Saturday, September 6, 2008

KFH Scam Sites

I was checking my ancient Hotmail (Windows Live) account and found an email in the "junk folder" from Kuwait Finance House (KFH) asking me to update my information. Well, the thing is that I'm not a KFH customer to begin with!

Here's a screenshot of how the email looked:

The registration link points at a scam website:

A quick whois shows that the site is not related to the legitimate KFH:

Legitimate KFH records:
   Administrative Contact, Technical Contact:
Finance House, Kuwait ebusiness@KFH.COM
Kuwait Finance House
Kuwait Finance House -Almorgab
Almorgab KW 24989
+965 2439211 fax: +965-2448107

Record expires on 07-Mar-2010.
Record created on 06-Mar-1996.
Database last updated on 6-Sep-2008 10:54:56 EDT.

Domain servers in listed order:


Scam KFH site:
Domain name:

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
Bellevue, WA 98007

These are the email headers:
X-Message-Delivery: Vj0zLjQuMDt1cz0wO2w9MDthPTA=
X-Message-Status: n:0
X-Message-Info: bKPJ5fID7nvr4q44yl8SAb7jxAnprY7AZ6DqJRTR/ubhk5PinpoWw0lC+PS7sSN+C7H+SA5wb6lYG+N+qpiX3w==
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.2668);
Fri, 5 Sep 2008 21:30:05 -0700
Received: from User ([]) by with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 5 Sep 2008 17:19:25 -0400
Subject: Update Your Records Please
Date: Fri, 5 Sep 2008 17:19:25 -0400
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-OriginalArrivalTime: 05 Sep 2008 21:19:25.0567 (UTC) FILETIME=[12C0B0F0:01C90F9D]

Firefox users already get a warning that this site is a scam site:

Also, if you alter the link so that it points to a page that doesn't exist, you get a crap page like this:

I'm surprised they're targeting Arabs now, after seeing the eBay and PayPal scam emails.

If you're an admin for an email server, you can block the sender's IP as shown in the headers, or if you wanna take it a step further, deny the whole subnet reserved for that host.
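One way to pull the address to block out of the Received headers, as an added example that is not part of the original post. The host names and addresses are constructed (the ones in the headers above are blank), `trusted_hosts` and `internal_nets` are hypothetical parameters, and the /24 default is an assumption.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: RFC 5737 documentation addresses and hypothetical host
# names stand in for the values that are blank in the headers on this page.
SAMPLE = """\
Received: from relay.example.net ([198.51.100.23]) by mx1.example.org with Microsoft SMTPSVC(6.0.3790.2668);
\t Fri, 5 Sep 2008 21:30:05 -0700
Received: from User ([192.0.2.77]) by relay.example.net with Microsoft SMTPSVC(6.0.3790.3959);
\t Fri, 5 Sep 2008 17:19:25 -0400
Subject: Update Your Records Please
"""

# Matches the "from NAME ([IP]) by HOST" layout used in the headers above;
# other mail servers write Received lines differently.
RECEIVED_RE = re.compile(r"from\s+\S+\s+\(\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def hops(raw):
    """Return (ip, by_host) for each parsable Received header, newest first."""
    found = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # bracketed text is not a valid address
        found.append((ip, m.group(2).lower()))
    return found

def boundary_ip(raw, trusted_hosts, internal_nets=()):
    """Address that handed the mail to the first server you control, or None."""
    # Each relay prepends its own Received line, so only lines written by your
    # servers are reliable; anything below them was supplied by the sender.
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    for ip, by_host in hops(raw):
        if by_host not in trusted_hosts:
            break  # written outside your infrastructure, may be forged
        if not any(ip in net for net in nets):
            return ip
    return None

def block_candidate(ip, prefix_len=24):
    """Enclosing network for a wider block. prefix_len is an assumption:
    read the real allocation from the whois record for the address."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
```

With `trusted_hosts={"mx1.example.org"}` the sample yields 198.51.100.23, the relay that connected to the receiving server, rather than the address in the older, sender-supplied line beneath it.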
