Our website would like to use cookies to store information on your computer. You may delete and block all cookies from this site, but parts of the site will not work as a result. Find out more about how we use cookies.

Login or Register

Powered by
Powered by Novacaster
Nationwide / CitiBank / Halifax Email scam
by Novacaster Administrator at 14:07 26/10/03 (Forum::Technical Advice::General)
Unless you're familiar with the way that web addresses ('URLs') work, at first sight the following email looks like a legitimate request from the Nationwide Building Society for you to supply them personal information about your account. But it isn't that at all...
Here's the email

Return-Path: <verify94@nationwide.co.uk>
Received: from ppp-67-119-107-10.dialup.snfc21.pacbell.net (ppp-67-119-107-10.dialup.snfc21.pacbell.net [])
by ***.***.co.uk (8.11.6/8.11.6) with SMTP id h9Q0DGu13645
for <***@****.co.uk>; Sun, 26 Oct 2003 01:13:20 +0100
Received: from derechoshumanos.com [] by ppp-67-119-107-10.dialup.snfc21.pacbell.net (Postfix) with ESMTP id 071960C0555A for <***@***.co.uk>; Sun, 26 Oct 2003 12:16:42 +0000
Date: Sun, 26 Oct 2003 12:16:42 +0000
From: Verification <verify94@nationwide.co.uk>
Subject: Nationwide E-mail Verification: ***@***.co.uk
To: *** <***@***.co.uk>
References: <4596BBA6CA07284B@***.co.uk>
In-Reply-To: <4596BBA6CA07284B@***.co.uk>
Message-ID: <F530E90AA5FF0EC4@nationwide.co.uk>
Reply-To: Verification <verify92@nationwide.co.uk>
Sender: Verification <verify110@nationwide.co.uk>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

Dear Nationwide Bank Member,

This email was sent by the Nationwide server to verify your e-mail
address. You must complete this process by clicking on the link
below and entering in the small window your Nationwide Customer
Number, Passnumber and Memorable Data.
This is done for your protection --- because some of our
members no longer have access to their email addresses and
we must verify it.

To verify your e-mail address and access your bank account,
click on the link below. If nothing happens when you click on the
link (or if you use AOL), copy and paste the link into
the address bar of your web browser.


Thank you for using Nationwide!

This automatic email sent to: ***@***.co.uk
Do not reply to this email.

(The actual recipient address and other private information has been masked with ***'s)

The key part to look at is the web address you're being invited to click:


Although this looks like you would go to the www.nationwide.co.uk site, in fact you wouldn't.

Website addresses or URLs, for certain legitimate uses, may be constructed like this:


... taking advantage of the fact that the Internet protocol allows for a URL to contain username and password credentials necessary to log in to a target website.

The target website is the string that immediately follows the first occurrence of the @ symbol in the URL.

So - if we take a look at the URL in the email we can see that it breaks down like this:


The 'username' portion is wwww.nationwide.co.uk, the 'password' bit is ac=H02qFTcX3X225ClF4JmK and that actual target site is the webserver at ShOrTwAy.To.

(.To is Tonga, by the way, and the username and password bits can be completely random - they don't have to relate to anything other than an attempt to misdirect you - in this case to make you think you're going to www.nationwide.co.uk when you aren't)

So someone at the ShOrTwAy.To website has set up a form that people who fall for this email scam may fill in with their secret account data - thereby giving the owners of that website direct access to their account, all the time assuming they've only sent their details to the building society itself.

If in doubt, always call the organisation purporting to be the originator of any particular email that requests you enter sensitive information into a website - especially if it's financially-related.

Remember, if you see a URL that is in the form:


Then the actual website you will be sending your browser to is the one *after* the first @ symbol.

We've had reports of these with Nationwide Building Society, Halifax Building Society and CitiBank pseudo-identities - there may be others.

Novacaster Community Admin

eBay Email Scam >>
View Comments (Threaded Mode) Printer Version
Nationwide / CitiBank / Halifax Email scam Novacaster Administrator - 14:07 26/10/03
Shortway.to Simon - 14:53 26/10/03
This is a webserver hosting service operated, apparently, by a Russion outfit. NB: This doesn't mean it's a Russian scam, just that whoever's running the scam is using a Russian web server to catch the clicks.
More examples Simon - 09:16 10/11/03

This URL will send requests to the webserver at:


(.RU is Russia)

Here comes another one.... Simon - 10:50 11/02/04

This one ends up on a server ( in Korea.


Re: here comes... Bruce Ure - 11:12 11/02/04

Yerp I had that one recently... cheeky buggers.


BBC Online story Simon - 21:26 24/02/04
MBNA are the latest to have someone run a phishing expedition against them:

story here