I want to “phish” Phishing-target bank customers, Part 1

People receive a lot of e-mails in their mailboxes on a daily basis. Some of them are interesting and relevant, others are not. Some aim to inform the recipient and others…well, they simply want to harm the recipient, like the e-mail depicted in the image below. Before diving into the analysis, it should be stated that all identifiable details (IP addresses, contact person details, phone numbers, hacked sites, the targeted bank, etc.) have been anonymized (e.g. the targeted bank’s name is replaced with the fictitious Phishing-target bank) in order to prevent any unnecessary disclosure of information and to respect the wish of the real bank, which did not want its name mentioned as the target of a phishing campaign.

Received e-mail

Let’s take a look. Since I do not speak Danish, I’ll use the Google Translate service (https://translate.google.com/) to see what it says.

Wow, it says that if I don’t download and complete the attached form by 21st June my credit card will be suspended!!!

From Phishing-target Bank Mon Jun 23 03:46:31 2014

Dear customer,
Nets have created a new method to protect the safety
the customer from fraudulent activity on credit cards.
For your protection IC, we invite you to register for free.

Note: If you take no action fronts June 21, 2014, we will
be forced to permanently suspend your card with your issuing bank.

You must download and complete the form to confirm your information.

Phishing-target Bank

Translated message

Well, if I am a customer of Phishing-target bank, I am alarmed.

Is this an e-mail actually coming from Phishing-target Bank (http://www.phishing-targetbank.dk/)? Should I download and complete the form?

How can I be sure that this e-mail is not malicious?

Well, first of all who is the sender?

The e-mail has been sent from “Phishing-target Bank <creditcardsdepartment@phishing-targetbank.dk>”. Is this a real Phishing-target bank e-mail address? If it is, Google might know it…

At this point I search the sender’s e-mail address using Google…

Google search results for “creditcardsdepartment@phishing-targetbank.dk”

Google does not know this e-mail address, but there is a Credit Cards department within the Phishing-target bank group (www.phishing-target.dk/credit%20cards%20department/home.html).

At this point I visit the credit cards department page…

Well, if the bank were real, I would see that the Phishing-target bank group has a credit cards department, which, among other things, deals with suspending customers’ credit cards. But does the credit cards department have an e-mail address? Could they inform a customer about his / her card by e-mail? Would they do that? How can a customer find out? The most obvious and “safe” answer is to phone the bank and ask: “Hello, I am your customer, did your credit cards department send me an e-mail about suspending my card?”

At this point the Phishing-target employee on the phone would be alarmed and tell the customer that the bank will never inform them by e-mail about suspending their card.

In such cases, the first step of the investigation is finding out where the e-mail actually came from. How do we do that? Well…we can examine the e-mail header.


From Phishing-target Bank Mon Jun 23 03:46:31 2014
X-Apparently-To: xxxxxxxxxxxx@yahoo.com via; Mon, 23 Jun 2014 10:46:36 +0000
Return-Path: <creditcardsdepartment@phishing-targetbank.dk>
Received-SPF: permerror (encountered permanent error during SPF processing of domain of phishing-target.dk)
X-Originating-IP: [xx.xxx.xxx.170]
Authentication-Results: mta1252.mail.ne1.yahoo.com  from=phishing-targetbank.dk; domainkeys=neutral (no sig);  from=phishing-targetbank.dk; dkim=neutral (no sig)
Received: from  (EHLO xxxx.ru) (xx.xxx.xxx.170)
  by mta1252.mail.ne1.yahoo.com with SMTP; Mon, 23 Jun 2014 10:46:33 +0000
Received: from localhost ([] helo=User)
  by xxxx.ru with smtp (Exim 4.72)
  (envelope-from <creditcardsdepartment@phishing-targetbank.dk>)
  id 1Wz1lf-0005y5-6P; Mon, 23 Jun 2014 14:46:31 +0400
From: "Phishing-target Bank"<creditcardsdepartment@phishing-targetbank.dk>
Subject: Phishing-target : suspendere kreditkort
Date: Mon, 23 Jun 2014 03:46:31 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
Content-Length: 4731

E-mail header

So, I am a customer of a Danish bank and I received an e-mail supposedly from them. I suppose I would expect the e-mail to originate from an IP address registered to Phishing-target bank. Does it?

The X-Originating-IP field is the header line in which the receiving mail provider (here Yahoo) records the IP address of the host that handed the e-mail over to it, i.e. the last hop before our mailbox; it is the same address that appears in the topmost Received line, which is the only Received line we did not have to take on trust, since everything below it could have been written by the sender. So what does the received e-mail tell us? Well, it tells us that it came from IP address xx.xxx.xxx.170. Where is this address located?
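As an added example (not part of the original article), the following Python script automates the header checks made here by hand using only the standard library: it reconstructs the path from the Received lines bottom-up, compares X-Originating-IP with the address in the topmost (trusted) Received line, and notes that the EHLO name, the SPF result and the DKIM result do not support the claimed sender. The header text is constructed from the anonymised header shown above; the function names are my own.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed from the anonymised header shown in the post (unused fields dropped).
RAW_HEADER = """\
Received-SPF: permerror (encountered permanent error during SPF processing of domain of phishing-target.dk)
X-Originating-IP: [xx.xxx.xxx.170]
Authentication-Results: mta1252.mail.ne1.yahoo.com from=phishing-targetbank.dk; domainkeys=neutral (no sig); from=phishing-targetbank.dk; dkim=neutral (no sig)
Received: from  (EHLO xxxx.ru) (xx.xxx.xxx.170)
  by mta1252.mail.ne1.yahoo.com with SMTP; Mon, 23 Jun 2014 10:46:33 +0000
Received: from localhost ([] helo=User)
  by xxxx.ru with smtp (Exim 4.72)
  (envelope-from <creditcardsdepartment@phishing-targetbank.dk>)
  id 1Wz1lf-0005y5-6P; Mon, 23 Jun 2014 14:46:31 +0400
From: "Phishing-target Bank"<creditcardsdepartment@phishing-targetbank.dk>
"""
IP = r"([0-9x]{1,3}(?:\.[0-9x]{1,3}){3})"  # dotted quad; also matches the post's "xx" octets

def trace_path(msg):
    """Hops oldest-first as (from, by, UTC time). Every relay prepends its own Received
    line, so only the topmost one, written by our own provider, can be trusted."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = " ".join(raw.split())  # unfold continuation lines
        m = re.search(r"from\s+(.*?)\s+by\s+(\S+)", line)
        when = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
        hops.append((m.group(1), m.group(2), when.astimezone(timezone.utc)))
    return hops

def analyse(raw):
    msg = message_from_string(raw)
    top = " ".join(msg.get_all("Received")[0].split())  # the first trusted hop
    f = {
        "connecting_ip": re.search(r"\(" + IP + r"\)", top).group(1),
        "x_originating_ip": re.search(IP, msg["X-Originating-IP"]).group(1),
        "ehlo_name": re.search(r"EHLO (\S+)\)", top).group(1),
        "from_domain": re.search(r"@([^>]+)>", msg["From"]).group(1),
        "spf": msg["Received-SPF"].split()[0],
        "dkim": re.search(r"dkim=(\w+)", msg["Authentication-Results"]).group(1),
        "hops": trace_path(msg),
    }
    f["red_flags"] = [flag for bad, flag in (
        (f["connecting_ip"] != f["x_originating_ip"], "X-Originating-IP disagrees with the first trusted hop"),
        (not ("." + f["ehlo_name"]).endswith("." + f["from_domain"]), "EHLO host is not in the From: domain"),
        (f["spf"] != "pass", "SPF result is " + f["spf"]),
        (f["dkim"] != "pass", "DKIM result is " + f["dkim"]),
    ) if bad]
    return f
```

Calling `analyse(RAW_HEADER)` on this header returns three red flags (EHLO host outside the From: domain, SPF permerror, DKIM neutral), while X-Originating-IP agrees with the trusted hop, exactly as read off by hand above.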

Using my favorite WHOIS service (whois.domaintools.com) I see it is located in “Irkutsk, Russian Federation”.

IP Information for xx.xxx.xxx.170

IP Location: Russian Federation, Irkutsk, ISPsystem CJSC
ASN: AS29xxx ISPSYSTEM-AS ISPsystem, cjsc, LU (registered Jun 23, 2003)
Reverse IP: 76 websites use this address.
inetnum:        xx.xxx.xxx.0 – xx.xxx.xxx.255
netname:        THEFIRST-NET
org:            ORG-FVDS1-RIPE
descr:          TheFirst-RU customers (WebDC Msk)
country:        RU
admin-c:        AB11xxx-RIPE
tech-c:         ST63xx-RIPE
status:         ASSIGNED PA
mnt-by:         ISPSYSTEM-MNT
mnt-by:         THEFIRST-MNT
source:         RIPE # Filtered

organisation:   ORG-FVDS1-RIPE
org-name:       CJSC THE FIRST
org-type:       OTHER
address:        CJSC The First, xxxxxxxx
address:        PoBoxxx, Irkutsk, xxxxxx
address:        Russian Federation
mnt-ref:        THEFIRST-MNT
mnt-by:         ISPSYSTEM-MNT
source:         RIPE # Filtered

person:         Contact Person 1
address:       xxxxxxxxxxx
address:        Irkutsk, xxxxxx, Russian Federation
phone:          +7 3952 xxxxxx
nic-hdl:        AB11xxx-RIPE
mnt-by:         ISPSYSTEM-MNT
source:         RIPE # Filtered

person:         Contact Person 2
address:        xxxxxxxxxxx
address:        Irkutsk, xxxxxx, Russian Federation
phone:          +7 3952 xxxxxx
nic-hdl:        ST63xx-RIPE
mnt-by:         ISPSYSTEM-MNT
source:         RIPE # Filtered

route:          xx.xxx.xxx.0/23
descr:          TheFirst-RU
origin:         AS29xxx
mnt-by:         THEFIRST-MNT
source:         RIPE # Filtered

IP WHOIS information

If we want to analyze the e-mail header a little further, we can use my favorite online e-mail tracer to track the route the e-mail took before it reached our mailbox.

The mail appears to be originated from the computer with IP
address xx.xxx.xxx.170 (xxxx.ru).
   The contact information of the ISP for the above IP address is,

       +7 3952 xxxxxx
        Contact Person 2, Irkutsk, xxxxxx, Russian Federation

   The sender’s email address is creditcardsdepartment@phishing-targetbank.dk
   The message-id of the the mail is <>.
Path traced by the mail (reconstructed from the Received lines above):

  1. localhost (helo=User) -> xxxx.ru [xx.xxx.xxx.170]: Mon, 23 Jun 2014 14:46:31 +0400
     (the Date: header, Mon, 23 Jun 2014 03:46:31 -0700, is the same instant, 10:46:31 UTC)
  2. xxxx.ru [xx.xxx.xxx.170] -> mta1252.mail.ne1.yahoo.com: Mon, 23 Jun 2014 10:46:33 +0000

Details obtained from Regional Internet Registry
xxxxxxxx Irkutsk, xxxxxx, Russian Federation

xx.xxx.xxx.170 / THEFIRST-NET

% This is the RIPE Database query service.
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the “-B” flag.

% Information related to ‘xx.xxx.xxx.0 – xx.xxx.xxx.255’

% Abuse contact for ‘xx.xxx.xxx.0 – xx.xxx.xxx.255’ is ‘abuse@ispsystem.com’

inetnum: xx.xxx.xxx.0 – xx.xxx.xxx.255
descr: TheFirst-RU customers (WebDCMsk)
country: RU
admin-c: AB11xxx-RIPE
tech-c: ST63xx-RIPE
source: RIPE # Filtered

organisation: ORG-FVDS1-RIPE
org-name: CJSC THE FIRST
org-type: OTHER
address: CJSC The First, xxxxxxxxxx
address: PoBoxxx, Irkutsk, xxxxxxx
address: Russian Federation
abuse-mailbox: abuse@abusehost.ru
source: RIPE # Filtered

person: Contact Person 1
address: xxxxxxxxxxx
address: Irkutsk, xxxxxx, Russian Federation
phone: +7 3952 xxxxxx
nic-hdl: AB11xxx-RIPE
source: RIPE # Filtered

person: Contact Person 2
address: xxxxxxxxxxx
address: Irkutsk, xxxxxx, Russian Federation
phone: +7 3952 xxxxxxx
nic-hdl: ST63xx-RIPE
source: RIPE # Filtered

% Information related to ‘xx.xxx.xxx.0/23AS29xxx’

route: xx.xxx.xxx.0/23
descr: TheFirst-RU
origin: AS29xxx
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.73.1 (DB-3)

E-mail header analysis

To conclude: I have received an e-mail that claims to come from a Danish bank group (Phishing-target) but was actually sent from Russia.

So far, I have enough reason not to download the form and to report this e-mail as phishing to one of the online anti-phishing sites (http://www.phishtank.com/, http://www.antiphishing.org/, etc.).

It is worth noting here that even if the e-mail had originated from an IP address in Denmark registered to the Phishing-target bank group, it is recommended that the recipient phone the bank in order to be certain that he / she is not being phished. Banks do not usually notify customers by e-mail about suspending credit cards, changing account credentials, etc.

Is there anything else this e-mail can tell us? Hmmm, we have checked the body and the header…did we check the attachment? The mail asked the recipient to download a form, did it not?

In part 2 of the article we will see what the form can tell us….


This article is written for scientific purposes. It aims to:

  • educate ordinary users on how to identify phishing e-mails and what they should be careful of in order not to get phished, and
  • educate more advanced users in phishers’ techniques and how these can be analyzed.