Fraudsters use encoded urls to target Barclays accounts

Customers of Barclays Bank have received e-mails that use URL encoding and a widely publicised bug in Internet Explorer to obscure the name of the target fraud site. The use of URL encoding seems to be an innovation for this type of mail, albeit a predictable one.

Viewing the source code of the e-mail link will usually reveal the hoax, showing the target URL is unrelated to the bank. In this case, the e-mail link is encoded with hexadecimal numbers, with each encoded character beginning with "%". Thus, the source code looks like:

http://ibank.barclays.co.uk%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01@%77%77%77%2E%6E%65%77%79%65%72
%73%6D%2E%63%6F%6D:%38%30/%31%2C%2C%6C%6F%67%6F%6E%2C%30%30%2E
%70%68%70

The '%01' characters exploit a bug in Microsoft's Internet Explorer web browser which obscures the appearance of the URL. The encoded characters make it tricky for recipients to spot the "@" sign and "://" that give away the concealed URL of the target web page. The real URL is

http://www.newyersm.com:80/1,,logon,00.php

which no longer resolves, but previously was in a netblock owned by Affinity Internet, Inc.
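Decoding a link of this shape, as an added example that is not part of the original article: the helper below percent-decodes the link, separates the decoy text before "@" (which a browser treats as userinfo, not as the host) from the host it actually connects to, and lists the red flags a mail filter or help-desk reviewer would look for. The sample link is the article's, with its run of %01 padding shortened; the assumption is that the padding length does not matter to the decoding.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the obfuscated link quoted in the article, with the
# long run of %01 padding shortened (assumption: padding length is irrelevant).
SAMPLE_LINK = (
    "http://ibank.barclays.co.uk%01%01%01%01%01%01"
    "@%77%77%77%2E%6E%65%77%79%65%72%73%6D%2E%63%6F%6D:%38%30"
    "/%31%2C%2C%6C%6F%67%6F%6E%2C%30%30%2E%70%68%70"
)


def reveal_link(link):
    """Percent-decode a link and separate the decoy 'userinfo' text before
    '@' from the host the browser would actually connect to.
    Returns the decoded URL, the real destination, the decoy text and a
    list of red flags (empty for a plain, unencoded link)."""
    decoded = unquote(link)
    parts = urlsplit(decoded)
    flags = []
    # Everything before '@' in the authority is userinfo, not the host.
    if "@" in parts.netloc:
        decoy, _, real_host = parts.netloc.rpartition("@")
        flags.append("userinfo '@' trick: text before '@' is not the host")
    else:
        decoy, real_host = "", parts.netloc
    # Control characters such as %01 never belong in a legitimate link.
    if re.search(r"[\x00-\x1f]", decoded):
        flags.append("control characters in URL")
    # Percent-encoded letters in the host part (after '@') signal deliberate
    # obfuscation: a plain hostname needs no encoding at all.
    authority_raw = link.split("://", 1)[-1].split("/", 1)[0]
    if re.search(r"%[0-9a-fA-F]{2}", authority_raw.rpartition("@")[2]):
        flags.append("percent-encoded host")
    return {
        "decoded": decoded,
        "real_url": f"{parts.scheme}://{real_host}{parts.path}",
        "decoy": decoy.strip("\x01"),
        "flags": flags,
    }


if __name__ == "__main__":
    result = reveal_link(SAMPLE_LINK)
    print("decoy shown to reader:", result["decoy"])
    print("real destination:", result["real_url"])
    print("red flags:", result["flags"])
```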

The text of the mail reads:

From: Barclays IBank support [mailto:service@ibank.barclays.co.uk]
Sent: 08 January 2004 13:05
To: XXXXXXXXXXXXXXXXXXXXXXXXXX
Subject: Important your Barclays IBank account information.

Dear Barclays IBank Customer!
As part of our continuing commitment to
protect your account and to reduce the instance
of fraud on our website, we are undertaking a
period review of our member accounts. You are
requested to visit our site by following the link
given below. This is required for us to continue
to offer you a safe and risk free environment to
send and receive money online, and maintain the
Barclays IBank Experience. In success you will be
redirected to the Barclays IBank home page. Thank you.

"We are aware that some customers are receiving a message from an email address posing as Barclays Bank," Barclays told customers in a message on its IBank login at the URL being spoofed. "Barclays is in no way involved with this scam email and the website does not belong to us. ... Barclays does not send any emails to customers requesting your security or any other confidential information."

Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.