Thursday, November 6, 2025

National Bank phishing email with subject Tax Residency Verification - Mandatory Renewal of Form


For the record, this is a National Bank phishing email attempt that is currently going around, with the subject "Tax Residency Verification — Mandatory Renewal of Form".


What to do?

Report them; see the bottom of the page.


From: helpdesk@griolk.com
Subject: Tax Residency Verification — Mandatory Renewal of Form




PHISHING LINKS:

1. https://nbdb-entryt.com/?token=xxxxxxxxxxxxxxxxxx

How to tell this is a phishing email?

  1. Check the sender's email address in full; if it is not from the originating company, it's phishing.
  2. Hover over every image and link in the email; if it does not point to the company's website, forget it.

How to examine Email Message Source?

Now let's look at the message source:
  1. Outlook.com -> Actions -> View Message Source.
  2. Gmail.com -> More (down arrow at top right) -> Show original.
Check for suspicious links: anything that does not originate from the company's domain.
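The two checks above (sender domain, link targets) can be run over a saved message source instead of by eye. The following is an added example, not code from the post: it parses a raw message with Python's standard email library, takes the sender domain from the From header, pulls every link out of the body and lists the ones whose host is not the company's domain. The sample message is constructed from the From address, subject and link quoted in the post; the Reply-To, recipient, second link, TOKEN_PLACEHOLDER and the company domain nationalbank.example are placeholders.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample message source. The From address, Subject and the
# first link are the ones quoted in the post; the Reply-To, the recipient,
# the second link and TOKEN_PLACEHOLDER are made up for this example.
SAMPLE_EML = b"""From: National Bank Helpdesk <helpdesk@griolk.com>
Reply-To: helpdesk@griolk.com
To: customer@example.com
Subject: Tax Residency Verification - Mandatory Renewal of Form
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="https://nbdb-entryt.com/?token=TOKEN_PLACEHOLDER">renew your form</a>.</p>
<img src="https://nbdb-entryt.com/logo.png">
<p>Visit <a href="https://www.nationalbank.example/">our site</a>.</p>
</body></html>
"""

# Matches href/src targets in HTML as well as bare URLs in a text body.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (no public-suffix list; fine for this check)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value) -> str:
    """Domain part of the first address in a From/Reply-To/Return-Path header."""
    m = re.search(r"@([\w.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""


def triage(raw: bytes, company_domain: str) -> dict:
    """Apply the post's two tests to a raw message: sender domain and link targets."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = address_domain(msg["From"])
    reply_domain = address_domain(msg["Reply-To"])
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    links = sorted(set(URL_RE.findall(text)))
    off_domain = [u for u in links
                  if registrable_domain(urlparse(u).hostname or "") != company_domain]
    sender_mismatch = registrable_domain(from_domain) != company_domain
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "sender_mismatch": sender_mismatch,
        "links": links,
        "off_domain_links": off_domain,
        "verdict": "treat as phishing" if (sender_mismatch or off_domain)
                   else "headers and links consistent",
    }


if __name__ == "__main__":
    # nationalbank.example is a placeholder for the real company's domain.
    result = triage(SAMPLE_EML, "nationalbank.example")
    print("From domain:", result["from_domain"],
          "(does not match the company)" if result["sender_mismatch"] else "")
    for u in result["off_domain_links"]:
        print("off-domain link:", u)
    print("Verdict:", result["verdict"])
```

Save the message source shown by "View Message Source" / "Show original" to a file, read it as bytes and pass it to triage() together with the company's real domain. The domain comparison uses the last two labels only, so a lookalike such as a long subdomain of an unrelated host is still reported as off-domain, which is the behaviour you want for this check.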


Report Phishing Email (not as Spam)

  1. Outlook.com -> Junk (at top) -> Phishing Scam
  2. Gmail.com -> More (down arrow at top right) -> Report Phishing

Report Phishing

If you have received this email, take it further:

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Wednesday, November 5, 2025

Windows - How to check svchost.exe outgoing connections to external DNS servers other than my local DNS


How to effectively check which remote addresses svchost.exe is connecting to.


I use a tool from Nirsoft that makes this easy: LiveTcpUdpWatch - View TCP/UDP network activity of every application on Windows (nirsoft.net)





The row of interest from LiveTcpUdpWatch, showing the columns that had a value (all other columns were empty):

Process ID:       1672
Process Name:     svchost.exe
Protocol:         UDP IPv6
Local Port:       5355
Local Address:    ff02::1:3
Remote Port:      49911
Remote Address:   fe80::d4a5:1562:817:1350
Received Bytes:   48
Received Packets: 2
Process Path:     C:\Windows\System32\svchost.exe
Remote Host Name: fe80::d4a5:1562:817:1350

Let's now examine the remote address fe80::d4a5:1562:817:1350: right-click on the line and choose



You have to get IPNetInfo: Retrieve IP Address Information from WHOIS servers (nirsoft.net) and install it in the same directory, for example C:\Program Files (x86)\Nirsoft.

From the window below (text extracted), we see it connect to IANA for the DNS server.

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2025, American Registry for Internet Numbers, Ltd.
#


NetRange:       FE80:: - FEBF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           FE80::/10
NetName:        IANA-LINK-LOCAL-UNICAST
NetHandle:      NET6-FE80-1
Parent:          ()
NetType:        IANA Special Use
OriginAS:       
Organization:   Internet Assigned Numbers Authority (IANA)
RegDate:        2022-02-26
Updated:        2024-05-24
Comment:        Link-Local Unicast [RFC4291]
Ref:            https://rdap.arin.net/registry/ip/FE80::



OrgName:        Internet Assigned Numbers Authority
OrgId:          IANA
Address:        12025 Waterfront Drive
Address:        Suite 300
City:           Los Angeles
StateProv:      CA
PostalCode:     90292
Country:        US
RegDate:        
Updated:        2024-05-24
Ref:            https://rdap.arin.net/registry/entity/IANA


OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   ICANN
OrgAbusePhone:  +1-310-301-5820 
OrgAbuseEmail:  abuse@iana.org
OrgAbuseRef:    https://rdap.arin.net/registry/entity/IANA-IP-ARIN

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   ICANN
OrgTechPhone:  +1-310-301-5820 
OrgTechEmail:  abuse@iana.org
OrgTechRef:    https://rdap.arin.net/registry/entity/IANA-IP-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2025, American Registry for Internet Numbers, Ltd.
#


AI Content


What is fe80::d4a5:1562:817:1350?

  • This is a link-local IPv6 address, part of the fe80::/64 range.

  • Link-local addresses are automatically assigned to network interfaces for communication within the same local network segment.

  • They are not routable on the internet and are used for internal purposes like device discovery and service resolution.

Why is svchost.exe connecting to it?

  • svchost.exe hosts many Windows services. In this case, it's likely handling:

    • LLMNR (Link-Local Multicast Name Resolution): Resolves names without DNS.

    • NDP (Neighbor Discovery Protocol): Detects other devices and configures network settings.

    • mDNS or SSDP: Service discovery protocols used by apps and devices.

These protocols use UDP over IPv6 to communicate with nearby devices using link-local addresses like fe80::d4a5:1562:817:1350.

🔐 Is this safe?

  • Yes, this is normal behavior in IPv6-enabled networks.

  • It’s part of how Windows discovers and interacts with other devices (printers, routers, etc.).

  • If you're concerned about privacy or traffic:

    • You can disable unused IPv6 features or the IP Helper service.

    • Use tools like Wireshark or Process Explorer to monitor activity.


IANA server ? 

The connection to fe80::/64 by svchost.exe on Windows 7 is not to an IANA server—it’s a local link-local IPv6 address used for internal network communication.

Here's a breakdown of what’s happening and why:

What is fe80::/64?

  • fe80::/64 is a reserved IPv6 address range for link-local communication.

  • These addresses are automatically assigned to network interfaces and are only valid within the local network segment.

  • They cannot be routed across the internet and are not associated with IANA servers or any external organization.

Why is svchost.exe connecting to it?

  • svchost.exe is a generic host process that runs Windows services.

  • In this case, it's likely hosting the IP Helper service (iphlpsvc), which supports IPv6 features like:

    • LLMNR (Link-Local Multicast Name Resolution) for name resolution without DNS

    • Neighbor Discovery Protocol (NDP) for detecting other devices on the local network

    • Multicast DNS (mDNS) or other service discovery protocols

These services use UDP over IPv6 to communicate with other devices on the same local network using link-local addresses like fe80::d4a5:1562:817:1350.
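To turn the explanation above into a repeatable check, here is an added example (not the post's or Nirsoft's code) that classifies connection rows of the kind LiveTcpUdpWatch exports. It uses Python's standard ipaddress module to tell link-local and multicast addresses apart from global ones, so the LLMNR row from the post is recognised as on-link discovery traffic, a query to the configured local resolver is recognised as expected, and only DNS to an outside resolver ends up in the review queue, which is the question the post title asks. The first row is the one shown in the post; the other two rows, the local resolver 192.168.1.1 and the use of Google's public resolver 8.8.8.8 as the "external" example are constructed.

```python
import ipaddress

# (pid, process, protocol, local_port, local_addr, remote_port, remote_addr)
# Row 1 is the svchost.exe row from the post; rows 2 and 3 are constructed.
ROWS = [
    (1672, "svchost.exe", "UDP IPv6", 5355, "ff02::1:3", 49911, "fe80::d4a5:1562:817:1350"),
    (1672, "svchost.exe", "UDP IPv4", 61022, "192.168.1.20", 53, "192.168.1.1"),
    (1672, "svchost.exe", "UDP IPv4", 61023, "192.168.1.20", 53, "8.8.8.8"),
]

# Constructed: the resolver the local router hands out via DHCP. On a real
# machine fill this from "ipconfig /all" (DNS Servers lines).
LOCAL_DNS = {"192.168.1.1"}

# Ports the post's explanation talks about, plus plain DNS.
WELL_KNOWN = {53: "DNS", 5353: "mDNS", 5355: "LLMNR", 1900: "SSDP"}


def scope(addr_str):
    """Label where an address lives; link-local and multicast never leave the segment."""
    addr = ipaddress.ip_address(addr_str)
    if addr.is_multicast:
        return "multicast"
    if addr.is_link_local:
        return "link-local"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "global"


def classify(row, local_dns=LOCAL_DNS):
    """Decide whether one connection row is expected or needs a look."""
    pid, proc, proto, lport, laddr, rport, raddr = row
    service = WELL_KNOWN.get(lport) or WELL_KNOWN.get(rport) or "other"
    remote_scope = scope(raddr)
    if service == "DNS" and rport == 53:
        if raddr in local_dns:
            verdict = "expected: configured local resolver"
        elif remote_scope == "global":
            verdict = "REVIEW: DNS to an external resolver not in the local list"
        else:
            verdict = "REVIEW: DNS to an unexpected on-link address"
    elif remote_scope in ("link-local", "multicast") and service in ("LLMNR", "mDNS", "SSDP"):
        verdict = "expected: on-link name/service discovery"
    elif remote_scope == "global":
        verdict = "REVIEW: non-DNS traffic to a global address"
    else:
        verdict = "expected: local traffic"
    return {"pid": pid, "process": proc, "protocol": proto, "service": service,
            "local_scope": scope(laddr), "remote_scope": remote_scope, "verdict": verdict}


def review_queue(rows=ROWS, local_dns=LOCAL_DNS):
    """Only the rows whose verdict starts with REVIEW."""
    results = [classify(r, local_dns) for r in rows]
    return [c for c in results if c["verdict"].startswith("REVIEW")]


if __name__ == "__main__":
    for row in ROWS:
        c = classify(row)
        print(f"{c['process']} {c['service']:5} {row[6]:>26} [{c['remote_scope']}] -> {c['verdict']}")
```

Export the LiveTcpUdpWatch table to CSV, map its columns onto the tuple layout above and feed the rows to review_queue(). Anything a process sends to port 53 of an address that is neither the resolver you configured nor on-link is what deserves the WHOIS lookup; the fe80:: row never will, because a link-local address is not reachable from the internet at all.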

Thursday, October 30, 2025

How to uninstall if installer is not there and checking for malware



There's a better way to uninstall programs that do not have an installer, and I recommend using Nirsoft's UninstallView

UninstallView - View installed applications on Windows 11 / 10 / 8 / 7 / Vista and optionally uninstall them (nirsoft.net)

UninstallView is a tool for Windows that collects information about all programs installed on your system and displays the details of the installed programs in one table, so you can interrogate the columns.

Sorting by the Publisher column to reveal entries with an empty publisher is a good way to check for malware.


Available Columns to sort by

Display Name: The official display name of the software (stored in the Registry)
Registry Name: The name of the Registry key (under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall)
Display Version: The official display version of the software (stored in the Registry)
Registry Time: The date/time that the Registry key of the software was modified
Install Date: The official install date of the software, stored in the Registry by the installer
Installed For: Indicates whether the software was installed for a specific user or all users
Install Location: The path of the folder where the software is installed
Install Folder Created Time: The creation date/time of the installation folder
Install Folder Modified Time: The modified date/time of the installation folder
Publisher: The creator of the software
Uninstall String: Full command to uninstall the software
Quiet Uninstall String: Full command to quietly uninstall the software
Change Install String: Full command to change the installation of the software
Comments: Comment about the software, stored in the uninstall Registry key
About URL: URL to the publisher's or application's home page
Update Info URL: URL used to update information on the application
Help Link: Internet address for technical support
Install Source: The folder that contained the installer files
Installer Name: Name of the installer used (e.g., Windows Installer, Inno Setup)
Release Type: Displays the release type of the software (e.g., Security Update)
Display Icon Path: Full path of the icon file
MSI Filename: Specifies the MSI filename (Windows Installer only)
Estimated Size: Estimated size of the software (from the Registry)
Attributes: Attributes stored in the uninstall Registry key (e.g., System Component)
Language: Language of the software (e.g., en-US)
Parent Key Name: Registry name of the parent uninstall item
Registry Key: Full path of the uninstall Registry key

Download UninstallView - View installed applications on Windows 11 / 10 / 8 / 7 / Vista and optionally uninstall them (nirsoft.net)

UninstallView reads the registry key below for you.

For a really technical removal, you can explore that key path in the Registry Editor yourself:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
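The same two places UninstallView reads can be walked with a few lines of Python, and the empty-Publisher sort from above becomes a filter you can rerun. The following is an added example, not UninstallView's code. It reads the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER Uninstall keys named in the post (plus the standard WOW6432Node key that holds 32-bit software on 64-bit Windows, which the post does not mention) with the standard winreg module, then flags entries with no Publisher, an uninstall command living in a user-writable folder, or no uninstall command at all. The registry read only works on Windows; the flagging logic is pure and is shown on constructed sample entries so it runs anywhere.

```python
import re

# The two keys named in the post, plus the WOW6432Node key used by 32-bit
# software on 64-bit Windows (a standard location, not taken from the post).
UNINSTALL_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("HKEY_LOCAL_MACHINE", r"Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Uninstall"),
]
VALUES = ("DisplayName", "Publisher", "UninstallString", "InstallLocation")

# Folders an uninstaller normally should not live in. Per-user installs of
# legitimate software also sit under AppData, so a match is a prompt to look,
# not a verdict.
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp)\\", re.I)


def read_uninstall_entries():
    """Windows only: read every subkey of the Uninstall keys with the stdlib winreg module."""
    import winreg  # imported here so flag_entries() below still runs on other platforms
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive_name, path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(hives[hive_name], path)
        except OSError:
            continue  # key absent (e.g. no WOW6432Node on 32-bit Windows)
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                sub = winreg.EnumKey(root, i)
                entry = {"registry_key": f"{hive_name}\\{path}\\{sub}"}
                with winreg.OpenKey(root, sub) as k:
                    for name in VALUES:
                        try:
                            entry[name] = str(winreg.QueryValueEx(k, name)[0])
                        except OSError:
                            entry[name] = ""  # value not present in this key
                entries.append(entry)
    return entries


def flag_entries(entries):
    """Return the entries worth a second look, each with the reasons attached."""
    flagged = []
    for e in entries:
        reasons = []
        if not e.get("Publisher", "").strip():
            reasons.append("empty Publisher")
        cmd = e.get("UninstallString", "")
        if USER_WRITABLE_RE.search(cmd):
            reasons.append("uninstall command lives in a user-writable folder")
        if e.get("DisplayName", "").strip() and not cmd.strip():
            reasons.append("no UninstallString: cannot be removed through Settings")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


# Constructed sample entries (not read from any real machine); GUID-PLACEHOLDER
# stands in for a real product code.
SAMPLE_ENTRIES = [
    {"registry_key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{GUID-PLACEHOLDER}",
     "DisplayName": "Example Office Suite", "Publisher": "Example Corp",
     "UninstallString": r"MsiExec.exe /X{GUID-PLACEHOLDER}",
     "InstallLocation": r"C:\Program Files\Example Office"},
    {"registry_key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\SysHelper",
     "DisplayName": "SysHelper", "Publisher": "",
     "UninstallString": r"C:\Users\alice\AppData\Local\Temp\syshelper\uninst.exe",
     "InstallLocation": ""},
    {"registry_key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ExampleEditor",
     "DisplayName": "Example Editor", "Publisher": "Example Editor Team",
     "UninstallString": r"C:\Program Files\Example Editor\uninstall.exe",
     "InstallLocation": r"C:\Program Files\Example Editor"},
]


if __name__ == "__main__":
    try:
        entries = read_uninstall_entries()
    except ImportError:
        entries = SAMPLE_ENTRIES  # not on Windows: demonstrate on the constructed data
    for e in flag_entries(entries):
        print(e["DisplayName"] or "(no name)", "->", "; ".join(e["reasons"]))
        print("   ", e["registry_key"])
```

Run it from an elevated prompt to see the HKEY_LOCAL_MACHINE entries of all users. An empty Publisher is only a hint: some legitimate installers leave it blank, and malware can just as easily fill it in, so treat the flagged list as the set of rows to examine in UninstallView (Install Location, Install Folder Created Time) rather than as a verdict.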