Saturday, September 6, 2008

KFH Scam Sites

I was checking my ancient Hotmail (Windows Live) account and found an email in the "junk folder" from Kuwait Finance House (KFH) asking me to update my information. Well, the thing is that I'm not a KFH customer to begin with!

Here's a screenshot of how the email looked:


The registration link points at a scam website: kffhonline.com
A quick whois shows that the site is not related to the legitimate KFH:

Legitimate KFH records:
   Administrative Contact, Technical Contact:
Finance House, Kuwait ebusiness@KFH.COM
Kuwait Finance House
Kuwait Finance House -Almorgab
Almorgab KW 24989
KW
+965 2439211 fax: +965-2448107


Record expires on 07-Mar-2010.
Record created on 06-Mar-1996.
Database last updated on 6-Sep-2008 10:54:56 EDT.

Domain servers in listed order:

DNS.KFH.COM 168.187.220.2
DNS2.KFH.COM 195.39.157.3


Scam KFH site:
Domain name: kffhonline.com

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (rhbxhmps@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O kffhonline.com
Bellevue, WA 98007
US


These are the email headers:
X-Message-Delivery: Vj0zLjQuMDt1cz0wO2w9MDthPTA=
X-Message-Status: n:0
X-SID-PRA: KFH ONLINE
X-Message-Info: bKPJ5fID7nvr4q44yl8SAb7jxAnprY7AZ6DqJRTR/ubhk5PinpoWw0lC+PS7sSN+C7H+SA5wb6lYG+N+qpiX3w==
Received: from metrostone.net ([64.16.167.205]) by bay0-mc3-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Fri, 5 Sep 2008 21:30:05 -0700
Received: from User ([24.74.153.158]) by metrostone.net with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 5 Sep 2008 17:19:25 -0400
From: "KFH ONLINE"
Subject: Update Your Records Please
Date: Fri, 5 Sep 2008 17:19:25 -0400
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: kfh@online.kfh.com
Message-ID:
X-OriginalArrivalTime: 05 Sep 2008 21:19:25.0567 (UTC) FILETIME=[12C0B0F0:01C90F9D]


Firefox users already get a warning that this site is a scam site:


Also, if you change the link to provoke an incorrect link, you get a crap page like this:



I'm surprised they're targeting Arabs now, after seeing the eBay and PayPal scam emails.

If you're an admin for an email server, you can block the IP of the sender as shown in the headers, or if you wanna pick it up higher, deny the whole subnet that the host has reserved.

No comments: