Dutch phishing mail: Van Lanschot – Verleng uw registratie van de Login App (Renew your registration of the Login App)

Subject: Verleng uw registratie van de Login App
From:   "Van Lanschot" <berichtbox@ewdsqwa.nl>
Date:   Fri, 19 Apr 2019
To:   info@yourdomain.tld
Reply-To:   berichtbox@ewdsqwa.nl

Dear customer,

We would like to inform you in good time of changes that will take place in Mijn van Lanschot or the Login App.

Access to your Login App for one or more devices will expire soon. To prevent your access to the app from being refused, you can update the app and renew access for the device in question.

You are required to re-register or renew your device every year in connection with our security standards for Mijn van Lanschot. To renew your registration you need your digipas. Are you still using a Webber? Then request a digipas first. The Webber can no longer be used as of 1 March 2019.

Renew Login App

Thank you in advance for your cooperation.

Kind regards,
Van Lanschot


Scammer Alert

Scam alert! The e-mail above is a SCAM. It’s a phishing scam (in Dutch), trying to get your bank details by luring you to a fake bank website. The message is completely fake. The real Van Lanschot Bank did NOT send this. Be warned!

If you’ve received this by e-mail, then mark it as SPAM (if possible) and/or DELETE it.


The link in this e-mail leads to a fake Van Lanschot Bank website (on url https://adqwsad.club/vanlanschot/), see screenshot below:

Van Lanschot bank fake phishing website

Yes, they even included a CAPTCHA field that must be ticked before the form can be submitted. Otherwise you get the following (mostly empty) page:

Van Lanschot phishing website Captcha fail page

After submitting your account details you get the following screen, with a spinning wheel that keeps spinning forever.

Van Lanschot bank fake phishing website - Page after logging in

I’d expected I would have to give more details (passwords etc.) but apparently they have enough with your username and digipas number. It seems the website was (also?) designed to infect the visitor with some form of malware as it tries to push multiple files to the browser:

The IP address hosting this website is located in Iran:

Domainname: adqwsad.club
IP-address: 185.94.98.211
GeoIP Country Edition: IR, Iran, Islamic Republic of
GeoIP City Edition, Rev 1: IR, N/A, N/A, N/A, N/A, 35.696098, 51.423100, 0, 0
GeoIP ASNum Edition: AS204213 Netmihan Communication Company Ltd

The sender address and sending domain is ‘ewdsqwa.nl’, which looks like a random domain name set up with DKIM to avoid being spotted as spam. It was hosted at Easyhost.be in Belgium. The target of this phishing mail spam seems to be mainly (Dutch) businesses:

Domainname: ewdsqwa.nl
IP-address: 185.144.100.8
ewdsqwa.nl mail is handled by 50 mx.backup.mailprotect.be.
ewdsqwa.nl mail is handled by 10 mx.mailprotect.be.
GeoIP Country Edition: NL, Netherlands
GeoIP City Edition, Rev 1: NL, 07, Noord-Holland, Amsterdam, 1101, 52.308399, 4.941700, 0, 0
GeoIP ASNum Edition: AS200039 Hydra Communications Ltd

Too bad the .club domain owner details are protected (for privacy reasons). You can only get the registration details by submitting an RDDS request. A regular WHOIS search only provides the details below:

Domain Name: adqwsad.club
Registrar URL: http://key-systems.net
Updated Date: 2019-04-19T00:12:30Z
Creation Date: 2019-04-19T00:05:16Z
Registry Expiry Date: 2020-04-19T00:05:16Z
Registrar: Key-Systems LLC
Registrar IANA ID: 1345
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID:
Registrant Name:
Registrant Organization:
Registrant Street:
Registrant Street:
Registrant Street:
Registrant City:
Registrant State/Province:
Registrant Postal Code:
Registrant Country: NL
Registrant Phone:
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: ns1.datatron.network
Name Server: ns2.datatron.network
DNSSEC: unsigned

Be wary of any email supposedly coming from your bank. Check the links used: if they do not match the original domain name your bank uses, do not click on them! Even better: never click on these links, but open the banking website in a browser yourself. Read more about phishing and secure online banking from Van Lanschot (in Dutch).
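
The link check described above can be automated. The following is an added example, not part of the original post: it compares the sender address and every link host against the bank's own domain, so a brand name in the display name or in the URL path (as in this mail) does not count. It assumes vanlanschot.nl is the bank's real domain; the HTML markup of the sample is constructed around the From header and URL shown above.

```python
# Added example: flag sender addresses and links that do not belong to the bank.
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domain the real bank uses; not stated on the original page.
TRUSTED_DOMAINS = {"vanlanschot.nl"}


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def audit_mail(from_header, html_body):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    display, addr = parseaddr(from_header)
    sender_host = addr.rpartition("@")[2]
    if not host_is_trusted(sender_host):
        findings.append(f"sender domain {sender_host!r} is not the bank's (display name {display!r})")
    collector = _LinkCollector()
    collector.feed(html_body)
    for href in collector.hrefs:
        # urlsplit().hostname ignores userinfo and path, so a brand name in
        # "user@" or "/vanlanschot/" cannot make a foreign host look trusted.
        host = urlsplit(href).hostname
        if not host_is_trusted(host):
            findings.append(f"link host {host!r} is not the bank's: {href}")
    return findings


# Constructed sample: From header and URL from the mail above, HTML markup invented.
SAMPLE_FROM = '"Van Lanschot" <berichtbox@ewdsqwa.nl>'
SAMPLE_HTML = '<p><a href="https://adqwsad.club/vanlanschot/">Login App verlengen</a></p>'

if __name__ == "__main__":
    for finding in audit_mail(SAMPLE_FROM, SAMPLE_HTML):
        print(finding)
```

Links without a host (relative or mailto: links) are also reported, since they cannot be matched to the bank's domain.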

Post Author: Webmaster
