“Keep it safe, simple and fun!” with www.TheWiredLion.com

Email Scam 20070804 ID: Genesis Web Design.co.uk

Phishing emails from bad guys masquerading as banks and other financially active firms are a regular part of Internet life these days. In this investigation, we are looking at an email (below) that is supposedly from Hometown Bank. It actually links you to a web site in England that is acting as a server (a computer that delivers information and software to other computers linked by a network) for someone trying to commit identity theft.

From: Hometown Bank <email@example.com>
Date: Aug 3, 2007 7:33 AM
Subject: About your online banking service.

Dear Hometown Bank Cardholder,

Your online banking service has expired. You must renew it immediately or your account will be closed. If you intend to use this service in the future, you must take action at once!

To continue click here, login to your online banking and follow the steps.

Thank you,
Hometown Bank Online Center

The From address is a legitimate link to Hometown Bank Coop. This indicates that the bad guys were intending a hit and run operation, doing their damage before Hometown Bank reacted to the ill use of their name. The bank even has a notice on their site stating they will never send you an email requesting you to verify your account information.

The click here link would actually bring you to http://www.genesiswebdesign.co.ok/contact.php rather than to Hometown Bank. By the time we received and tried this link, it was already disabled and all that came up was an “Under construction” type notice. This might have been done by the bad guys (to try to evade investigation), or the good guys might have squashed them (you will see information to follow showing that the “police were closing in”)! But a contact email address gave away a name, Phil.

The first connection came through a community group web site called Caistor.Net.
Caistor is an old but thriving community outside of Lincolnshire in the UK (see http://www.caistor.free-online.co.uk/). Genesis Web Design (.co.uk, not .net or .com, which are different companies) was listed as the primary contact and web site designer for CATS, an amateur theatrical group. This seemed to be a solid lead until we found the web site address, http://www.genesiswebdesign.co.uk/cats, was not operating.

We then started searching the web for anything to do with the Genesis website or any of the organizations or businesses it was associated with. The first tidbits we encountered told us this was a known Phishing site. The Phishing Watchdog group CastleCops had two reports on their site about GenesisWebDesign.co.uk: http://www.castlecops.com/check196563previous.html, and a more complete report showing they had “terminated” the Phishing link (they call it Fried Phish) at http://www.castlecops.com/Nationwide_phish515683.html. Note the relation to PayPal. This apparently was a previous scheme.

When attempting to enter another Genesis site, https://genesiswebdesign.co.uk:8443/, Internet Explorer Version 7 met us with a Security Certificate warning. This indicates that the site may be designed to fool you and/or intercept any information you put in. In fact, the security certificate for this site actually belongs to a different web site completely! We entered the site but did not find much useful information EXCEPT that Genesis was once again identified with potentially criminal activities.

We went back to our CATS connection and found their web site very interesting. http://www.catstheatre.co.uk/contact_us.php gave us Phil’s last name, Cluff, and a contact address through a liaison with a relative, Mike Cluff.

We also found a number of apparently legitimate businesses that were designed by and “housed” on Genesis: http://www.adamspiano.co.uk/, a local piano tuner and repair shop in nearby Lincolnshire; a supplier of nails, screws, bolts and other quality fixings and fastenings at http://www.tripaconline.co.uk/index.php?page=home; and a site specializing in “heavy metal” music band souvenirs, t-shirts, etc. at http://www.dragonseyeuk.com/deuk/, which we noted had a link to PayPal.

There was also a new customer site being constructed, http://www.hills-photography.co.uk/, and business listings for Genesis indicating a rather thriving web design firm, http://www.hotfroguk.co.uk/Companies/Genesis-Web-Design.

About a month later, the “new and improved” GenesisWebDesign.co.uk site came on line. One of the most interesting “products” listed was the hosting of sites, whether designed by GWD or not, as what are called sub-domains. This is the vehicle the Phishing email uses to contact you. They create a web page that looks like one belonging to your bank, PayPal, or whomever and put a link to that page in the email. The boxes where you enter your account information are actually utilities on their page for “customer responses” or surveys. You enter your data and it goes right to them.

I think it is time for Hometown Bank Coop to hear about Mr. Phil Cluff.

WL Jay
Keep it safe, simple and fun!

PS: We are flattered when you tell your friends about the services of The Wired Lion! But PLEASE remember that our modest fees help us keep this effort alive. Resist the urge to photo these helpful articles and hand them out to your friends. Instead, please encourage them to Join Us with their own membership!
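
The mismatch described above, where the From address names the bank but "click here" leads to a different host, can be checked mechanically. The following Python code is an added example, not part of the original article: the bank domain hometownbank.example and the HTML body are constructed placeholders, and the link target is the URL quoted in the article.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; hometownbank.example is a placeholder domain.
SAMPLE_FROM = "Hometown Bank <service@hometownbank.example>"
SAMPLE_HTML = (
    '<p>To continue <a href="http://www.genesiswebdesign.co.ok/contact.php">'
    'click here</a>, login to your online banking.</p>'
    '<p><a href="https://www.hometownbank.example/privacy">Privacy</a> | '
    '<a href="mailto:help@hometownbank.example">Contact</a></p>'
)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(from_header, html_body):
    """Return (link text, link host) for links that leave the sender's domain."""
    sender_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    collector = AnchorCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if not host:
            continue  # mailto: and relative links carry no host to compare
        # Exact match or true sub-domain only, so "evil" + domain is not trusted.
        if host != sender_domain and not host.endswith("." + sender_domain):
            findings.append((text, host))
    return findings

if __name__ == "__main__":
    for text, host in audit_links(SAMPLE_FROM, SAMPLE_HTML):
        print(f"suspicious link {text!r} -> {host}")
```

A clean result does not prove a message is safe, since the From header itself can be forged to match the link host.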