
 Phishing -!ut/p/c0/04_SB8K8xL

Master of Master Baiters

Joined: 25 Sep 2008
Posts: 785

Posted: Mon Dec 15, 2008 8:25 pm

I got the following e-mail appearing to be from CIMB Bank.

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtTQ0w9Mg==
X-Message-Status: n:0
X-SID-PRA: Cimb Bank <[email protected]>
X-Message-Info: JGTYoYF78jFoFIPhvciEhGVi79ryW3S4dN2lVljGOP2jEAm6CMzWDb8brjL5tDpDCdXNmea7+Z0/8qfsX9qcujyxx7SrmDJC
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.2668);
Sun, 14 Dec 2008 23:59:52 -0800
Received: from nobody by with local (Exim 4.69)
(envelope-from <[email protected]>)
id 1LC8Mj-0007xa-EQ
for; Mon, 15 Dec 2008 15:59:45 +0800
Subject: URGENT : Your account has been locked!
X-PHP-Script: for
From: Cimb Bank <[email protected]>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <[email protected]>
Date: Mon, 15 Dec 2008 15:59:45 +0800
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [99 32002] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source-Args: /usr/local/apache/bin/httpd -DSSL
Return-Path: [email protected]
X-OriginalArrivalTime: 15 Dec 2008 07:59:53.0574 (UTC) FILETIME=[1CF03860:01C95E8B]

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
<html xmlns="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>

<body link="#CC3300" vlink="#CC3300" alink="#CC3300"><font face="Verdana, Geneva, sans-serif" size="-1">
<p><strong><font color="#CC0000">Dear CIMB Bank customer,</font></strong><br />
<p>We are hereby notifying you that we've recently suffered a DDos-Attack on one of our's Internet Banking server. For security reasons you must complete the next steps to verify the integrity of your CIMBClicks account. If you fail to complete the verification in the next 24 hours your account will be suspended.</p>
<p>Here's how to get started:</p>
<p><strong>1. </strong>Log in to <strong>CIMBClicks</strong> online account <strong><a href="!ut/p/c0/04_SB8K8xLLM9MSSzPy8xBz9QJ_89Mw8_YJ0RUUAk9OZqw!!/">(click here)</a></strong>.</p>
<p><strong>2. </strong>You must request for <strong>TAC</strong> online via CIMBClicks - your TAC will be sent via SMS to the mobile phone number you registered at the ATM. <br />
( you can find the "<strong>request TAC</strong>" button in the left menu of your account )</p>
<p><strong>3.</strong> Logout from your account and close the browser.</p>
<p><strong>4.</strong> When you have received the <strong>TAC (Transaction Authorization Code)</strong> on your mobile phone, <strong>Log in to our secured verification server</strong> and submit the requested information(Account user ID, password and TAC).<a href=""><strong>CLICK HERE</strong> to go on our secured server.</a></p>
<p><strong>5.</strong> Please allow 48 hours for processing.<br />
<p><font color="#666666">Please comply and thanks for understanding.<br />
© 2008 CIMB Bank</font></p>
<p> </p>
<p><font color="#666666" size="1">Note: Please do not reply to this email. <br />
This mailbox is not monitored and you will not receive a response.</font></p>

I do not understand this. It looks like the real bank, but I am sure that this link sent to my catcher account is bogus.

Real site:

Fake site:[url]!ut/p/c0/04_SB8K8xLLM9MSSzPy8xBz9QJ_89Mw8_YJ0RUUAk9OZqw!!/[/url]



a [Domain Name]
b [MYNIC Registration No.] D1A068079
c [Record Created] 22-AUG-2006
d [Record Expired] 22-AUG-2009
e [Record Last Modified] 07-AUG-2008

The site was created 3 years ago.

Also, CIMB bank is listed in Old Coaster's List in Malaysia.

38 Fake Checks / Money Orders worth $393,970.79 USD
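
Added example (not part of the original thread): the headers quoted in the post above carry several markers that the message was produced by a script on a web server rather than by a bank's mail system, namely `X-PHP-Script`, a `Received` hop reading `from nobody ... with local (Exim ...)`, `X-Source-Args` naming `httpd`, and the caller UID in `X-AntiAbuse`. The sketch below checks for those markers; the function name, host names and addresses are assumptions, and the sample message is constructed because the page elides the real values.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the post. Host names
# and addresses are placeholders: the page elides the real ones.
SAMPLE = (
    "Received: from web.example.test ([192.0.2.10]) by mx.example.net"
    " with Microsoft SMTPSVC(6.0.3790.2668);\n"
    "\tSun, 14 Dec 2008 23:59:52 -0800\n"
    "Received: from nobody by web.example.test with local (Exim 4.69)\n"
    "\t(envelope-from <nobody@web.example.test>)\n"
    "\tid 1LC8Mj-0007xa-EQ\n"
    "\tfor user@example.net; Mon, 15 Dec 2008 15:59:45 +0800\n"
    "Subject: URGENT : Your account has been locked!\n"
    "X-PHP-Script: web.example.test/form.php for 192.0.2.55\n"
    "From: Cimb Bank <support@bank.example>\n"
    "X-AntiAbuse: Primary Hostname - web.example.test\n"
    "X-AntiAbuse: Originator/Caller UID/GID - [99 32002] / [47 12]\n"
    "X-Source-Args: /usr/local/apache/bin/httpd -DSSL\n"
    "\n<html>body omitted</html>\n"
)

# A hop with no remote SMTP client: the message was handed to Exim locally.
LOCAL_NOBODY = re.compile(r"from\s+nobody\s+by\s+\S+\s+with\s+local\b")
CALLER_UID = re.compile(r"Originator/Caller UID/GID - \[(\d+) \d+\]")


def web_script_indicators(raw):
    """Return (header, reason) pairs showing the mail came from a web script."""
    msg = message_from_string(raw)
    hits = []
    if msg["X-PHP-Script"]:
        hits.append(("X-PHP-Script", "generated by a PHP script: " + msg["X-PHP-Script"]))
    for hop in msg.get_all("Received", []):  # folded headers keep their whitespace
        if LOCAL_NOBODY.search(hop):
            hits.append(("Received", "injected locally by user 'nobody', no SMTP client"))
    if "httpd" in (msg["X-Source-Args"] or ""):
        hits.append(("X-Source-Args", "calling process was the Apache web server"))
    for line in msg.get_all("X-AntiAbuse", []):
        m = CALLER_UID.search(line)
        if m:
            hits.append(("X-AntiAbuse", "script ran as UID " + m.group(1)))
    return hits


if __name__ == "__main__":
    for header, reason in web_script_indicators(SAMPLE):
        print(f"{header:14} {reason}")
```

The same `X-AntiAbuse` and `X-PHP-Script` lines are what the hosting provider needs in an abuse report to locate the script and the account that ran it.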

Baiting Guru

Joined: 10 Sep 2006
Posts: 5496
Location: Yeah who can tell me where I am?

Posted: Mon Dec 15, 2008 8:57 pm

IP Information for
IP Location: Malaysia Malaysia Vads Berhad Internet Service Provider Kuala Lumpur Malaysia
IP Address: [Whois] [Reverse-Ip] [Ping] [DNS Lookup] [Traceroute]
SSL Cert: expires in 261 days.
Blacklist Status: Clear

Network Whois record

Queried with ""...

% [ node-2]
% Whois data copyright terms

inetnum: -
netname: VPIS
descr: Vads Berhad, Internet Service Provider, Kuala Lumpur, Malaysia
country: MY
admin-c: BT162-AP
tech-c: BT162-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-MY-VADS
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: [email protected] 20060405
source: APNIC

person: Boon Hock Tei
nic-hdl: BT162-AP
e-mail: [email protected]
address: 1st Floor, AHP Building
address: Jalan Tun Mohd Fuad 3
address: Taman Tun Dr Ismail
address: 60000 Kuala Lumpur
country: MY
phone: +6-03-7712-8888
fax-no: +603-77282584
changed: [email protected] 20060117
source: APNIC

I don't do bling, I just do lads Evil or Very Mad
Elite Baiter

Joined: 11 Dec 2007
Posts: 1783
Location: Getting a nice "cofee", before I'm in a grave

Posted: Mon Dec 15, 2008 9:07 pm

This looks like phishing.

Fake sites killed: United Nations x715



Lion will soon consume you and you will have sex as you delight more on that with the dead
Akai Ryu
Chuck Norris

Joined: 11 Jun 2007
Posts: 1369

Posted: Mon Dec 15, 2008 9:08 pm

It is phishing. I got the same exact message this morning.

There was a second link in the email which has already been killed.

Several hundred fake escrows (and others) deaded--no longer counting. --dead a fake site today.

No, Akai, you're a wonderful bitch. --Reaper
Ima Baeder
Baiting Guru

Joined: 03 May 2007
Posts: 18314

Posted: Mon Dec 15, 2008 9:52 pm

I've edited the subject line. Buccaneer and bill2, you may want to read this post to learn more about how to tell the difference between a fake site and phishing:

348 Fake Sites killed: United States, United Kingdom, United Nations, Malta, Nigeria, Ghana, Benin, Germany, South Africa, Russia, Togo, Malaysia, European Union, Japan, Ivory Coast, Spain, France, Switzerland, China, Canada, Italy, Thailand
