Urgently! MERRILL LYNCH BUSINESS CENTERk customers - check up system
By SpamBurner • Oct 25th, 2007 • Category: Finance SPAM, Fraud SPAM, Phishing SPAM
I've been on vacation for a few weeks. When I came back I found my mailboxes full of thousands of spam messages. Yes, I have a spam filter and it works… for most of them. I have 4 times more in my junk folder. Yes, it is an incredible amount of spam mail.
An interesting spam mail that came this morning was about the MERRILL LYNCH BUSINESS CENTERk customers, as the title might already suggest. Again, it is typical and obvious spam.
First, you might notice the title - there is one little “k” at the end of the word CENTER. It is the first thing that should raise our spam alarm. The email was sent from:
“Board of Directors of Merrill Lynch”
I suppose the Board of Directors will not write on behalf of securityteam@ml.com, will they?
First, let's see the full spam message:
Merrill Lynch Enhanced Security Authentication
We have enhanced the Merrill Lynch Business Center security access to further safeguard access to your account information. Click on the hyperlink below and follow the prompts to answer and record answers to five personalized security questions. We may, in the future, ask you for answers to these questions when you log into the Business Center to ensure that only you are accessing your account information.
By clicking the link below and/or by using the Merrill Lynch Business Center website (“site”), you:
Login by clicking here:
https://wcma.businesscenter.ml.com/
I. Represent and warrant that you are authorized to accept the Merrill Lynch Business Center Terms & Conditions and use the site on behalf of yourself and your employer and in doing so you are acting within the scope of your duties and
II. Accept the Merrill Lynch Business Center Terms & Conditions on behalf of yourself, agree to be bound by them.
Just that. No signature or anything saying at least “Thank you for your time”.
The spammer used the deceptive long-URL technique, so you might not notice that it is a fraud.
If we go over the link, we will see that it points to:
http://wcma.businesscenter.BCPrivate.asp92954375.WCMALoginEA.aspx.ucx43.us/WCMALogin.htm
If we split the URL, we will find that the main domain is: ucx43.us
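The split described above, as an added example that is not code from the original post: it takes the URL shown in the email and the URL the link points to, both quoted in this post, and reports the registered domain and the labels copied from the genuine host name. The function names and the short suffix set are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumption: a tiny hand-picked set of two-label public suffixes for this
# example. Real tooling should consult the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.kr"}

def host_of(url):
    """Lower-cased host name of a URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")

def registrable_domain(url):
    """Domain the owner registered: the rightmost labels of the host name."""
    labels = host_of(url).split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def check_link(shown_url, target_url):
    """Compare the URL shown in the mail with the URL the link points to."""
    shown, real = registrable_domain(shown_url), registrable_domain(target_url)
    findings = []
    if shown == real:
        return real, findings
    findings.append(f"text shows {shown}, link goes to {real}")
    # Labels left of the real domain that were copied from the genuine host
    sub = host_of(target_url)[: -len(real)].rstrip(".")
    genuine = set(host_of(shown_url).split("."))
    decoys = [label for label in sub.split(".") if label in genuine]
    if decoys:
        findings.append("decoy labels: " + ", ".join(decoys))
    if urlsplit(shown_url).scheme == "https" and urlsplit(target_url).scheme != "https":
        findings.append("shown as https, served over plain http")
    return real, findings

# The two URLs quoted in the post
SHOWN = "https://wcma.businesscenter.ml.com/"
TARGET = ("http://wcma.businesscenter.BCPrivate.asp92954375."
          "WCMALoginEA.aspx.ucx43.us/WCMALogin.htm")

if __name__ == "__main__":
    domain, findings = check_link(SHOWN, TARGET)
    print("registered domain:", domain)
    for finding in findings:
        print(" -", finding)
```

Only the rightmost labels identify who controls the host; everything to their left is chosen freely by the domain owner, which is why the familiar names can appear there.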
The domain is hosted in Kyonggi-do - Seoul - Krnic and was bought from REGISTER.COM.
Following the domain (ucx43.us), we will see that it leads to comcast.net.
At the moment of writing, the fraud page has been removed and the URL points to a parking page.
I will not go further on this spam. There is a lot of spam of this kind, and I have only depicted the important things that you have to pay attention to.
It is a classic example of spam aiming to steal private information. Always be suspicious of this kind of email. Do not trust blindly, but check the details.
