How to understand this "phishing" mail?

on 16.03.2007 01:45:04 by dfox138

Lately I received a number of (phishing) mails from a bank asking for
confirmation. In the message, there was a URL:

https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1&F21=IB&F22=ClientSign&LANG=EN

However, when I moved my mouse pointer to the beginning on the URL, at
the bottom of the screen, it showed the following instead.

http://163.23.70.201/http/www1.royalbank.com/cgi-bin/rbaccess/F21=IB&F22=ClientSign&LANG=EN/

First of all, the link seems not using SSL (http instead of https).
Secondly, when I pinged 163.23.70.201, there was no response.

I hesitate to click on the https:// link.

Could someone help me understand what is it all about? Any info is
much appreciated.

A Monk

Re: How to understand this "phishing" mail?

on 16.03.2007 05:29:28 by Neil W Rickert

"a_monk" writes:

>Lately I received a number of (phishing) mails from a bank asking for
>confirmation. In the message, there was a URL:

They were not from the bank. They pretended to be from the bank.

>https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1&F21=IB&F22=ClientSign&LANG=EN

That was probably a genuine link to Royal Bank of Canada (which owns
the domain "royalbank.com").

>However, when I moved my mouse pointer to the beginning on the URL, at
>the bottom of the screen, it showed the following instead.

>http://163.23.70.201/http/www1.royalbank.com/cgi-bin/rbaccess/F21=IB&F22=ClientSign&LANG=EN/

That was the phish url.

In html, you can use



The scammer sets the link to follow to his domain, but the display
information to be the actual bank link.

>First of all, the link seems not using SSL (http instead of https).
>Secondly, when I pinged 163.23.70.201, there was no response.

It's in Taiwan. Maybe it was down, or maybe it was blocking ping.

>I hesitate to click on the https:// link.

It is usually safe as long as you don't enter any data, and don't
accept any download files. But there isn't any point in clicking
unless you are investigating the phish.

>Could someone help me understand what is it all about? Any info is
>much appreciated.

If they can trick you into entering data such as account number and
network password for your bank account, then they can use that to
steal money from your account.
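
Added example, not part of the original posts: a small auditor for the trick described above, where an anchor's visible text shows one URL while its `href` points elsewhere. The names `AnchorCollector` and `audit_links` and the finding labels are hypothetical, and the sample HTML is constructed from abbreviated forms of the two URLs quoted in the thread.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_links(html):
    """Return (href, shown_text, findings) for anchors whose text misrepresents the target."""
    collector = AnchorCollector()
    collector.feed(html)
    report = []
    for href, shown in collector.links:
        target, display = urlsplit(href), urlsplit(shown)
        findings = []
        if display.hostname and display.hostname != target.hostname:
            findings.append("host-mismatch")          # text names a different host
        if display.scheme == "https" and target.scheme != "https":
            findings.append("https-shown-but-not-used")
        if target.hostname and is_ip_literal(target.hostname):
            findings.append("ip-literal-host")        # raw IP instead of a domain
        if findings:
            report.append((href, shown, findings))
    return report

# Constructed sample: a deceptive anchor, then an honest one that must not be flagged.
SAMPLE = ('<a href="http://163.23.70.201/http/www1.royalbank.com/cgi-bin/rbaccess/">'
          'https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1</a> '
          '<a href="https://www1.royalbank.com/">https://www1.royalbank.com/</a>')
```

Anchors whose visible text is not a full URL (for example "Sign in") produce no host-mismatch finding, so this check complements rather than replaces inspection of the `href` itself.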

Re: How to understand this "phishing" mail?

on 16.03.2007 14:09:41 by dfox138

On Mar 16, 12:29 am, Neil W Rickert wrote:
> "a_monk" writes:
> >Lately I received a number of (phishing) mails from a bank asking for
> >confirmation. In the message, there was a URL:
>
> They were not from the bank. They pretended to be from the bank.
>
> >https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1&F21=IB&F22=...
>
> That was probably a genuine link to Royal Bank of Canada (which owns
> the domain "royalbank.com").
>
> >However, when I moved my mouse pointer to the beginning on the URL, at
> >the bottom of the screen, it showed the following instead.
> >http://163.23.70.201/http/www1.royalbank.com/cgi-bin/rbaccess/F21=IB&...
>
> That was the phish url.
>
> In html, you can use
>
>
>
> The scammer sets the link to follow to his domain, but the display
> information to be the actual bank link.
>
> >First of all, the link seems not using SSL (http instead of https).
> >Secondly, when I pinged 163.23.70.201, there was no response.
>
> It's in Taiwan. Maybe it was down, or maybe it was blocking ping.
>
> >I hesitate to click on the https:// link.
>
> It is usually safe as long as you don't enter any data, and don't
> accept any download files. But there isn't any point in clicking
> unless you are investigating the phish.
>
> >Could someone help me understand what is it all about? Any info is
> >much appreciated.
>
> If they can trick you into entering data such as account number and
> network password for your bank account, then they can use that to
> steal money from your account.

Many many thanks for the detailed explanation.

Warmest regards,

A Monk

Re: How to understand this "phishing" mail?

on 17.03.2007 16:02:13 by unruh

"a_monk" writes:

>Lately I received a number of (phishing) mails from a bank asking for
>confirmation. In the message, there was a URL:

As you notice, they are NOT from a bank. They are from someone posing as a
bank. That is why this is called phishing. They are dangling nice looking
bait (the bank request) hoping you will bite.


>https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1&F21=IB&F22=ClientSign&LANG=EN

>However, when I moved my mouse pointer to the beginning on the URL, at
>the bottom of the screen, it showed the following instead.

>http://163.23.70.201/http/www1.royalbank.com/cgi-bin/rbaccess/F21=IB&F22=ClientSign&LANG=EN/

Yes, they are NOT the bank. They are someone trying to get your bank
information, including your password, in hopes they can help you empty your
account.


>First of all, the link seems not using SSL (http instead of https).
>Secondly, when I pinged 163.23.70.201, there was no response.

>I hesitate to click on the https:// link.

Yes, I would hesitate as well. In fact I would not only hesitate, I would
refuse. And I would remember that banks do not send out this type of email.



>Could someone help me understand what is it all about? Any info is
>much appreciated.

Sure. Fill out the web page and watch your savings shrink.
Or just erase the email and remember how you almost got caught.


>A Monk