What follows is an email exchange between myself and the CIBC fraud division. I am attempting to report an email as a phishing attempt, as one can clearly see.

Note that anything in yellow is either a comment or a redacted section.

Hi there,

I just got an email alleged to be from service@cibc.com asking me to verify my account. The phishers sent this particular email to about 25 email addresses at a time.

Attached is a file labelled “cibc.htm”. When opened, this file looks like this: http://nickheer.com/go/xxxx [URL redacted per CIBC request] (jpg screenshot).

The headers for the email sent are as follows:
From: SERVICE@CIBC.COM
Subject: CIBC - Verify your information.
Date: April 21, 2010 12:43:45 PM MDT
To: [REDACTED — my email]
Return-Path: service@cibc.com
Envelope-To: [REDACTED — my email]
Delivery-Date: Wed, 21 Apr 2010 14:45:06 -0400
Received: from impinc02.yourhostingaccount.com ((10.1.13.102) helo=impinc02.yourhostingaccount.com) by mailscan21.yourhostingaccount.com with esmtp (Exim) id 1O4ev4-0004Gi-0P for [REDACTED — my email]; Wed, 21 Apr 2010 14:45:06 -0400
Received: from hairarts.sd.cn ((60.209.234.118)) by impinc02.yourhostingaccount.com with NO UCE id 8Jl11e04T2Zwaac02Jl43T; Wed, 21 Apr 2010 14:45:06 -0400
Received: from localhost (localhost (127.0.0.1)) by hairarts.sd.cn with SMTP id o3LIsDRx000737; Thu, 22 Apr 2010 02:54:13 +0800 (CST)
Received: X-SAFEMAILER-CHANNEL 212.178.122.124,10.0.0.2,info,SMTP,SERVICE@CIBC.COM,
Received: from User (atwork-124.r-212.178.122.atwork.nl (212.178.122.124)) (authenticated bits=0) by hairarts.sd.cn with ESMTP id o3LIrEnH000662; Thu, 22 Apr 2010 02:53:16 +0800 (CST)
X-En-Origip: [REDACTED - an IP address]
X-En-Impsid: 8Jl11e04T2Zwaac02Jl43T
Message-Id: 201004211853.o3LIrEnH000662@hairarts.sd.cn
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=NextPart000011E01C2A9A6.2F151E64"
X-Priority: 3
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Safemailer-Msgid0: o3LIrEnH000662 20100422
X-Safemailer-Msgid: o3LIrEnH000662 20100422
X-Safemailer-Channel: [REDACTED - more IP addresses],info,SMTP,SERVICE@CIBC.COM,25,
X-Safemailer-Fromip: [another IP address]

The key part would be the “message-id” header.

I do not have an account with CIBC (nothing personal), but I think this is something worth looking into. I did not send any information to be phished.

I will also forward the email.

Cheers, Nick

Where it says “JPG screenshot” in that email, I bolded it to emphasize that it was only a screenshot. Also, it was clearly from the same domain as the email I sent them.

Following this, I also forwarded them the original email.
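For anyone reading the headers quoted above, the useful facts for a responder are where the message actually entered the mail system (the bottom Received header) and whether the claimed sender domain appears anywhere in the relay path. The following is an added Python example, not part of the original post, that extracts those facts; its sample headers are reconstructed from the ones quoted above, with the redacted recipient replaced by a placeholder.

```python
import re

# Constructed sample: the From, Received and Message-Id headers quoted in the report above,
# redacted recipient replaced by a placeholder. Headers are listed newest hop first.
RAW_HEADERS = """\
From: SERVICE@CIBC.COM
Received: from impinc02.yourhostingaccount.com ((10.1.13.102) helo=impinc02.yourhostingaccount.com) by mailscan21.yourhostingaccount.com with esmtp (Exim) id 1O4ev4-0004Gi-0P for [REDACTED]; Wed, 21 Apr 2010 14:45:06 -0400
Received: from hairarts.sd.cn ((60.209.234.118)) by impinc02.yourhostingaccount.com with NO UCE id 8Jl11e04T2Zwaac02Jl43T; Wed, 21 Apr 2010 14:45:06 -0400
Received: from localhost (localhost (127.0.0.1)) by hairarts.sd.cn with SMTP id o3LIsDRx000737; Thu, 22 Apr 2010 02:54:13 +0800 (CST)
Received: from User (atwork-124.r-212.178.122.atwork.nl (212.178.122.124)) (authenticated bits=0) by hairarts.sd.cn with ESMTP id o3LIrEnH000662; Thu, 22 Apr 2010 02:53:16 +0800 (CST)
Message-Id: 201004211853.o3LIrEnH000662@hairarts.sd.cn
"""

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_received(raw):
    """One dict per Received header, in header order (newest hop first)."""
    hops = []
    for line in raw.splitlines():
        if not line.startswith("Received: from "):
            continue
        # Text before " by " describes the sending side; after it, the relay that logged the hop.
        head, _, tail = line.partition(" by ")
        ip = IPV4_RE.search(head)
        hops.append({
            "from": head.split()[2],            # name the sender announced (HELO)
            "ip": ip.group(0) if ip else None,  # address the relay actually saw
            "by": tail.split()[0],              # relay that wrote this header
            "authenticated": "(authenticated" in head,
        })
    return hops

def header_domain(raw, name):
    """Domain part of the address in a header such as From or Message-Id."""
    m = re.search(rf"^{name}:.*?@([\w.-]+)", raw, re.M | re.I)
    return m.group(1).lower() if m else None

def summarize(raw):
    """Entry hop (bottom Received header) and whether the claimed sender domain is in the path."""
    hops = parse_received(raw)
    claimed = header_domain(raw, "From")
    path_hosts = {h["from"].lower() for h in hops} | {h["by"].lower() for h in hops}
    return {
        "entry_hop": hops[-1],
        "claimed_domain": claimed,
        "message_id_domain": header_domain(raw, "Message-Id"),
        "claimed_domain_in_path": bool(claimed) and any(h == claimed or h.endswith("." + claimed) for h in path_hosts),
    }
```

On this sample the entry hop is an authenticated submission from 212.178.122.124 to hairarts.sd.cn, and no cibc.com host appears anywhere in the path, which is the mismatch the original report was trying to convey.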

This is the exchange of emails that followed:

On 2010-04-21, at 1:50 PM, Internet Identity wrote:

Hello Team, [I still don’t understand if they sent this to the entire company or if they sent it to me and thought I was named “Team”]

The following image is being used in a phishing attack against CIBC:

http://nickheer.com/go/xxxx [URL redacted — this image was clearly a sample screenshot, as indicated in the previous email. Also, it was a friggen jpg]

Please remove this image as soon as possible. We greatly appreciate your help.

Regards,


Security Incident Response Team
Internet Identity – on behalf of CIBC
Expert Phishing Prevention and Response
http://www.internetidentity.com
TEL: +1-253-590-4100, ext 0
FAX: +1-425-699-6597

Nick Heer wrote:

Hi,

I sent an email with a screenshot (that link) which showed what would happen if one were to visit the phishing link.

It is not a phishing attempt in of itself.

If you’d still like me to remove it, please let me know.
Nick

On 2010-04-21, at 2:20 PM, Internet Identity SIRT wrote:

Hi Nick,

The file is being used as a component of a phishing attack. [Note previous email where I explicitly stated it was not] Please remove it unless you are using it for legitimate purposes.

Best Regards,

Nick Summerlin
Fraud Analyst
Internet Identity
alert@internetidentity.com
+1(888)239-6932
+1(253)590-4100

Nick Heer wrote:

Hi Nick,

I was using it as a demonstration of a phishing attempt, not as a component of an attack.

That said, I can remove it if you wish.

Nick

On 2010-04-21, at 2:44 PM, Internet Identity SIRT wrote:

Steven, [At least get my name correct.]

CIBC is still requesting the file http://nickheer.com/go/xxxx to be removed. Please do remove the file.

Regards,


Security Incident Response Team
Internet Identity – on behalf of CIBC
Expert Phishing Prevention and Response
http://www.internetidentity.com

Nick Heer wrote:

Hi

The file is gone.

Nick [I added that emphasis in the email.]

I then asked if they needed any more information on the original phishing email (what I originally contacted them about). They replied that they didn’t. Since I fully complied with their removal request (despite how unnecessary it was), I anticipated the matter would go away.

I was wrong. This is the email I received at 9:28 PM from my web host:

Hello,

We would like to inform you that we have suspended your website because we have received a complaint from a third party that your website is hosting phishing content at the URL: http://nickheer.com/go/xxxx. It is against our Terms of Service.

It is our belief that someone either obtained your password and account login information, or uploaded this file through a vulnerable script. Please go through all of your files and remove any that you did not place there. If you find any files you cannot delete, you should send us a list so that we can delete them. Once you delete the hacked folder, you need to delete/secure all scripts on your account.

You need to remove all the phishing files using FTP. Please delete/secure all scripts and get back to us, so that we can revoke the suspension of your website.

Please reply to this e-mail with the requested information, so that we can assist you further.

Sincerely,

Rina Payne
Support Specialist

Obviously I’m not expecting my web host to be knowledgeable about the prior email exchange. Furthermore, note that the original email exchange occurred nearly 8 hours prior to CIBC contacting my web host.

Anyway, I emailed my web host back:

Hi Rina

This has resulted in a miscommunication from CIBC. Here’s what really happened:

I sent CIBC an email today containing a screenshot of a phishing URL. The phishing URL was not at nickheer.com; however, the screenshot to demonstrate to them the contents of that other site was located at that URL. I attempted to explain this; however, they assumed I was the one doing the phishing.

CIBC was confused about this and I complied with their request to remove the image, despite it not at all being a phishing attempt.

The image has been removed via FTP. My account has not been compromised.

I hope this clears things up. Please email me if you need more information.

Thank you,

Nick

I also sent the following email to CIBC’s fraud division. I was forced to send it via another email account, as my primary account was suspended.

To whom it may concern,

Early this afternoon, I sent an email to this address from my email account [REDACTED — my email]. I was reporting a phishing attempt sent via email.

In the email I sent to CIBC, I attached a screenshot (only a screenshot, in jpg format) of the phishing attempt, to demonstrate (only to demonstrate) what the attempt was, and where it was coming from. The attack was not located at nickheer.com. The only thing at nickheer.com was a screenshot of what the attack looked like, in order to provide more information to the CIBC fraud division.

The person who received my email either was confused as to what a screenshot was, or did not read my email thoroughly and was confused as to the phishing attempt. They assumed, incorrectly, that the screenshot I attached was the phishing attempt. Again, the screenshot was merely a demonstration of the attempt. They asked me to remove the screenshot from where it was hosted. I asked why, clarifying that it was only a screenshot and not the phishing attempt. They still did not understand. To avoid further confrontation, I removed the image from my web server.

Someone in the fraud division has now contacted my web host and has disabled my account there, reporting it as a phishing attempt, despite my repeated attempts to explain to CIBC that I have never, and will never, attempt such an attack. I now have to thoroughly explain my position, repeating the above in an attempt to reactivate my account, perhaps costing me business and definitely costing me time.

I would appreciate if someone in the CIBC fraud division could email abuse@fatcow-inc.com mentioning my website (nickheer.com) and clarifying that it was not a phishing attempt.

Thank you,

Nick Heer

I was quite offended at this point, as CIBC had now called me a criminal and forced the suspension of my web hosting.

I can’t post the reply I got from CIBC as it’s apparently confidential. However, they basically said they apologize, but also decided to give me one last kick. They mentioned that I should have emphasized it was a screenshot.

As mentioned, I don’t have an account with CIBC. Now, I likely will never open one there.