So, some scammers in Shinjuku (part of Tokyo) have been sending phishing mail via a server in the US, but they can be traced quite obviously by the “hidden” information in the message headers and the attached HTML file. A delicious bonus: the text encoding the scammer(s) declared, even though they sent Japanese text, was “gb2312”, which is the one used for mainland Chinese.
Enjoy!
Note: My - admittedly nerdy - mail software does not render HTML mail but shows only the text and delivers the HTML as an attached file. Other, more convenient (= dangerous) mail software, like Outlook Express, shows the HTML content directly on screen.
received mail:
Note:
recipient mail address replaced with XXXXXXXXXX;
recipient mail server name changed to generic name;
< replaced with { and > replaced with } to render the code ineffective
From: 三菱東京UFJ銀行 {email@bk.mufg.jp}
To: XXXXXXXXXX
Subject: 本人認証サービス
Date: Tue, 21 Oct 2014 01:10:20 +0800
Content-Type: text/html; charset=gb2312
Return-path: {email@bk.mufg.jp}
Envelope-to: XXXXXXXXXX
Delivery-date: Tue, 21 Oct 2014 01:10:40 +0800
Received: from [107.167.79.146] (port=2515 helo=bk.mufg.jp)
by mail.system.net with esmtp (Exim 4.82)
(envelope-from {email@bk.mufg.jp})
id 1XgGTf-0002pe-AS
for XXXXXXXXXX; Tue, 21 Oct 2014 01:10:39 +0800
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-Html: 受信HTML\141021_00\index.htm
こんにちは!
2014年「三菱東京UFJ銀行」のシステムが安全性の更新がされたため、お客様はアカウントが凍結?休眠されないように、直ちにアカウントをご認証ください。
以下のページより登録を続けてください。
entry11.bk.mufg.jp/ibg/dfw/APLI … =AA000_001
――Copyright(C)2014 The Bank of Tokyo-Mitsubishi UFJ,Ltd.All rights reserved――
mail server (107.167.79.146, the address in the Received header):
nslookup:
146.79.167.107.in-addr.arpa domain name pointer cloud2.us.10mvps.com.
traceroute:
1 [AS4685] hirnij31.asahi-net.or.jp (124.155.65.228) 2.508 ms 2.723 ms 1.658 ms
2 [AS4685] hirnirb-ge0.asahi-net.or.jp (124.155.65.254) 2.642 ms 2.903 ms 2.670 ms
3 [AS4685] tkybi5-v9.asahi-net.or.jp (124.155.64.1) 15.667 ms 15.933 ms 15.629 ms
4 [AS4685] kddni3.asahi-net.or.jp (202.224.32.56) 16.641 ms 16.804 ms 16.685 ms
5 [AS2516] 125.29.26.105 (125.29.26.105) 16.597 ms 16.573 ms 16.688 ms
6 [AS2516] otejbb205.int-gw.kddi.ne.jp (118.155.197.1) 78.535 ms
[AS2516] otejbb206.int-gw.kddi.ne.jp (118.155.197.2) 36.583 ms
[AS2516] otejbb205.int-gw.kddi.ne.jp (118.155.197.129) 16.665 ms
7 [AS2516] lajbb002.int-gw.kddi.ne.jp (203.181.100.62) 117.294 ms
[AS2516] lajbb001.int-gw.kddi.ne.jp (203.181.100.18) 116.439 ms
[AS2516] lajbb001.int-gw.kddi.ne.jp (203.181.100.14) 114.847 ms
8 [AS2516] tr-la7.kddnet.ad.jp (59.128.2.158) 115.332 ms 115.710 ms
[AS2516] tr-la7.int-gw.kddi.ne.jp (59.128.2.210) 114.595 ms
9 [AS6939] v216.core1.lax2.he.net (65.19.143.9) 116.527 ms 116.273 ms 114.555 ms
10 [AS46841] 10ge2-3.core1.phx2.he.net (184.105.222.85) 126.548 ms 127.382 ms 127.521 ms
11 [AS6939] 66.160.146.123 (66.160.146.123) 141.519 ms 131.833 ms 130.593 ms
12 * * *
nslookup (bk.mufg.jp, the domain claimed in From and in the HELO):
bk.mufg.jp has address 203.178.124.177
traceroute:
1 [AS4685] hirnij31.asahi-net.or.jp (124.155.65.228) 2.677 ms 1.756 ms 2.648 ms
2 [AS4685] hirnirb-ge0.asahi-net.or.jp (124.155.65.254) 4.598 ms 2.957 ms 2.625 ms
3 [AS4685] tkybi5-v9.asahi-net.or.jp (124.155.64.1) 16.621 ms 15.956 ms 15.619 ms
4 [AS4685] kddni2.asahi-net.or.jp (202.224.32.55) 24.688 ms 16.958 ms 16.615 ms
5 [AS4685] tkyni92.asahi-net.or.jp (202.224.32.92) 16.615 ms 15.968 ms 20.596 ms
6 [AS7521] 210.173.176.46 (210.173.176.46) 16.700 ms 16.929 ms 17.631 ms
7 [AS4713] 122.28.104.169 (122.28.104.169) 16.630 ms 16.885 ms
[AS4713] 210.254.187.41 (210.254.187.41) 16.678 ms
8 [AS4713] 60.37.27.168 (60.37.27.168) 101.437 ms
[AS4713] 60.37.27.169 (60.37.27.169) 16.260 ms
[AS4713] 60.37.27.168 (60.37.27.168) 17.033 ms
9 * * [AS4713] 153.146.171.38 (153.146.171.38) 21.848 ms
10 [AS4713] 221.184.29.190 (221.184.29.190) 19.804 ms 19.472 ms 19.652 ms
11 [AS4680] 202.228.3.73 (202.228.3.73) 19.642 ms 101.156 ms 19.646 ms
12 * * *
========================================
attached HTML file:
Note:
< replaced with { and > replaced with }, to render the code ineffective
{!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"}
{html}{head}
{meta content="text/html; charset=gb2312" http-equiv=Content-Type}
{/head}
{body}
{p}こんにちは!{/p}
{p}2014年「三菱東京UFJ銀行」のシステムが安全性の更新がされたため、お客様はアカウントが凍結?休眠されないように、直ちにアカウントをご認証ください。{/p}
{p}以下のページより登録を続けてください。{/p}
{p}{a
href="http://bk.mufg.jp.frn.cn.com/ibg/dfw/APLIN/loginib/login.htm?_TRANID=AA000_001"}三菱UFJダイレクト
{p}{br}――Copyright(C)2014 The Bank of Tokyo-Mitsubishi UFJ,Ltd.All rights
reserved――{/p}
{p}{/p}{/body}{/html}
“Hidden” URL in HTML file:
bk.mufg.jp.frn.cn.com/ibg/dfw/AP … /login.htm
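As an added example (not the post's own code), a small Python triage script run over a constructed, cut-down copy of this mail: it pulls the relay IP and HELO name from the Received header, compares the link's registrable domain with the claimed sender domain (bk.mufg.jp reused as a subdomain prefix under cn.com), and flags Japanese kana inside a body declared as gb2312. The recipient address is fictitious, and the two-label domain heuristic stands in for a Public Suffix List lookup.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample cut down from the mail above; the recipient address is fictitious.
RAW = (
    "From: email@bk.mufg.jp\r\n"
    "To: recipient@example.invalid\r\n"
    "Received: from [107.167.79.146] (port=2515 helo=bk.mufg.jp)\r\n"
    "\tby mail.system.net with esmtp (Exim 4.82)\r\n"
    "Content-Type: text/html; charset=gb2312\r\n\r\n"
    "<html><body><p>こんにちは!</p><p><a "
    'href="http://bk.mufg.jp.frn.cn.com/ibg/dfw/APLIN/loginib/login.htm?_TRANID=AA000_001">'
    "三菱UFJダイレクト</a></p></body></html>"
).encode("gb2312")  # the scammer's charset: Japanese text in a mainland-Chinese encoding

def parse(raw):
    return message_from_bytes(raw, policy=policy.default)

def relay_ip_and_helo(msg):
    """IP the MX actually accepted the mail from, and the name the relay claimed in HELO."""
    m = re.search(r"from \[([\d.]+)\] \(.*?helo=([^)\s]+)", msg["Received"])
    return (m.group(1), m.group(2)) if m else (None, None)

def registrable_domain(host):
    """Last two labels only; a real tool would consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])

def link_hosts(msg):
    return re.findall(r'href="https?://([^/"]+)', msg.get_content())

def findings(msg):
    """Red flags an analyst would note: link domain vs claimed sender, and charset vs script."""
    flags = []
    sender_host = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    for host in link_hosts(msg):
        if registrable_domain(host) != registrable_domain(sender_host):
            # the bank's hostname reused as a subdomain prefix of an unrelated registrable domain
            kind = "prefix-spoof" if host.lower().startswith(sender_host + ".") else "mismatch"
            flags.append((kind, host))
    charset = msg.get_content_charset() or ""
    if charset.startswith("gb") and re.search(r"[\u3040-\u30ff]", msg.get_content()):
        flags.append(("charset-mismatch", charset))
    return flags

if __name__ == "__main__":
    m = parse(RAW)
    print(relay_ip_and_helo(m), findings(m))
```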
nslookup:
bk.mufg.jp.frn.cn.com has address 126.72.58.76
traceroute:
1 [AS4685] hirnij31.asahi-net.or.jp (124.155.65.228) 2.658 ms 2.729 ms 2.661 ms
2 [AS4685] hirnirb-ge0.asahi-net.or.jp (124.155.65.254) 3.638 ms 2.950 ms 2.664 ms
3 [AS4685] tkybi5-v9.asahi-net.or.jp (124.155.64.1) 15.664 ms 15.924 ms 15.671 ms
4 [AS4685] tkyni92.asahi-net.or.jp (202.224.32.92) 16.647 ms 24.646 ms 24.650 ms
5 [AS4685] ebgp-sb2.asahi-net.or.jp (202.224.35.109) 20.661 ms 18.880 ms 19.662 ms
6 * * *
7 [AS17676] softbank221111178246.bbtec.net (221.111.178.246) 17.759 ms 17.429 ms 17.658 ms
8 [AS17676] softbank221110221034.bbtec.net (221.110.221.34) 17.651 ms 17.221 ms 17.666 ms
9 * * *
nslookup:
76.58.72.126.in-addr.arpa domain name pointer softbank126072058076.bbtec.net.
traceroute:
1 [AS4685] hirnij31.asahi-net.or.jp (124.155.65.228) 2.585 ms 2.671 ms 2.660 ms
2 [AS4685] hirnirb-ge0.asahi-net.or.jp (124.155.65.254) 2.651 ms 2.921 ms 2.666 ms
3 [AS4685] tkybi5-v9.asahi-net.or.jp (124.155.64.1) 15.667 ms 15.950 ms 15.648 ms
4 [AS4685] tkyni92.asahi-net.or.jp (202.224.32.92) 26.636 ms 24.836 ms 21.647 ms
5 [AS4685] ebgp-sb2.asahi-net.or.jp (202.224.35.109) 19.568 ms 17.921 ms 19.645 ms
6 * * *
7 [AS17676] softbank221111178246.bbtec.net (221.111.178.246) 17.779 ms 17.421 ms 18.004 ms
8 [AS17676] softbank221110221034.bbtec.net (221.110.221.34) 17.556 ms 17.914 ms 17.653 ms
9 * * *
That is all.