Subject: | Renew your registration of the Login App |
From: | "Van Lanschot" <berichtbox@ewdsqwa.nl> |
Date: | Fri, 19 Apr 2019 |
To: | info@yourdomain.tld |
Reply-To: | berichtbox@ewdsqwa.nl |
Dear client,
We would like to inform you in good time of changes that will take place in Mijn van Lanschot or the Login App.
The access of one or more devices to your Login App will expire soon. To prevent your access to the app from being refused, you can update the app and renew the access for the device in question.
You are required to re-register or renew your device annually in connection with our security standards for Mijn van Lanschot. To renew your registration you need your digipas. Are you still using a webber? Then request a digipas first. The Webber can no longer be used as of 1 March 2019.
Thank you in advance for your cooperation.
Kind regards,
Van Lanschot
Scam alert! The e-mail above is a SCAM. It’s a phishing scam (in Dutch), trying to get your bank details by luring you to a fake bank website. The message is completely fake. The real Van Lanschot Bank did NOT send this. Be warned!
If you’ve received this by e-mail then mark it as SPAM (if possible) and/or DELETE it.
The link in this e-mail leads to a fake Van Lanschot Bank website (on url https://adqwsad.club/vanlanschot/), see screenshot below:
Yes they even included a captcha field which must be ticked off to continue submission! Or you’ll get the following (mostly empty) page:
After submitting your account details you will get the following screen with a spinning wheel which keeps spinning forever.
I’d expected I would have to give more details (passwords etc.) but apparently they have enough with your username and digipas number. It seems the website was (also?) designed to infect the visitor with some form of malware as it tries to push multiple files to the browser:
The ip-address hosting this website is located in Iran:
Domainname: adqwsad.club
IP-address: 185.94.98.211
GeoIP Country Edition: IR, Iran, Islamic Republic of
GeoIP City Edition, Rev 1: IR, N/A, N/A, N/A, N/A, 35.696098, 51.423100, 0, 0
GeoIP ASNum Edition: AS204213 Netmihan Communication Company Ltd
The sender address and sending domain is ‘ewdsqwa.nl’, which looks like a random domain name set up with DKIM to avoid being spotted as spam. It was hosted at Easyhost.be in Belgium. The target of this phishing mail spam seems to be mainly (Dutch) businesses:
Domainname: ewdsqwa.nl
IP-address: 185.144.100.8
ewdsqwa.nl mail is handled by 50 mx.backup.mailprotect.be.
ewdsqwa.nl mail is handled by 10 mx.mailprotect.be.
GeoIP Country Edition: NL, Netherlands
GeoIP City Edition, Rev 1: NL, 07, Noord-Holland, Amsterdam, 1101, 52.308399, 4.941700, 0, 0
GeoIP ASNum Edition: AS200039 Hydra Communications Ltd
Too bad the .club domain owner details are protected (for privacy reasons). You can only get the registration details by submitting an RDDS request. A regular WHOIS search only provides the details below:
Domain Name: adqwsad.club
Registrar URL: http://key-systems.net
Updated Date: 2019-04-19T00:12:30Z
Creation Date: 2019-04-19T00:05:16Z
Registry Expiry Date: 2020-04-19T00:05:16Z
Registrar: Key-Systems LLC
Registrar IANA ID: 1345
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID:
Registrant Name:
Registrant Organization:
Registrant Street:
Registrant Street:
Registrant Street:
Registrant City:
Registrant State/Province:
Registrant Postal Code:
Registrant Country: NL
Registrant Phone:
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: ns1.datatron.network
Name Server: ns2.datatron.network
DNSSEC: unsigned
Be wary of any email supposedly coming from your bank. Check the links used; if they do not match the original domain name your bank uses, do not click on them! Even better: never click on these links but open the banking website in a browser yourself. Read more about phishing and secure online banking from Van Lanschot (in Dutch).
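The checks described above can be scripted for mail triage. The following is an added example, not part of the original post: it compares the sender domain and link hosts of a message against the bank's domain and flags link domains registered shortly before the mail was sent. The bank domain `vanlanschot.nl`, the time of day in the sample and the helper names are assumptions.

```python
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlsplit

# Assumption: the domain the bank really uses; confirm it out of band.
BANK_DOMAINS = {"vanlanschot.nl"}
BRAND = "van lanschot"

# Constructed sample: headers from this page in RFC 5322 form, with the
# reported link placed in the body and a time of day added.
SAMPLE = """\
From: "Van Lanschot" <berichtbox@ewdsqwa.nl>
Reply-To: berichtbox@ewdsqwa.nl
Date: Fri, 19 Apr 2019 09:00:00 +0000

Verleng uw registratie: https://adqwsad.club/vanlanschot/
"""
# WHOIS "Creation Date" value quoted on this page.
WHOIS_CREATED = {"adqwsad.club": "2019-04-19T00:05:16Z"}

def under(host, domains):
    """True if host is one of domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw, created=WHOIS_CREATED, max_age_days=30):
    """Return a list of findings for one plain-text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    sent = parsedate_to_datetime(msg["Date"])
    findings = []
    sender_domain = addr.rpartition("@")[2]
    if BRAND in name.lower() and not under(sender_domain, BANK_DOMAINS):
        findings.append(f"display name claims bank, sender is {sender_domain}")
    for word in msg.get_payload().split():
        if not word.startswith(("http://", "https://")):
            continue
        url = urlsplit(word)
        host = url.hostname or ""
        if not under(host, BANK_DOMAINS):
            findings.append(f"link host {host} is not a bank domain")
        if BRAND.replace(" ", "") in url.path.lower():
            findings.append(f"bank name only in URL path of {host}")
        if host in created:
            reg = datetime.fromisoformat(created[host].replace("Z", "+00:00"))
            age = (sent - reg).days
            if age <= max_age_days:
                findings.append(f"{host} registered {age} days before sending")
    return findings
```

The suffix match in `under` is deliberate: a host such as `vanlanschot.nl.adqwsad.club` contains the bank's name but is not under the bank's domain.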