Tuesday, March 2, 2010

UNCC Korean Wachovia Spam Analysis

The University of North Charlotte at Charlotte has issued the following warning to its students:
Subject: Wachovia Phishing Email Targeting UNC Charlotte Users
On March 1, 2010, a large number of UNC Charlotte email
accounts received messages allegedly from Wachovia with the subject:
“An Important Secure Message.”
I took one of the Emails I captured and I thought I would post it here in order to help shed light on exactly who might behind the scam.

  1. First off, Google correctly picked up this Email as spam... but if this Email hadn't been sent to google via POP3 (setup via the add accounts in google) the user would have been out of luck.

  2. The link to Wachovia has an addition to it's address of "as" in hxxp://onlineservices5.wachovia.sa.com/auth/AuthService.htm
    nwtools.com shows that the domain is registered to:

    Victoria Pope (H882534) dwq33@yahoo.com
    Victoria Pope
    29 Beech St. Apt 5
    Newmarket NH 03857
    US (United States)
    Tel: 603-303-9089

    However the ip ( shows a more believable location of Seoul, South Korea

  3. The date on the bottom of the Wachovia Email is from 2007, most places have their copyrights, patents, trademarks, etc up to date... at least in a few years. So I would assume that this script was from a old version of the Wachovia site or they created it from some older scripting templets.

  4. The Email shows that hackers are getting better at using templets to fake out websites as seen in the picture below. Free proxies had to be used to access the site because UNCC had blacklisted the subdomain of sa.com:

(First it asks for your bank login)

(Next it asks for social, debit card, expiration date,
CCV# and ATM pin, and Email)
(Chances are they have an account with
Wachovia as this is a generic window shown after first account setup)

(Final step redirects to official Wachovia site)

(Shows Top Level Domain,
SA.com seems to be a custom google search)

Here is a transcript of the complete Wachovia March 1st Scam Email:

Mon, 1 Mar 2010 16:06:57 -0500
Received: from uncc.edu ([152.15.xx.xx]) by exfe06.its.uncc.edu with Microsoft SMTPSVC(6.0.3790.3959);
Mon, 1 Mar 2010 16:06:57 -0500
Received: from User (copland.udel.edu [])
by md4.nss.udel.edu (MOS 3.10.2-GA)
with SMTP id IOY25036;
Mon, 1 Mar 2010 16:02:38 -0500 (EST)
Message-Id: <201003012102.ioy25036@udel.edu>
From: "Wachovia Message Center"
Subject: An important Secure Message!
Date: Mon, 1 Mar 2010 16:01:53 -0500
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-esp: ESP<2>=
TRU_marketing_spam: <0>
TRU_spam2: <0>
TRU_money_spam: <0>
TRU_scam_spam: <0>
TRU_stock_spam: <0>
TRU_adult_spam: <0>
TRU_embedded_image_spam: <0>
TRU_ru_spamsubj: <0>
TRU_medical_spam: <0>
TRU_urllinks: <0>
TRU_misc_spam: <0>
TRU_watch_spam: <0>
TRU_legal_spam: <0>
URL Real-Time Signatures: <0>
TRU_lotto_spam: <0>
TRU_phish_spam: <0>
TRU_playsites: <0>
TRU_spam1: <0>
TRU_html_image_spam: <0>
TRU_profanity_spam: <0>
TRU_freehosting: <0>
Return-Path: wachoviamcalerts.wachovia@udel.edu
X-OriginalArrivalTime: 01 Mar 2010 21:06:57.0435 (UTC) FILETIME=[20B94EB0:01CAB983]
This is a courtesy reminder that your Online Account needs to be verified:
In order to receive uninterrupted services, please verify your information immediately.
To verify your account, please click the link below, log in and follow the provided
Regards, Wachovia.
Please do not "Reply" to this message.
Contact Us
(800) 950-2296, 24 hours a day, seven days a week.
(c)2007 Wachovia Corporation, 301 South College Street, Suite 4000, One Wachovia Center, Charlotte, NC 28288-0013. All Rights Reserved.
Wachovia Bank, N.A. Member FDIC.

No comments: