Natwest Bank

Discussion in 'Phishing' started by Ben, Oct 7, 2007.

  1. Ben

    Ben Samurai

    Natwest Bank UK

    Dear NatWest Bank United Kingdom customer!

    Our Maintenance Division is performing a planned Internet Banking Service upgrade

    By clicking on the link below please start the procedure of the user login authorization:
    < Do not Click Link >
    [Edit: link removed]

    These directions are to be mailed and followed by all users of the National Westminster OnLine Banking

    NatWest Bank United Kingdom does apologize for the troubles caused to you, and is very grateful for your cooperation.

    If you are not user of NatWest Bank UK please ignore this e-mail!

    This is an automated message, please do not respond

    2007 National Westminster United Kingdom. All Rights Reserved.


    Subject: NatWest Bank UK Customer Mail: Password Authorization

    China
    IP: 58.50.84.155

    <<<<Mod edit: thanks for putting the warning Ben. I have altered some of the link so that it cannot be clicked accidentally! DMY >>>>>>>
     
    Last edited by a moderator: Oct 7, 2007
  2. Central Scrutinizer

    Central Scrutinizer Administrator Staff Member

    Graham Beale, chief executive

    I'm not exactly in the UK. In fact, I'm not even in Europe.

    From natwest bank online
    X-Originating-IP: [216.193.224.211] New York, IH Networks
    Return-Path: <nobody@phantom.elinuxservers.com>
    Subject: Update your account information for security reaons
    From: "natwest bank online" <security@online.natwest.com>


    Dear Valuable Customer,

    During our regular update and verification of the Natwest Online Banking Service, we could not verify your current information. It's either your information has been changed or incomplete, as a result your access to use our services has been limited.

    To restore your online banking access, kindly update your information by following the link below.

    Click here to update your account

    Thank you for banking with Natwest Bank .

    Graham Beale
    Chief Executive
     
  3. Access Suspended‏
    From: NatWest Online Banking (onlinesecurity@natwest.com)
    Sent: 04 January 2008 10:58:17


    Dear customer,

    NatWest Bank Plc is committed to protecting your personal data as well as your money. NatWest Bank Plc combines a wide variety of fraud prevention programs, During our regular update and verification of Online Banking Service, we could not verify your current information. Either your information has been changed or incomplete, as a result your access to use our services has been limited. Please update your information.
    Click on Link below to effect the update and keep your account secure

    https www natwest co uk


    Important Notice:- You are strictly advised to match your Security Question and Answers rightly to avoid service suspension.

    Thank You.

    NatWest Online Banking Plc
    Online Banking Customer Care Services


    --------------------------------------------------------------------------------

    This web site is operated by NatWest Online Banking Group Privacy | Legal | Trade-marks & Copyrights | Online Banking Security © NatWest Bank Plc 1996, 2002, 2003-2007
     
    Last edited by a moderator: Jan 8, 2008
  4. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Natwest Online Security Department Notice

    Oh Dear! The scammer(s) use of English has really impressed in this one.
    ---------------------------------------------------------------------
    *MESSAGE* Natwest Online Security Department Notice #1From: Natwest Bank (onlineservice@Natwest.com)
    Sent:07 March 2008 19-30-07
    To:

    Dear NatWest Online Account Holder,

    During our usual security enhancement protocol, we observed multiple login attempt error while login in to your online NatWest account.

    We have believed that someone other than you is trying to access your account

    For security reasons,we have temporarily suspend your account and your access to online banking and will be restricted if you fail to update.

    Please click on the refrence below to initiate the verification process. and re-confirm your membership details.

    *Link removed*

    Only individuals who have a Natwest account and authorised access to Online Banking should proceed beyond this point. For the security of customers, any unauthorised attempt to access customer bank information will be monitored and may be subject to legal action. ...... Ye Gods - a scammer with a threat of legal action against unauthorised access....
    ---------------------------------------------------------
    This has been reported to phishing@natwest.com and acknowledged.
     
  5. Central Scrutinizer

    Central Scrutinizer Administrator Staff Member

    Garreg Ddu said:
    yeah, hard to imagine a scammer suing himself. Still...they might be just stupid enough.....
     
  6. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    A new format for this bank

    This scam is from the same source as Halifax bank post #29 with identical text except for the bank name.

    Received: from smtp-s4.menara.ma ([81.192.53.76]) by bay0-mc10-f23.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);Morocco-MAROC TELECOM- 6713, MAROC TELECOM Noeud Internet.

    Thu, 15 May 2008 08:07:02 -0700
    Received: from User (unknown [41.251.105.55])
    by smtp-s4.menara.ma (Menara) with SMTP id 2EBA44DC01A; Menara.ma, Direction Internet ,division operation Rabat, Maroc.

    Thu, 15 May 2008 14:45:03 +0000 (WET)
    Return-Path:OnlineBanking@uk.Natwest.Com
    From:OnlineBanking@uk.Natwest.Com
    Sent: Thursday, May 15, 2008 4:06 PM
    To: undisclosed-recipients:
    Subject: Natwest Alert : For security reasons,we have temporarily suspend your account

    Dear NatWest Online Account Holder,

    During our usual security enhancement protocol,

    we observed multiple login attempt error while login in to your online NatWest account.

    We have believed that someone other than you is trying to access your account

    For security reasons,we have temporarily suspend your account

    and your access to online banking and will be restricted if you fail to update.

    Please click on the refrence below to initiate the verification process. and re-confirm your membership details.

    Link to trap site removed as it is active and not flagged by McAfee SiteAdvisor, yet...

    Only individuals who have a NatWest account and authorised access to OnLine Banking should proceed beyond this point. For the security of customers, any unauthorised attempt to access customer bank information will be monitored and may be subject to legal action.
     
  7. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Trap site from previous post now flagged correctly by McAfee SiteAdvisor, ;)

    (Trap site) may try to steal your information.
    Why were you redirected to this page? When we visited this site, we found it may be designed to trick you into submitting your financial or personal information to online scammers. This is a serious security threat which could lead to identity theft, financial losses or other dissemination of personal information.
     
  8. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Scammer uses a soccer theme!

    Received: from smtp20.orange.fr (mwinf2006 [172.22.130.34])
    by mwinf2015.orange.fr (SMTP Server) with ESMTP id B34F31C4A3C5;
    Sat, 7 Jun 2008 13:14:37 +0200 (CEST)
    Received: from User (ml82.128.11.113.multilinks.com [82.128.11.113])
    by mwinf2006.orange.fr (SMTP Server) with ESMTP id 402D41C0009E;
    Sat, 7 Jun 2008 13:13:01 +0200 (CEST)
    Multilinks Telecommunications Limited, 231 Adeola Odeku Str., Victoria Island, Lagos, Nigeria

    From: NatWest
    Sent: Saturday, June 07, 2008 9:10 PM
    To: undisclosed-recipients:
    Subject: Security/Server Upgrade

    Dear Natwest Banking Member,

    Due to the high number of fraud attempts and phishing scams, it has been decided to implement EV
    SSL Certification on this Internet Banking website.

    The use of EV SSL certification works with high security Web browsers to clearly identify whether
    the site belongs to the company or is another site imitating that company's site.

    It has been introduced to protect our clients against phishing and other online fraudulent activities.
    Since most Internet related crimes rely on false identity, Natwest Bank went through a rigorous validation
    process that meets the Extended Validation guidelines.

    Please update your account to the new EV SSL certification by Clicking here. Which is a link to a "Sheffield Wednesday" supporter's site in the USA which the criminal has hacked into.

    You are strictly advised to login into your Natwest account using the above link.
    Your Natwest account will automatically be added to our recent internet banking security system.


    (Failure to verify your account details correctly will lead to account suspension)

    Thank you.
    Account Sentinel Service
    © National Westminster Bank Plc Online Customer Service: 1998 - 2008

    (Do not reply to this email. Natwest retains the right to send you periodic updates on alerts and services).
     
  9. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Anyone remember JR Ewing - This one is in DALLAS

    The criminal(s) hacking has put the "phishing" pages into the "Ultimate Dallas" fan site for the US Western Soap. But the email is constructed so badly the link doesn't work and the trap site (disarmed) is the title. Doh.

    Received: from cratos.burtonhosting.com ([65.254.38.194]) by bay0-mc7-f18.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
    Thu, 19 Jun 2008 03:05:07 -0700 ISP is Burtonhosting.com, Atlanta, GA. USA

    From: NatWest
    Sent: Thursday, June 19, 2008 11:05 AM
    To: ********@hotmail.com
    Subject: http //www ultimatedallas com camille mail php

    Dear Natwest Banking Member,

    Due to the high number of fraud attempts and phishing scams, it has been decided to implement EV
    SSL Certification on this Internet Banking website.

    The use of EV SSL certification works with high security Web browsers to clearly identify whether
    the site belongs to the company or is another site imitating that company's site.

    It has been introduced to protect our clients against phishing and other online fraudulent activities.
    Since most Internet related crimes rely on false identity, Natwest Bank went through a rigorous validation
    process that meets the Extended Validation guidelines.

    Please update your account to the new EV SSL certification by Clicking here. Which is where the concealed URL for the "phishing" page should be, but the scammer has failed to put the correct HTML link there!

    You are strictly advised to login into your Natwest account using the above link.
    Your Natwest account will automatically be added to our recent internet banking security system.


    (Failure to verify your account details correctly will lead to account suspension)
    Thank you.

    Account Sentinel Service
    © National Westminster Bank Plc Online Customer Service: 1998 - 2008

    (Do not reply to this email. Natwest retains the right to send you periodic updates on alerts and services).
     
  10. Dororo

    Dororo Administrator Staff Member

    Return-Path: <accounts@natwest.com>
    Received: from 24.235.111.114, Canada, Rogers Cable Communications Inc.
    Reply-To: <no-reply@natwest.com>
    From: "NatWest Bank PLC"<accounts@natwest.com>
    Subject: IMPORTANT SECURITY ALERT
    Date: Wed, 2 Jul 2008


    IMPORTANT SECURITY ALERT

    Please note that our system recently noted that your attemption of signing on to your account was failed while some errors occured during the processing update of your online account you are having with our bank. We sincerely here by to notify you that you should kindly follow below link to update your online account for your security safety ensured by our financial insititution.

    https www nwolb com default aspx refererident upgrade

    Thank you for your prompt attention to this matter. Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience.

    If you choose to ignore our request, your account may leads to be temporarily suspended
     
  11. Miyuki

    Miyuki Administratrix Staff Member

    From our mail. No headers.

    From: Natwest Online Banking [tophalf@optusnet.com.au]
    Date: 12/11/08
    Subject: Important Notice!!! Account Security Alert!!!


    Dear Customer,

    We are currently updating our online banking services, and due to this upgrade we sincerely call your attention to follow below link and reconfirm your online account details. Failure to confirm the online banking details will suspend you from accessing your account online.

    Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts.

    Click Here [Still an active link, for now]

    We use the latest security SSL measures to ensure that your online banking experience is safe and secure. The administration asks you to accept our apologies for the inconvenience caused and expresses gratitude for cooperation.

    Thanks for your co-operation,
    NatWest Online banking Security
     
  12. Ben

    Ben Samurai

  13. pablo

    pablo Member

    A few days ago I recieved an email that had a link to a NatWest fake phone online banking as part of an advanced fee fraud. The fake bank had a voice system with a number in Washington DC, Fax in Dallas and a (cell) phone number in New York.

    The website was in Denver.

    A real national bank :)

    p.
     
  14. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Trap site for this one was on a German site, which the hosts have taken down already as it had been reported by NetCraft, McAfee and several others.

    X-SID-PRA: NatWest Bank Online <sec.alert@natwest.com>
    Received: from server5.viahost.ru ([81.9.5.199]) by bay0-mc7-f18.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Wed, 10 Dec 2008 07:46:32 -0800

    Origin IP Address = 81.9.5.199 = ELTEL, SPB Network, 10N, 65-67, Chaykovskogo st., 191123 Saint-Petersburg, Russia

    Received: from nobody by server5.viahost.ru with local (Exim 4.69) (envelope-from <nobody@server5.viahost.ru>) id 1LAREH-0000q7-L9 for ********@hotmail.com; Wed, 10 Dec 2008 18:43:38 +0300
    To: ********@hotmail.com
    Subject: Important Notice!!! Account Security Alert!!!
    From: NatWest Bank Online <sec.alert@natwest.com>
    Reply-To:
    Date: Wed, 10 Dec 2008 18:43:38 +0300
    Return-Path: nobody@server5.viahost.ru


    Dear Customer,

    We are currently updating our online banking services, and due to this
    upgrade we sincerely call your attention to follow below link and reconfirm
    your online account details. Failure to confirm the online banking details
    will suspend you from accessing your account online.

    Due to this, you are requested to follow the provided steps and confirm
    your Online Banking details for the safety of your Accounts.

    Click Here Link to hacked site in Germany already disabled by hosts.

    We use the latest security SSL measures to ensure that your online
    banking experience is safe and secure. The administration asks you to
    accept our apologies for the inconvenience caused and expresses
    gratitude for cooperation.


    Thanks for your co-operation,
    NatWest Online banking Security
     
    Last edited: Dec 19, 2008
  15. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Almost identical to the previous post, but differs in origin IP address and emails:

    X-SID-PRA: Natwest Online Banking <tophalf@optusnet.com.au>
    Received: from User (mrtg.iolbd.net [122.152.52.5]) (authenticated sender tophalf@optusnet.com.au) by mail02.syd.optusnet.com.au (8.13.1/8.13.1) with ESMTP id mBBMTvav026714; Fri, 12 Dec 2008 09:30:03 +1100

    Origin IP Address = 122.152.52.5 = Innovative Online Limited, Jiban Bima Bhaban (5th Floor), 56, Agrabad Commeercial Area, Chittagong. Bangladesh

    From: "Natwest Online Banking"<tophalf@optusnet.com.au>
    Subject: Important Notice!!! Account Security Alert!!!
    Date: Fri, 12 Dec 2008 04:35:30 +0600
    Bcc:
    Return-Path: tophalf@optusnet.com.au



    Dear Customer,

    We are currently updating our online banking services, and due to this
    upgrade we sincerely call your attention to follow below link and reconfirm
    your online account details. Failure to confirm the online banking details
    will suspend you from accessing your account online.

    Due to this, you are requested to follow the provided steps and confirm
    your Online Banking details for the safety of your Accounts.

    Click Here The link to a Phishing page on a site in Spain is dead already, having been reported by NetCraft and McAfee SiteAdvisor.

    We use the latest security SSL measures to ensure that your online
    banking experience is safe and secure. The administration asks you to
    accept our apologies for the inconvenience caused and expresses
    gratitude for cooperation.


    Thanks for your co-operation,
    NatWest Online banking Security
     
  16. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    X-SID-PRA: NatWest Online Banking <onlineservices@NatWest.com>
    Received: from sl12.internetworks.com.mx ([216.29.152.112]) by bay0-mc9-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Sat, 13 Dec 2008 10:35:59 -0800
    Received: (qmail 88721 invoked by uid 2525); 13 Dec 2008 12:35:24 -0600
    Date: 13 Dec 2008 12:35:24 -0600
    Message-ID: <20081213183524.88719.qmail@sl12.internetworks.com.mx>
    To: ********@hotmail.com
    Subject: Important Security Notice From NatWest!!!
    X-PHP-Script: www.starmedios.com//chat/inc/cmses/aedating4CMS.php for 41.219.205.15

    Origin IP Address = 41.219.205.15 = Assigned to Lagos dial-pool customers, NAVNEET SINGH, Plot 1261, Bishop Kale Close, off Saka Tinubu, Victoria Island, Lagos, Nigeria

    From: NatWest Online Banking <onlineservices@NatWest.com>
    Reply-To:



    Dear Customer,

    We are currently updating our online banking services, and due to this
    upgrade we sincerely call your attention to follow below link and reconfirm
    your online account details. Failure to confirm the online banking details
    will suspend you from accessing your account online.

    Due to this, you are requested to follow the provided steps and confirm
    your Online Banking details for the safety of your Accounts.

    Click Here Link to a site in Spain is dead already, having been submitted to NetCraft and McAfee SiteAdvisor.

    We use the latest security SSL measures to ensure that your online
    banking experience is safe and secure. The administration asks you to
    accept our apologies for the inconvenience caused and expresses
    gratitude for cooperation.


    Thanks for your co-operation,
    NatWest Online banking Security
     
  17. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Yet another - same format, different IP addresses and origin:

    X-SID-PRA: NatWest Online Banking <onlineservices@natwest.com>
    Received: from User ([12.187.30.163]) by rg6.cniteam.com (MOS 4.1.1-FCS) with ESMTP id CKD64660 (AUTH cdoty@bright.net); Fri, 26 Dec 2008 10:05:53 -0500

    Origin IP Address = 12.187.30.163 = OSSI, 11465 CREST HILL RD, MARSHALL, VA 20115, US

    From: "NatWest Online Banking"<onlineservices@natwest.com>
    Subject: Important Security Notice From NatWest!!!
    Date: Fri, 26 Dec 2008 10:05:59 -0500
    Bcc:
    Return-Path: onlineservices@natwest.com


    Dear Customer,

    We are currently updating our online banking services, and due to this
    upgrade we sincerely call your attention to follow below link and reconfirm
    your online account details. Failure to confirm the online banking details
    will suspend you from accessing your account online.

    Due to this, you are requested to follow the provided steps and confirm
    your Online Banking details for the safety of your Accounts.

    Click Here The Phishing site, on a server in Indonesia, is still active, so the link is disabled. It is in NetCraft, McAfee SiteAdvisor, IE Phishing filter and has been posted in the Phish Tank.

    We use the latest security SSL measures to ensure that your online
    banking experience is safe and secure. The administration asks you to
    accept our apologies for the inconvenience caused and expresses
    gratitude for cooperation.


    Thanks for your co-operation,
    NatWest Online banking Security
     
  18. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    X-SID-PRA: NatWest Online Banking <inbar@simayof.com>
    Received: from mail.simayof.com ([64.173.147.222]) by bay0-mc10-f19.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Mon, 29 Dec 2008 11:49:55 -0800

    Origin IP Address = 64.173.147.222 = ADI SIMAYOF, SBC Internet Services, San Francisco, CA 94105, United States

    Return-Path: <inbar@simayof.com>
    From: "NatWest Online Banking"<inbar@simayof.com>
    Subject: Important Security Notice From NatWest!!!
    Date: Mon, 29 Dec 2008 18:32:01 -0000
    Bcc:


    Dear Customer,

    We are currently updating our online banking services, and due to this
    upgrade we sincerely call your attention to follow below link and reconfirm
    your online account details. Failure to confirm the online banking details
    will suspend you from accessing your account online.

    Due to this, you are requested to follow the provided steps and confirm
    your Online Banking details for the safety of your Accounts.

    Click Here The link to an active "Phishing" site in France is disabled. Reported to NetCraft, McAfee SiteAdvisor and in IE7 and Safari Phishing filters.

    We use the latest security SSL measures to ensure that your online
    banking experience is safe and secure. The administration asks you to
    accept our apologies for the inconvenience caused and expresses
    gratitude for cooperation.


    Thanks for your co-operation,
    NatWest Online banking Security
     
  19. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Oh I am sure NatWest need customers to verify software upgrades. This is a complete scam of the first order. Note the English grammar and usage, which is typical of scammers who are not English.

    X-SID-PRA: sec.alert@nwolb.com <sec.alert@nwolb.com>
    Received: from smtp20.orange.fr ([80.12.242.26]) by bay0-mc7-f18.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Fri, 2 Jan 2009 00:19:49 -0800

    Email server IP Address = 80.12.242.26 = France Telecom ROSI/DPS/MVU, Site Jasmin, 4 avenue du 8 mai 1945, 78284 Guyancourt Cedex, FRANCE

    Received: from User (i-195-137-92-187.freedom2surf.net [195.137.92.187]) by mwinf2018.orange.fr (SMTP Server) with ESMTP id 511E11C0009B; Fri, 2 Jan 2009 09:19:09 +0100 (CET)

    Origin IP Address = 195.137.92.187 = Freedom To Surf ltd, Static IP Subscribers, GB, via Pipex Internet, The Hinshelwood Building, Edmund Halley Road, Oxford Science Park, Oxford OX4 4GB, United Kingdom

    From: "sec.alert@nwolb.com" <sec.alert@nwolb.com>
    Subject: Update Your Account Informations For 2009
    Date: Fri, 2 Jan 2009 08:30:11 -0000
    To: undisclosed-recipients:;
    Return-Path: sec.alert@nwolb.com


    Dear client of NatWest Bank,

    Technical services of the NatWest Bank are carrying out a planned software upgrade. We earnestly ask you to visit the following link to start the procedure of confirmation on customers data.

    To get started, please click the link below:

    https://www.nwolb.com/Default.aspx? The Phishing pages are hacked into a server in Germany. The link is disabled here as it is still active. Reported to NetCRaft, McAfee SiteAdvisor and in IE Phishing filter.

    This instruction has been sent to all bank customers and is obligatory to follow.

    Thank you,

    Customers Support Service.
     
  20. Garreg Ddu

    Garreg Ddu Gweinyddwr Staff Member

    Another one from Germany. The Phishing site had been found and removed by the ISP Hosts before the criminals sent out this email.

    X-SID-PRA: NatWest Online Banking <acct.security@nwolb.com>
    Received: from [85.214.38.113] (account huda2591@batelco.com.bh HELO User) by cgpfe2.batelco.com.bh (CommuniGate Pro SMTP 5.2.9) with ESMTPA id 162876417; Mon, 05 Jan 2009 18:04:35 +0300

    Origin IP Address = 85.214.38.113 = Strato Rechenzentrum, Berlin, Cronon AG, Pascalstrasse 10, D-10587 Berlin, Germany

    From: "NatWest Online Banking"<acct.security@nwolb.com>
    Subject: Important Security Notice From NatWest
    Date: Mon, 5 Jan 2009 15:04:27 -0000
    Bcc:
    Return-Path: acct.security@nwolb.com


    Dear Customer,

    We are currently updating our online banking services, and due to this
    upgrade we sincerely call your attention to follow below link and reconfirm
    your online account details. Failure to confirm the online banking details
    will suspend you from accessing your account online.

    Due to this, you are requested to follow the provided steps and confirm
    your Online Banking details for the safety of your Accounts.

    Click Here The link to the Phishing Site had been found and deleted by the ISP hosts before this email was sent by the criminals.

    We use the latest security SSL measures to ensure that your online
    banking experience is safe and secure. The administration asks you to
    accept our apologies for the inconvenience caused and expresses
    gratitude for cooperation.


    Thanks for your co-operation,
    NatWest Online banking Security
     

Share This Page