Neteller: suspicious email

[Mouche12]

Today I received an email from "Neteller", as shown below, which asked me to update my account info, including account no. and security ID.

Talked to live chat about this, and they advised me to send it to phishing@neteller.com for further investigation.


QUOTE Dear Neteller Customers,

Our Technical Service department has recently updated our online services, and due to this upgrade we sincerely call your attention to follow below link and reconfirm your online account details. Failure to confirm your NETELLER account details will permanently suspend you from accessing your account online.

http://www.neteller.com/update/index.jsp?action=update

We use the latest security measures to ensure that your NETELLER account is safe and secure. The administration asks you to accept our apologies for the inconvenience caused and expresses gratitude for cooperation.

Thanks for choosing NETELLER

NETELLER Customer Service
support@neteller.com
--------------------------------------------------
This is an automatic message. Please do not reply.
UNQUOTE

[vinylweatherman]

Today I received an email from "Neteller", as shown below, which asked me to update my account info, including account no. and security ID.

Talked to live chat about this, and they advised me to send it to phishing@neteller.com for further investigation.


QUOTE Dear Neteller Customers,

Our Technical Service department has recently updated our online services, and due to this upgrade we sincerely call your attention to follow below link and reconfirm your online account details. Failure to confirm your NETELLER account details will permanently suspend you from accessing your account online.

http://www.neteller.com/update/index.jsp?action=update

We use the latest security measures to ensure that your NETELLER account is safe and secure. The administration asks you to accept our apologies for the inconvenience caused and expresses gratitude for cooperation.

Thanks for choosing NETELLER

NETELLER Customer Service
support@neteller.com
--------------------------------------------------
This is an automatic message. Please do not reply.
UNQUOTE

It HAS to be phishing, but that link is GENUINE - it does not try anything "uncool". It takes you to the main login page, and if this IS a bogus page, the FIRST thing someone would try to do is log in, and this would give the criminals all your login info, from where they could quickly empty your account with a Peer to Peer transfer.

Unfortunately, Neteller are in the habit of sending GENUINE emails just like this, except they are "Dear valued customer" or similar.
There would also be a signature, but one that ANY criminal could copy into a phishing email.
The GENUINE Neteller emails like this all relate to the promotions though, and contain a link for you to register your interest. I have NEVER seen an "update your details" style email from them.

I have NOT received this, and if this were a GENUINE email, I would have done.

Whatever any email from Neteller says, ALWAYS navigate directly to the site, rather than follow any links. This will ensure you don't fall for this.

I have been warning Neteller about their habit of sending GENUINE emails to customers in "phishing format", such as "click here to register for December cashback". They have ignored this, and now the phishers have cottoned on to the fact that Neteller customers are used to the "click here to..." format being genuine, making it easier to scam Neteller customers like this.

[Roanan]

The email may LOOK genine, but if you pay attention, and hover your mouse over the link provided, you will see that is actually directs you to:

http://www.neteller-online.com/account/index.htm?action=update

IP address: 94.75.233.1
Host name: www.neteller-online.com

Alias:
www.neteller-online.com
94.75.233.1 is from Netherlands(NL) in region Western Europe


TraceRoute to 94.75.233.1 [www.neteller-online.com]
Hop (ms) (ms) (ms) IP Address Host name
1 153 224 48 72.249.128.105 -
2 58 18 26 206.123.64.82 -
3 154 236 217 216.52.189.9 border4.te4-4.colo4dallas-5.ext1.dal.pnap.net
4 10 9 8 216.52.191.38 core1.tge5-1-bbnet1.ext1.dal.pnap.net
5 6 8 14 208.51.41.57 ae0.411.ar1.dal2.gblx.net
6 7 6 7 64.212.107.10 telia-1.ar4.dal2.gblx.net
7 29 38 33 80.91.248.214 atl-bb1-link.telia.net
8 54 45 46 80.91.252.217 ash-bb1-link.telia.net
9 123 124 119 213.248.65.97 ldn-bb1-link.telia.net
10 130 129 130 80.91.253.19 adm-bb2-link.telia.net
11 142 135 136 80.91.253.167 adm-b2-link.telia.net
12 131 129 132 80.91.248.246 adm-evo-i2-link.telia.net
13 139 143 148 213.248.88.198 leaseweb-ic-126777-adm-evo.c.telia.net
14 137 141 154 85.17.100.206 te9-2.sr7.evo.leaseweb.net
15 137 131 131 94.75.233.1 afm018.onedream.gr

Trace complete


Retrieving DNS records for www.neteller-online.com...

DNS servers
ns1.neteller-online.com [94.75.233.1]
ns2.neteller-online.com [94.75.233.1]

Answer records
www.neteller-online.com A 94.75.233.1 14400s

Authority records
neteller-online.com NS ns2.RSRF001.local 14400s
neteller-online.com NS ns1.RSRF001.local 14400s

Additional records


Whois query for neteller-online.com...

Query error: Timed out

Network IP address lookup:


Whois query for 94.75.233.1...

Results returned from whois.arin.net:


OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 94.0.0.0 - 94.255.255.255
CIDR: 94.0.0.0/8
NetName: 94-RIPE
NetHandle: NET-94-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS2.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2007-07-30
Updated: 2009-05-18

# ARIN WHOIS database, last updated 2009-12-14 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.


Results returned from whois.ripe.net:

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '94.75.233.0 - 94.75.233.255'

inetnum: 94.75.233.0 - 94.75.233.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to "abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: assignment LEASEWEB 20080723
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: LEASEWEB-MNT
changed: ripe@leaseweb.com 20080725
source: RIPE

person: RIP Mean
address: P.O. Box 93054
address: 1090BB AMSTERDAM
address: Netherlands
phone: +31 20 3162880
fax-no: +31 20 3162890
abuse-mailbox: abuse@leaseweb.com
e-mail: ripe@leaseweb.com
nic-hdl: LSW1-RIPE
notify: ripe@leaseweb.com
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20050607
changed: ripe@ocom.com 20060215
changed: ripe@ocom.com 20060608
changed: ripe@ocom.com 20080603
source: RIPE

% Information related to '94.75.192.0/18AS16265'

route: 94.75.192.0/18
descr: LEASEWEB
origin: AS16265
remarks: LeaseWeb
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20080725
source: RIPE



and the email itself originates from somewhere else:

Received: from DSVR011490 (server88-208-245-44.live-servers.net [88.208.245.44])
(Authenticated sender: mwnews02@bouncemanager.it)
by mx1.bouncemanager.it (Postfix) with ESMTPA id B86FA2B22BF

IP address: 88.208.245.44
Host name: server88-208-245-44.live-servers.net
88.208.245.44 is from United Kingdom(UK) in region Western Europe


TraceRoute to 88.208.245.44 [server88-208-245-44.live-servers.net]
Hop (ms) (ms) (ms) IP Address Host name
1 19 26 54 72.249.128.105 -
2 18 39 40 8.9.232.73 xe-5-3-0.edge3.dallas1.level3.net
3 33 30 57 4.69.145.244 ae-93-90.ebr3.dallas1.level3.net
4 39 36 35 4.69.134.22 ae-7.ebr3.atlanta2.level3.net
5 63 60 60 4.69.132.86 ae-2.ebr1.washington1.level3.net
6 44 54 51 4.69.134.142 ae-91-91.csw4.washington1.level3.net
7 48 45 41 4.69.134.157 ae-92-92.ebr2.washington1.level3.net
8 138 133 129 4.69.137.57 ae-43-43.ebr2.frankfurt1.level3.net
9 131 139 130 4.69.140.18 ae-62-62.csw1.frankfurt1.level3.net
10 128 129 131 4.68.23.12 ae-1-69.edge4.frankfurt1.level3.net
11 136 137 135 212.162.24.6 -
12 143 136 136 212.227.120.90 te-1-4.bb-c.act.fra.de.oneandone.net
13 137 137 135 212.227.120.129 te-1-1.bb-c.nkf.ams.nl.oneandone.net
14 145 137 139 212.227.120.134 te-1-2.bb-c.the.lon.gb.oneandone.net
15 185 203 196 88.208.255.61 -
16 144 141 134 88.208.255.14 pc1.hrt0.fhcon.fasthosts.net.uk
17 Timed out Timed out Timed out -
18 Timed out Timed out Timed out -
19 Timed out Timed out Timed out -
20 Timed out Timed out Timed out -

Trace aborted.

Retrieving DNS records for server88-208-245-44.live-servers.net...

DNS servers
ns1.live-servers.net [213.171.192.225]
ns2.live-servers.net [213.171.193.225]

Answer records
server88-208-245-44.live-servers.net A 88.208.245.44 86400s

Authority records

Additional records


Whois query for live-servers.net...

Results returned from whois.internic.net:


Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: LIVE-SERVERS.NET
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net
Name Server: NS1.LIVE-SERVERS.NET
Name Server: NS2.LIVE-SERVERS.NET
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 06-sep-2007
Creation Date: 18-nov-2004
Expiration Date: 18-nov-2015

>>> Last update of whois database: Tue, 15 Dec 2009 15:19:41 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.


Results returned from whois.tucows.com:

IP Address: 67.222.132.194
Maximum Daily connection limit reached. Lookup refused.

Network IP address lookup:


Whois query for 88.208.245.44...

Results returned from whois.arin.net:


OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 88.0.0.0 - 88.255.255.255
CIDR: 88.0.0.0/8
NetName: 88-RIPE
NetHandle: NET-88-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS2.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2004-04-01
Updated: 2009-05-18

# ARIN WHOIS database, last updated 2009-12-14 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.


Results returned from whois.ripe.net:

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '88.208.245.0 - 88.208.245.254'

inetnum: 88.208.245.0 - 88.208.245.254
netname: FASTHOSTS-UK-NETWORK
descr: UK's largest web hosting company based in Gloucester
descr: England
country: GB
admin-c: MW8691-RIPE
tech-c: GD8691-RIPE
status: ASSIGNED PA
mnt-by: AS15418-MNT
changed: mark.wood@fasthosts.co.uk 20070920
remarks: report abuse to abuse@fasthosts.co.uk
remarks: All reports via other channels will be ignored.
remarks: INFRA-AW
source: RIPE

person: Mark Wood
address: Fasthosts Internet Limited
address: Suite 7, Discovery Court
address: 154 Southgate Street
address: Gloucester, GL1 2EX
phone: +44 1452 541251
fax-no: +44 1452 541633
nic-hdl: MW8691-RIPE
mnt-by: AS15418-MNT
changed: mnt@fasthosts.co.uk 20021128
source: RIPE

person: George Daly
address: Fasthosts Internet Limited
address: Discovery House
address: 154 Southgate Street
address: Gloucester, GL1 2EX
phone: +44 1452 541251
fax-no: +44 1452 541633
nic-hdl: GD8691-RIPE
changed: mark.wood@fasthosts.co.uk 20060712
mnt-by: AS15418-MNT
source: RIPE

% Information related to '88.208.192.0/18AS15418'

route: 88.208.192.0/18
descr: FasthostInternet Ltd
origin: AS15418
mnt-by: AS15418-MNT
changed: mnt@fasthosts.co.uk 20051104
source: RIPE

[maxd]

The email may LOOK genine, but if you pay attention, and hover your mouse over the link provided, you will see that is actually directs you to:

xhttp://www.neteller-online.com/account/index.htm?action=update ....

Good catch! The rest of it is a bit verbose but good work nevertheless.

[Roanan]

Good catch! The rest of it is a bit verbose but good work nevertheless.

It's not too hard to figure out when you receive the email three times in three separate email accounts and you live in a country that Neteller won't service

My advice is to click the link, and fill it out with false information.

If the scammers have to spend a lot of time trying to access a fake account, it slows them down a bit.

I also notice that this particular scam is originating from Europe, instead of China or Saudi Arabia (where they usually trace back to) so it is possible that the authorities can be alerted and might actually be able to get somewhere for once.

You can see by my trace results that the website is housed in The Netherlands, where YOU LIVE, so you actually have a chance of shutting them down yourself if you contact your local police's commercial crime division.