Unusual sign-on activity says phishing email

Unusual sign-on activity says phishing email

“Account Unusual Sign-on Activity” is the subject line for the latest phishing email hitting our email filters. This one is supposedly from the ANZ banking group. As we shall see, it’s not quite there technically, in terms of phishing emails. It is definitely a phishing email and can be deleted.

Figure A shows a sample of the email. As we mentioned previously, the subject line of the email reads “Account Unusual Sign-on Activity”. The sender of the email is listed as “ANZ”.  As a note, all of the emails stopped have the same details. The email begins with “Dear Valued Customer”. There is an authentic looking ANZ logo at the top of the email. One link is contained in the body of the email. The email signs off with “ANZ Internet Banking Support Team”. Information about the ANZ (including it’s Australian Business Number) is located at the foot of the email.

MailShark Unusual sign-on activity says phishing email
Figure A – Click to Enlarge

The reason for the email is a possible security breach. The email states that “suspicious” activity has been detected. The email lists an IP address. This IP address we have left in the email, rather than blacking it out. You’ll understand why shortly (if you don’t understand already). All the emails we have stopped so far list the same IP address. The email goes on to state that access to the user’s account has been temporarily blocked until the user’s identity is verified. A link is provided to enable the user to verify their account. The text of the link is “Please click here to verify your account”.

This email is, of course, bogus. There are a few signs, which we will run through. For one, the email is not personalised. Banks will always address you using the name an account is held under. Another sign that the email is false is the link in the email. Mousing over it shows that it does not link back to the ANZ site. Instead it leads to a fake ANZ site, designed to steal the user’s banking login details.

But the two big signs that this is a fake email are the IP address, and the spoofed email address. For those that may be unfamiliar with IP addressing, the final two numbers (434 and 987) are outside the range of IP address numbering. IP addresses range from 0-255. These two numbers are most definitely outside the range; they are not valid IP addresses. The other sign is the spoofed email address. The email address says it is from ANZ, but the email address spoofed is actually a National Australia Bank address.

This email may look realistic, but it is a phishing email, and can be deleted.

Scott Reeves
MailShark
Free anti-spam service
Free email filter service

Share This Post

Post Comment