Massive Phishing Campaign Hits Multiple Email Services

nandemoari writes "It seems as if the massive phishing campaign reported yesterday was not specific to Hotmail, as was initially believed. According to a report by the BBC, many Gmail and Yahoo Mail accounts have also been compromised. Earthlink, Comcast, and AOL were also affected. While the source of the latest attacks has not been determined, many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail. Microsoft has done their part in blocking all known hijacked Hotmail accounts and created tools to help users who had lost control of their email. An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.' On their end, Google responded to the attacks by forcing password resets on the affected accounts."

Wow!

[Anonymous Coward]

An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.'

That's amazing. I've got the same combination on my luggage.

Re:

[Anonymous Coward]

lol

But seriously, what kind of chickenshit mail server policy even allows that password in the first place?

OH... hotmail.. enough said...

Re:

[conureman]

There not being a whole lot to lose (or any porn that would get me in trouble ;), if my shit gets compromised, I use the same password on everything. (eight letter word, YMMV) Of course, I'm not afraid to format the HDD and re-install the OS when my foolishness catches up with me, and I DO protect my router,as well. The only thing I worry about is if my node became a SPAMBot, but I check my traffic periodically to avoid that.(Ain't happened yet, but I've had to fix my friend's boxes a few times). I do have

Re:

[blackest_k]

problem here is when your account gets hacked your contacts list gets emailed and your contacts get phished. I had two emails the other week supposed to be sent from friends account to see if i was blocked on msn by them. first thing it wanted was my hotmail account and password.

I'm not stupid enough to fall for that but I know people (obviously) who are and might trust an email which appears to come from someone they trust.

Re:

[conureman]

Not that I'm completely antisocial, but I do not and never have had a contacts list. The only email I receive is from my son's school, and I never click on any unsolicited e-mail. I don't frequent commercial websites either, except for news, and if they give me unwanted popunders they get blocked at the router. I mainly surf on USDA and Forest Service sites, and some Canadian and British Columbia government sites. I seldom encounter problems. I actually average about three SPAM E-mails per month, so it's no

Re:

[blackest_k]

I'm a little puzzled, I think we are perhaps divided by a common language. My contacts list is a list of known email contacts with names and associated email address stored within my email program. I remember my friend and families names not their email address so when I want to email them I use their name and the software offers the email address associated with them.

If there are two or more people you email I would consider that a list , perhaps a short one of contacts.
I think you must be pretty rare as s

Re:

[conureman]

I grew up in Livermore, California, and developed a deep appreciation for life-giving shade. I am trying to learn what it takes to create a viable environment for life, in the face of urban obstacles &c. The hippies are calling it "sustainability", I'm just trying to set up an environment for my grandchildren, and the salmon that depend on my little hectare of Canadian watershed. No, it isn't work related, I am a tree geek.

Re:

[tomhudson]

My question is "why are they storing email passwords in plaintext"?

Of course, they're probably not, just comparing the hash values of $usr_pw" and "12345", but that is also the most common password on voice email boxes.

One guy up here was convicted - TWICE - for "hacking" into police detectives' voicemail by just randomly dialing extensions, and entering "12345". You'd think after the first conviction, the cops would, you knw, CHANGE THEIR FRIGGING PASSWORDS. Even 38258 (FUCK U) would have been bette

Re:

[netsharc]

The passwords are in plain text because the script kiddies phished them, and that's the list that got leaked.

Re:RTFA

[conureman]

According to TFA,these were collected by phishing. OTOH 12345 could be "brute forced" by mere human guess-work. sheesh. My eight letter password could be brute-forced by machine in very short order, but it's all relative.

Re:

[eihab]

On a side note, try dialing numbers like 1-800-F**K-OFF. Last time we checked (party, late at night) they were assigned.

It could have been any of the following (or more):

1800-dual-Ned
1800-dual-med
1800-dual-nee
1800-dual-odd
1800-dual-ode
1800-dual-off

Courtesy of http://www.phonespell.org/ [phonespell.org]

Re:

[shentino]

What I don't like is being forced to jump through hoops to remember a password.

Recently gmail disallowed passwords shorter than 8 characters, and as a result I had to memorize some funky 14-digit number

Re:

[clone53421]

gmail disallowed passwords shorter than 8 characters
and as a result I had to memorize some funky 14-digit number

I fail to see the line of reasoning that prevented you from choosing an 8-character password.

Re:

[Anonymous Coward]

Saved by 123456!

Take that haxor!

Remind me

[Dareth]

"Remind me to change the password on my luggage!"

Re:Wow!

[jpmorgan]

I'm sure most /.ers actually filled that part in mentally when they read the summary.

Re:

[Havokmon]

So he top posted. How appropriate.

Re:

[Mister Whirly]

No, real geeks use 11000000111001 (12345 in binary for you non-geeks)



There are 10 types of people in this world - people who use this lame joke, and people who don't.

Re:

[shentino]

So the empty string wouldn't be valid?

Re:Wow!

[clone53421]

From the blog of the guy who actually did the research [acunetix.com], I'm deducing that those probably weren't valid password.

An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin.

...Even more, the phishing kit used most probably was badly designed, since it was one that didnâ(TM)t further authenticated the users to the Hotmail/Live website. I think it just returned an error message after grabbing the credentials.

  * The list initially contained 10,028 entries.
  * After I've cleaned up the list, like removing entries without a password, I had 9843 valid entries (passwords).
  * There are 8931 (90%) unique passwords in the list.
  * The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
  * The shortest password was 1 char long : )

In other words, the phishing scheme didn't bother to verify that the passwords were any good. Heck, it didn't even verify that a password was entered (he did say he cleared out all the username/no password entries). Not surprisingly, it also didn't make sure the password was of the proper length to be valid (this would have kicked out all the empty string passwords anyway).

tl;dr: dumb people clicked the phishing link and entered their passwords. Smart people clicked the link and entered garbage. Garbage = bad data, which is what he ended up finding. (Seriously... I'm sure there are other people here who would knowingly go to the phishing page and deliberately enter garbage just to screw with the dicks who are trying to scam accounts.)

Re:

[conureman]

There is a friend of mine who shall remain nameless. About ten years ago, he would trace each SPAM that arrived in his mail server, and contact the ISP admin to report the abuse, and demand action to curb it. Ah, the good old days...

HA! My password is 123456

[objekt]

With an extra digit for security! ;-)

I have a real programmer's password

[Biff Stu]

012345

Re:

[93 Escort Wagon]

012345

That's why Microsoft thought "12345" was a reasonably secure password - they figured most hacking and phishing attacks would be coming from Linux or BSD boxes, so those people would never think of starting to count with a "1".

Re:

[DarthVain]

Don't you mean: 11000000111001 or 3039

Re:

[noidentity]

And I have a real C programmer's password:

012345&*M%HJOJNVFGPLkoPWHJrcp,k0cY$PO JO9 P[-97 YTJJY93528 [SIGSEGV detected]

Re:Preaching to the church

[TheRaven64]

For your example, you might consider using a park that has some significance to you and capitalise the proper nouns, and numbers that actually make sense, to get something that is easier to remember. For example:

'Ten minutes to Central Park, and eat pretzels' becomes 10mtCP,&ep, which is trivial to remember for you (well, it is if you live ten minutes from Central Park and like pretzels). Keeping the punctuation in doesn't make it any harder to remember but adds another non-alphnumeric character. And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember, turns in to a ten symbol password, containing letters (upper and lowercase) and punctuation, which is incredibly difficult to brute force.

Re:Preaching to the church

[clone53421]

And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember,

Real grammar nazis also know that it wasn't a sentence.

Re:

[Anonymous Coward]

Real grammar nazis also know that it wasn't a sentence.

I love you. Will you marry an anonymous coward?

Re:

[clone53421]

Your Relationship with Anonymous Coward (666)
Sorry, this is not an option.

Doesn't look like it [slashdot.org]. Sorry.

Re:

[Romancer]

This is all well and good until you happen upon a website, network, or system that hasn't thought to allow all special characters in the password field. This is the other side of password theory that admins don't get. If you want really secure passwords, don't limit what they can be made of. Some don't allow or keep uppercase, some don't allow non alphanumeric characters. So your password must be slightly different than you would make by default and therefore remember on the first try after a while not usin

Re:

[TheRaven64]

With the Psion Series 3, you could enter characters by their ASCII code (no unicode, this was 1993) by holding down a modifier. I thought this would be great for a password; no one would ever guess that they had to hold down a modifier while entering some digits in the middle of the password. It turned out that the password entry box in the settings pane did, indeed, allow this kind of thing. Unfortunately, the first time I locked the device afterwards, I discovered that the password entry box for unlock

Re:

[Drakkenmensch]

This short sentence, which anyone can remember, turns in to a ten symbol password, containing letters (upper and lowercase) and punctuation, which is incredibly difficult to brute force.

I'm personally a fan of made-up words that have asolutely zero significance to anyone but me.

Re:

[TheRaven64]

Then you change your password, obviously...

Re:

[Jaguar777]

If this becomes standard practice I predict the new common password will be "The quick brown fox jumps over the lazy dog".

Re:

[neurovish]

I know I'm preaching to the church but a good way to make a password is to make up a sentence and take each first letter, convert some to capitals and numbers and you will never ever forget it.

It is like a walk in the park. iilawitp iiLawitp iiL4wi7p voila!

...or you could just use "It is like a walk in the park." and have something that couldn't be bruteforced in a few hours.

Re:

[crunch_ca]

From the FA, the longest password hacked was: "lafaroleratropezoooooooooooooo" (30 characters).

This was a phishing attack. The strength of the password didn't matter.

The article talks about analysis of password data and doesn't really point out anything we didn't know already.

Re:HA! My password is 123456

[ballpoint]

Mine is 123455. I have appended a checksum digit to make sure I don't enter a wrong password by mistake.

12345?

[Zortrium]

That's the kind of thing an idiot would have on his luggage!

Re:

[FJGreer]

But that's what's on my luggage!

Strong password

[war4peace]

See, that's why they got their accounts hacked. I use 67890 on all my accounts so I'm sure they'll never get hacked :)

Stronger password

[wsanders]

As a hypothetical, since length is really what matters, I wonder how long it would take before something like

01234567890123 or even 0123456789

would get guessed?

My experience is that short passwords (less than 7 chars) are the ones that get guessed, even if they are "good" ones that have a mix of letters, number, and punctuation.

Re:

[jonbryce]

If Microsoft use NTLM hashes on their server, then even 14 characters won't be good enough.

much hype on this story

[ei4anb]

for which definition of many?

$ grep gmail pwd.txt | wc -l
25

Re:

[Xtifr]

Yes, but overly specific to grep. "|wc -l" works with all sorts of commands, so it's often easier to stick with the most general solution, rather than trying to learn which specific commands have unnecessary, redundant features, unless performance is actually an issue. I often start with grep, and then realize that I've got to reduce the noise and mis-hits by extracting the fields I need with sed or some other tool, which is why I rarely bother to even remember that grep even has a "-c" option.

I don't know....

[Random2]

This all sounds a bit....phishy to me.

Where are the details?

[Kadin2048]

All of the stories seem to be very short on details. How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link? Or was it DNS forgery or something more subtle?

Everyone is reporting that it was a particularly big haul for a phishing campaign, but nobody seems to be reporting what the deal was, or why this was more successful than your typical, run-of-the-mill phishing attack.

Re:

[royallthefourth]

That's all very interesting stuff, but even more importantly: how do I know if I've been affected?

Re:Where are the details?

[John Hasler]

> ...how do I know if I've been affected?

Are you a fool? If not you are ok.

Re:Where are the details?

[royallthefourth]

> ...how do I know if I've been affected?

Are you a fool? If not you are ok.

If the source is something like DNS poisoning, then it's not that simple. I already know my ISP to be a bunch of fools, but I have little choice in that matter.

Re:

[John Hasler]

The articles make it pretty clear that the sources are phishing attacks. In any case, though, the victim has to have used the same password for a Webmail account and a valuable one such as a bank account in order to be at risk of significant loss. In other words, be a fool.

Re:

[John Hasler]

> How many banks (and other online services) reset their account passwords by
> sending a link to your primary email account?

Only a fool relies on free webmail for important things such as communicating with banks, and only a fool does business over the Net with banks so incompetent as to email such links.

> 0wn the email, 0wn the person (all too often).

Which is why free webmail is not suitable for anything important.

Re:

[MeBot]

Your advice is not helpful. What percentage of fools think they are fools?

Re:

[swanzilla]

Your advice is not helpful. What percentage of fools think they are fools?

Approximately 12345 out of 123456.

Re:

[Dan541]

Only 8.1% ?

Re:Where are the details?

[jim_v2000]

Ah, but only a great fool would fall for such an attack, and I am no great fool, so clearly I cannot click the link. But you must know that I am no great fool and thus I cannot not click the link....

Re:

[Jeng]

It was an email saying that ones inbox was too full and to reply with username and password to have the limit increased.

Re:Where are the details?

[CrossChris]

How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link?

It's trivially easy - remember, the affected fools were Windows "users". There was a huge spam campaign that sent mails that appeared to a casual glance, to come from Hotmail. The mails asked users to log in to "Hotmail" using a convenient link in the email, because their account would soon "time out" if it was not used. When they logged in to the spurious website, they were thanked for their prompt action, and then advised to log out and restart their browser "for security", and then to log in to Hotmail again (which, of course, would work normally).

There's one born every minute.....

Re:

[jc42]

The mails asked users to log in to "Hotmail" using a convenient link in the email, because their account would soon "time out" if it was not used.

Yeah, and I've been getting phishing messages like that for several years now, at all of my email accounts. So why is it suddenly a big story? Did the MSM reporters just now discover this kind of attack? Or maybe there has been a huge increase in the incidence recently? Or maybe someone at /. just learned about what's been going on for years? I haven't notice

Re:

[maxwells_deamon]

From one article which was poorly written I think the plan was this:

1) From broken email account send to known email connections a note asking to visit cool shopping site
2) Victim goes to site and keylogger is installed
3) Sniff userid/password
4) Go to step 1

Not much actual phishing here but the article was poorly written and there were hints that they did not really know what was going on, they were just looking at list of broken accounts.

Re:Where are the details?

[vanyel]

Saturday, the small ISP I work for had about 1000 users targeting with phishing emails. It's becoming a nearly weekly occurrence, though that was the largest so far. I've had to setup scripts to scan the logs to see who got the messages, send them warning messages, then scan the logs again to see who replied and reset their passwords. In one case, we had a spammer using a responder's account to try to send spam within 2 hours of the response. Squirrelmail is the most common vector, with smtp auth not uncommon. I've had to impose strict rate limit controls on squirrelmail to keep from getting blacklisted all the time; I've got monitors to page me when smtp auth rates get too high, but the false positive rate is to high to impose hard limits at the moment, though we're heading in that direction.

BTW, it's not a good idea to respond to phishers with "F! off" etc: more than one responder doing that has found their address used shortly thereafter in the From of the next round of spam...

Re:

[Havokmon]

All of the stories seem to be very short on details. How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link? Or was it DNS forgery or something more subtle?

Everyone is reporting that it was a particularly big haul for a phishing campaign, but nobody seems to be reporting what the deal was, or why this was more successful than your typical, run-of-the-mill phishing attack.

I run an email service, and regularly get emails like this:

From: Support@MyService
Subject: Service Upgrade

Please send your password so we can migrate your account to our new servers..

Everytime it happens I block the sender and recipient addresses, and grep the logs to verify nobody fell for it. If I'm quick enough, it doesn't matter, but people have fallen for it before I see the fake email.

Rick

Google Services phishing link

[Xelios]

This might be related [rvdh.ath.cx], seems you can generate emails that appear to come from Google's own mail servers by altering a regular old URL. From there it's a short step to include a phishing site in the body of the email asking the user to verify his account details, or whatever. Maybe other webmail services have similar links.

I saw the Hotmail version of this phishing mail yesterday, it looks like it comes from an @live.ca address and asks the receiver to verify his account details at a link included in the

Ban them.

[Magrovsky]

People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves. Alternatively, maybe the webmail providers should set more strict rules for the passwords.

Re:Ban them.

[Killer Orca]

People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves. Alternatively, maybe the webmail providers should set more strict rules for the passwords.

Hey I play with my purple internet buddy each time I go on the computer and have never hurt myself or anyone else!

Re:Ban them.

[ibsteve2u]

People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves.

Didn't they use to call that "AOL"?

Re:

[rocketPack]

Something tells me that the majority of these accounts were probably never really used. They are probably throw-away emails, created to get that "One day free pass" to various porn sites, or as general spam-traps.

I think it ought to be policy that derelict accounts, ESPECIALLY those which have weak passwords, be 'locked' after a period of inactivity. Reactivation could be accomplished with, say, a series of difficult CAPTCHAs so the account is always able to be 'revived' but not hijacked like this.

It just

Re:

[CCFreak2K]

As AC put it earlier (and got a 0 for it), phishing means everyone listed actually used their e-mail accounts at the time. What you're thinking of is if the databases of these services were somehow cracked...which is not the case.

Re:

[ignavus]

But the problem wasn't their passwords. The problem was that they clicked on a bad link, went to a dangerous site, and typed in their password.

Their password could have been the most ueber-elite 32 unicode-character password containing symbols from 5 different writing systems. It wouldn't have mattered.

Give a technological idiot a perfect password, and they will hand it over to the first social engineering attack they meet.

Re:

[Jeng]

Which then forces you to make a password specific for that login, which of course will not be remembered.

What I don't get...

[mrbene]

Is why it's a "leak" if phishing was the method used to acquire the list. Or why it's still referred to as a "bug". Some sort of bug in the Human OS, right near the gullibility logic loop?

Re:

[John Hasler]

> The fact that it's a free email account shouldn't mean you're allowed to set
> your password to *anything* you want.

And one of the things you should not be able to set it to is anything anyone else has already used. In other words, on these systems passwords should be unique.

Re:

[SnowZero]

Completely agree about the gullibility logic loop, but I consider it a (design) bug that such weak passwords are allowed.

If the data is obtained via phishing, it doesn't matter how strong the passwords are.

The fact that it's a free email account shouldn't mean you're allowed to set your password to *anything* you want. If anything, the fact that it's free is a better argument that the users should have to accept setting stronger passwords as a condition.

We don't have evidence that the short passwords are actually valid ones for the email services; the file was just a dump of what people entered into the phishing site. Some entries surely are valid, but some will just be deliberate garbage or accidental; my guess is that ")" falls into the latter category.

It's a Phisher, Not a Bug

[Rary]

...many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail.

Phishing is not a "bug". A bug would mean this was some Microsoft developer's fault. There is nothing a developer can do to prevent someone from conning someone else into giving up their password.

Re:

[jonbryce]

Their spam filter could do a better job of catching emails that puportedly come from Microsoft but didn't go from their servers.

PC Pro Got It Wrong (Slightly)

[Rary]

The PC Pro article linked to in the summary misquoted its own source. It claims that "12345" is the most common password, however the source it links to actually shows "123456" as the most common password. "12345" doesn't even make the list.

There really aren't that many users using those "common" passwords. Only 82 users use the top two passwords, which make up only 0.8% of all the passwords in the list. Only 1.56% of the accounts used a top-10 password.

The rest of the information at the Acunetix link is qu

Re:

[clone53421]

I wonder how many of the phished credentials were users with a clue entering bogus credentials just to fuck with whoever was trying to scam accounts. It doesn't appear that the phishing page tried to verify that the passwords were valid (much less correct).

31415

[bzzfzz]

News Flash: 10,000 Slashdot accounts compromised in phishing scam. Most common passwords were 31415 and 0xdecafbad.

Affected users have been placed on an isolated network where they can't do anything but post whinges about Microsoft and Apple to a web server that runs SSL using a self-signed certificate and actually follows the RFCs.

Re:

[neurovish]

News Flash: 10,000 Slashdot accounts compromised in phishing scam. Most common passwords were 31415 and 0xdecafbad.

Affected users have been placed on an isolated network where they can't do anything but post whinges about Microsoft and Apple to a web server that runs SSL using a self-signed certificate and actually follows the RFCs.

The slashdot crowd is supposed to be very US centric though...we would never "whinge" about anything.

Re:

[LanMan04]

Don't forget 0xdeadbeef!

Re:

[EkriirkE]

That's 0xbadf00d

Re:

[Karellen]

There's a version of /. that only contains the interesting stories and actually follows the RFCs?!? How do I sign up without changing my passphrase to something less than 40 characters?

No appreciation for the classics...

[neurovish]

Where are "sex", "secret", and "god"? Even love only makes a cameo at #17 in "iloveyou"

Re:

[Ksevio]

Probably stopped my minimum password lengths.

Re:

[carp3_noct3m]

Someones Hacking the Gibson! ---Ok my buddies are gonna hang me for that one...

Let's over-react, shall we?

[Mesa MIke]

Perhaps this is the reason that sometime during lunch, my employer (A well known NNSA National Laboratory in New Mexico) blocked access to all things Google, including Gmail, Blogspot, and the Google search engine itself?

Re:

[clone53421]

You caught "knew" but missed "too" and "it's really fucking stupid to post your e-mail address in the clear".

In other words, whoosh.

Re:

[clone53421]

I know gmail has amazing spam filters, but even I wouldn't tempt fate like that.

Re:

[tanguyr]

I know gmail has amazing spam filters, but even I wouldn't tempt fate like that.

I've had slashdot display my email address in clear text in every comment i've made here for years now. I've never received any mail to tanguyr+slashdot@gmail.com (gmail lets you add a "+whatever" to your email), and i very rarely get a spam message in my inbox. These days, with so much email being spam, i don't think that being coy about your email address is really a valid strategy anymore. You've got to give it out to use it, and who knows what the heck the people you give it out to are doing with it?

Re:

[Teun]

Which tells me there is an unusual number of Latino users among the 10K.

Re:

[clone53421]

Baloney. Everyone knows the most commonly used password is "password1".

Re:

[jonbryce]

You should use something like P@55W0rd. Then nobody will guess it.

Re:

[am 2k]

D) They only had the hash values and used a dictionary attack on them. That's kinda the point why those passwords are weak after all.

Re:

[El_Oscuro]

That only works if the hash isn't salted. I hope Microsoft isn't dumb enough to use unsalted hashes. If you use the userid or even better, some non-public part of the account as the salt, it is impossible. Of course, if use you a password like "password" or the combination to some idiots luggage like "12345", then one really doesn't need the hash, now do they?

Re:

[4D6963]

Huh??? I thought that was collected by phishing? Yeah, sorry for getting in the way of your ritual MS bashing, but it's something that can affect any service since it's essentially social engineering. Kind of.

Re:

[clone53421]

As AC said, Einstein's name isn't English. It's German, and in German you can have either IE or EI, but either one always sounds like the long vowel sound of the 2nd letter. Thus "Einstein" has a long I sound for both EI sounds (whereas in "Sie", you have the long E sound).

Fake URLs, DNS spoofing shouldn't matter

[wsanders]

The point to get across is that no (reputable) service or agency will ever, ever send you an email asking you to fill in and email back ANYTHING anymore.

If I were to ever get a legitimate email from my bank or credit card asking for personal information, I would call them as ask them WTF they were doing.

My estimate is that your average stupid phishing victim is just as likely to reply with their personal information regardless of whether the email is obviously fake.

Re:

[Talennor]

My bank, utility providers, and lots more send me emails with information related to my account in them. They pretend to be more secure by not specifically mentioning the account or asking for my password.

However, they usually provide a link to their website in the email! On the other end of that link they DO ask for your password. I never click that link no matter how legitimate it looks. You should use your own bookmarks to type the URL to their homepage yourself.

Re:

[the_womble]

My wife once got an email from the bank about a credit card fraud, with a number to phone them on.

I told her to phone the number we had and ask to be transfered to the fraud department.

Re:

[clone53421]

However, the scary thing is what happens if these people figure a way to "scoop" or "fraud" (whatever) the URL displayed on bottom of my browser window and in the address bar?

Only if your e-mail reader enables Javascript in HTML e-mails... and if so, GET A DIFFERENT ONE.