
Comodo has detected a new Wells Fargo scam email that appears to be sent via a server in United States.


The email contains a clickable company logo, which directs the user to the Wells Fargo official website. The links on the page are legitimate—except for one in the body of the text: “please follow the link below and fill in the necessary fields.” While the URL appears legitimate, the hyperlink is not: (http://www.bidsman.com/chat/templates/wellsfargo/wells-account-update-info/trust-update-paymnet-account-wells-info/wells%20fargo-account-update-naw-lls/lls-naw-update-wells-info/index.html).

The “bidsman.com” domain is not blacklisted, which means it hasn’t been classified as a known threat, but because of its behavior the domain cannot be trusted.

The complete URL is not active at this time, but Comodo’s Antispam Lab has learned that the site is a spoof of the legitimate Wells Fargo login page.

The likely intention here is to forge Wells Fargo accounts in a nefarious effort to collect credit card and billing information. The instructions ask users to submit their username or Social Security number in addition to their password. The user sees the message as having been sent from “Service Wells Fargo,” but the email is actually sent from “host26christianwebhost.com,” and the IP address of that domain appears blacklisted.
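The core trick in this message is a link whose visible text shows the bank’s URL while its href points at another host. The following Python script, added here as an illustration and not part of Comodo’s analysis, parses an HTML email body and flags exactly that mismatch; the SAMPLE_EMAIL is a constructed fragment modelled on the message (shortened path, not the real landing page).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of a URL, lower-cased, with any leading 'www.' dropped."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_deceptive_links(html_body):
    """(visible text, href) pairs where the text looks like a URL but the
    href points at a different host, the trick used in the message above."""
    collector = _LinkCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.links:
        if not text.lower().startswith(("http://", "https://", "www.")):
            continue  # link text is not a URL, so there is nothing to compare
        if host_of(text) != host_of(href):
            flagged.append((text, href))
    return flagged

# Constructed sample modelled on the message above: a genuine logo link,
# then a link whose text shows the bank's URL but whose href does not.
SAMPLE_EMAIL = """
<a href="https://www.wellsfargo.com/"><img alt="Wells Fargo" src="logo.png"></a>
<p>please follow the link bellow and fill in the necessary fields:</p>
<a href="http://www.bidsman.com/chat/templates/wellsfargo/index.html">https://www.wellsfargo.com/</a>
"""
```

The logo link passes because its text is an image, not a URL; only the “follow the link below” anchor is reported, which is the indicator a mail filter or analyst would act on.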

The message reads as follows:

Dear customers:

Wells Fargo is constantly working to increase security for all Online Banking users. To ensure the integrity of our online payment system, we periodically review accounts.

Your account might be place on restricted status. Restricted accounts continue to receive payments, but they are limited in their ability to send or withdraw funds.

To lift up this restriction, you need to login into your account (with your username or SSN and your password), then you have to complete our verification process. You must confirm your credit card details and your billing information as well. All restricted accounts have their billing information unconfirmed, meaning that you may no longer send money from your account until you have updated your billing information on file.

To initiate the billing update confirmation process, please follow the link bellow and fill in the necessary fields:

https://www.wellsfargo.com/

Thank you,

Wells Fargo – Online Banking

The message redirects the user to “http://www.bidsman.com/chat/templates/wellsfargo/wells-account-update-info/trust-update-paymnet-account-wells-info/wells%20fargo-account-update-naw-lls/lls-naw-update-wells-info/index.html” which initiates the following process:

1. The user is redirected to a fake Wells Fargo login page
2. Any and all user credentials, including erroneous account information, will lead to an extended loading process
3. Users are then requested to update their credit card and billing information

Wells Fargo urges its users to report suspect emails:

To minimize such attacks, Wells Fargo clearly says not to click links, open attachments or respond to emails from unknown or suspicious senders. If you receive a suspicious email, forward it to the bank.
