Zyra's website //// Very //// Phishing Attacks //// Site Index Pink Very

email from Very?

No! It's a scam! Spam telling you to "Verify Your Account". Don't be silly!

If you receive an email which says it's from "Very" and is signed by the dubious job title of "Security Advisor", you've probably just received a phishing attack e-mail. Now the thing is, even though the message has convincing-looking pink logos and guff, it is not from Very! Besides the fact that Very don't send you silly messages asking for your security information, it's also most likely to have come in to the wrong email address. Surely you use a quite different address for each company?

Anyway, the message is largely an attempt by bogus people to acquire your personal info. If you are silly enough to be caught out by such a scam, and you give away your e-mail address, password, postcode, and date of birth, crooks can pretend to be you (see identity theft). As well as being able to log into your account at Very and order things which you have to pay for, they can also use the info to do various other unfortunate things.

Don't let them get away with it!

Anyway, here's the bogus Very message, and after it, some clues on how to crack this racket...

[broken image]

----- Original Message -----
From: Very.co.uk
To: Zyra
Sent: Tuesday, October 18, 2011 8:50 PM
Subject: ACCOUNT UPDATE !

Dear Customer,

Your Very.co.uk account information is incomplete. We recommend that you update your very account account for security reasons and to avoid limitation on your online shopping account.

Download and open the attachment in this mail and follow the direction to update your account.

Security Advisor
Very.co.uk

Attachment: "Update Very Account.html"

Stuff pretending to be from Very

A form expecting you to be daft enough to enter your personal details!

Various spam links sucking-up to Social Networking sites

Site Map | Returns | Track Order | Financial Services | Manage Your Account

Terms & Conditions | Security & Privacy | Corporate Info | Very Mobile Site

Credit Account | Shopping Insurance | Personal Loans | General Insurance

Click here to view our Brand Directory.

© Shop Direct Limited. 2011, All Rights Reserved. Shop Direct Home Shopping Limited. Registered number: 4663281.

Registered office: 1st Floor, Skyways House, Speke Road, Speke, Liverpool L70 1AB.

Such nonsense is usually more associated with banks. See Bank Hoax messages. But now it looks like the famous shopping catalogue is also victim to it.

"Dear Customer" indeed! That is immediately suspicious. Also, why ask for your e-mail address when they have sent to it!

Now here are some clues about what's going on: On looking through the source-code, the crooks have used various things remote-served from the actual site of Very! However, the exceptions are the http references which go to non Very.co.uk addresses. The first of these is the broken image at the top, which is http://www.bus-kaufen.de/header.png , and then there's another which is http://static.atgsvcs.com/js/atgsvcs.js , and also there's var tmBaseUrl = "https://pfa.levexis.com/very/tagman.cgi"; , and also http;//eu.hlserve.com/Delivery/ClientPaths/SDG/Delivery.aspx?rn=[random_digits], but the most suspicious line of all is the one that says <form action="http://www.feuerschutz-brunner.at/aberlos/rayodark.php" name="$loginForm" method="post" id="">

Now let's not go blaming www.bus-kaufen.de , or pfa.levexis.com , or www.feuerschutz-brunner.at as they are probably sites that have been hacked! The thing is, though, the stolen personal details are being sent to a php script which is Pink Very at www.feuerschutz-brunner.at/aberlos/rayodark.php , and from there to wherever the operation is being run.

Good Luck to Very in their attempts to crack this and in putting up proper warnings to inform customers!

There are many such scams, and various online problems. Here's a Rogues Gallery of stuff to look through!

Meanwhile, the real Very Catalogue can be accessed via this affiliate website!