
Subject: Important Update-(HSBC Bank Ownership Verification Alert)

X-SD-PHP-Script: www.shell.linux.se/wint3r/ADF/phpBB2////viewtopic.php for 41.219.243.193

Origin IP Address = 41.219.243.193 = STARCOMMS-MNT, NAVNEET SINGH, Plot 1261, Bishop Kale Close, off Saka Tinubu, Victoria Island, Lagos, Nigeria

From: Hsbc Bank Plc <Security@hsbc.online.co.uk>
Reply-To:
Return-Path: www@fs02.spacedump.pp.se


Dear Customer,


We value your relationship with Hsbc Bank to serve you better,we are installing the Best Banking software and would require you Update Your Online Banking Records.

This is being done to secure your accounts and to protect your personal informations from being compromised.We at Hsbc Bank are committed in making sure that your online transactions are secure.

Click on the link below to Update your Account Records
Online e-Banking Log-On Link disabled as still actively "Phishing". Reprted to NetCraft, on McAfee SiteAdvisor and in the "Phish Tank" so it should die fairly soon!

Once your information has been updated and confirmed your online service would continue as usual and would not be interrupted

Sincerely,
HSBC Bank Plc.
Online Customer Service

[Marie]

It is strange email.

Return-Path: <aw-secure@hsbc.co.uk>
Received: from 64.244.63.185, America server, XO Communications, Point North Networks
From: "HSBC Online Banking"<aw-secure@hsbc.co.uk>
Subject: Your Online Account Needs Re-activation
Date: Mon, 10 Nov 2008


Spam detection software, running on the system "server.catch22media.com", has identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details.

Content preview: www.hsbc.co.uk Dear valued HSBC Bank PLC Customer, We recently have determined that different computers have logged into your HSBC Online Banking account,and multiple password failures were present before the logons. We now need you to log into your account and verify your account activity.ccount we have issued this warning message. [...]

Content analysis details: (14.8 points, 7.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.0000]
1.3 MISSING_HEADERS Missing To: header
3.0 TVD_PH_REC BODY: Message has a phrase standard for phishing mails
1.5 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
0.0 HTML_MESSAGE BODY: HTML included in message
0.7 MPART_ALT_DIFF BODY: HTML and text parts are different
1.5 URIBL_SBL Contains an URL listed in the SBL blocklist [URIs: tcheloco.com.br]
0.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
3.1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
-0.0 AWL AWL: From: address is in the auto white-list

The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor.

[Garreg Ddu]

Received: from smtp-out114.alice.it ([85.37.17.114]) by bay0-mc1-f22.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Tue, 25 Nov 2008 20:58:39 -0800
Received: from FBCMMO03.fbc.local ([192.168.68.197]) by smtp-out114.alice.it with Microsoft SMTPSVC(6.0.3790.1830); Wed, 26 Nov 2008 05:58:41 +0100
Received: from FBCMCL01B05.fbc.local ([192.168.69.86]) by FBCMMO03.fbc.local with Microsoft SMTPSVC(6.0.3790.1830); Wed, 26 Nov 2008 05:58:37 +0100
Received: from User ([87.7.114.70]) by FBCMCL01B05.fbc.local with Microsoft SMTPSVC(6.0.3790.1830); Wed, 26 Nov 2008 05:58:27 +0100

Origin IP Address = 87.7.114.70 = TELECOM-ADSL-7, Telecom Italia S.p.A. TIN EASY LITE, MDBLAB, Via Val Cannuta, 250, I-00100 Roma, ITALY

From: "HSBC Bank"<HSBC@191.it>
Subject: HSBC Online Internet Banking
Date: Wed, 26 Nov 2008 05.58.43 +0100
Bcc:
Return-Path: HSBC@191.it




From: HSBC Bank
Sent: Wednesday, November 26, 2008 12:00 AM
Subject: HSBC Online Internet Banking



--------------------------------------------------------------------------------
personal & business services

Security Alert
Please note that Your HSBC UK Online Banking Account has expired. Please use the link below to proceed and restore access to Your Account.

https://www.hsbc.co.uk/1/2/pib-home/login.asp Which goes to a Phishing site on a server in Belorus. Reported to NetCraft, McAfee SiteAdvisor, in the PhishTank.

[Garreg Ddu]

This Phish was dead even before the email arrived in one of my boxes.

X-SID-PRA: HSBC Bank Plc <onlineservice@hsbc.co.uk>
Received: from net-izb-52-253.net.izb.fraunhofer.de ([129.26.52.253]) by bay0-mc1-f4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); Mon, 1 Dec 2008 05:25:43 -0800
Received: from 196.3.183.72 by net-izb-52-253.net.izb.fraunhofer.de (SMTPD); id s20081121163828.11456; Fri, 21 Nov 2008 16:38:28

Origin IP Address = 196.3.183.72 = Ladi Okuyene, B2 Broadband Ltd., Wuse II postoffice, PO Box, 13235, Wuse II, Abuja, FCT, Nigeria

From: "HSBC Bank Plc"<onlineservice@hsbc.co.uk>
Subject: HSBC Internet Banking Security Upgrade Notification
Date: Fri, 21 Nov 2008 16:38:34 +0100
Bcc:
Return-Path: onlineservice@hsbc.co.uk


The world's local bank


United Kingdom Home


Dear HSBC Customer:

As a bank we are used to thinking about security. At HSBC, we use industry standard security technology and practices, focusing on three key areas ? privacy, technology and identification to safeguard your account from any unauthorised access.

Our Technical services Department are carrying out a planned software upgrade for the maximum convenience of the users of online-services of the HSBC Bank.Please click on LOG ONTO INTERNET BANKING below to restore your account access as soon as possible.

>LOG ON TO INTERNET BANKING Link dead already, on a server in USA but linked back via Spain to the scammers. It had been reported to NetCraft, McAfee SiteAdvisor and Apple Safari Phishing detection.


Thank You,
Customer Advisory
HSBC Bank Plc

--------------------------------------------------------------------------------

Legal information | Accessibility | About HSBC | Site map | Issued for UK use only | (c) HSBC Bank plc 2002 - 2008.

[Garreg Ddu]

X-SID-PRA: Hsbc Internet Banking <security.alert@hsbc.co.uk>
Received: from server.verificationservice.com ([85.17.172.40]) by bay0-mc6-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Fri, 5 Dec 2008 10:27:04 -0800

Origin IP Address = 85.17.172.40 = LeaseWeb, P.O. Box 93054, 1090BB AMSTERDAM, Netherlands

To: **********@hotmail.com
Subject: Account Ownership Verification!!!
From: Hsbc Internet Banking <security.alert@hsbc.co.uk>
Reply-To:
Date: Fri, 05 Dec 2008 18:39:26 +0100




Dear Valued HSBC Customer



It has come to our attention that your Online account informations needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your billing records so that you will not run into any future problems with our online banking service. However, failure this will result in account suspensiony following the link below. .

https://Securityalert.HSBC.co.uk/1/2/ Which is a hidden re-direct to the Phishing site on a server in France. Already in NetCraft, McAfee SiteAdvisor, MS Phishing reports and Safari Phish Check.


HSBC Bank Plc
Security Advisor
HSBC Bank PLC.



--------------------------------------------------------------------------------

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
For assistance, log in to your HSBC Online Bank account and choose the "Help" link on any page.

HSBC Email ID # 1009



See full details of our guarantee

Hsbc Bank PLC
Authorised and regulated by the Financial Services Authority
Registered in England
Registered No. 1026167

Internet communications are not guaranteed to be secure unless the data being sent is encrypted. Hsbc does not accept responsibility for loss arising from unauthorised access to Internet communications and/or the corruption of data by a third party.

Hsbc are unable to respond to replies sent to this email address.