
Huntington Bank - 'Huntington - Urgent Security Notification'
02-Feb-2005

Summary
Email title: 'Huntington - Urgent Security Notification'
Scam target: Huntington Bank customers
Sender: accounts@keybank.com
Sender spoofed/hidden? Spoofed
Phish 'punch line': 'Huntington security systems require that you test your browser now to see if meets the requirements to Huntington Online Banking. Pleas follow this link in order to verify security update installation.'
Scam goal: Getting victim's check/ATM card information, SSN, email address.
Phish link method: URL link
Link 'masked'? Yes
Visible link: https://onlinebanking.huntington.com/security/login.jsp
Actual link to: http://203.109.100.33/.../onlinebanking.huntington.com/login.html
Phish website IP: 203.109.100.33
 
E-mail
 

This recent scam features some typical phish tactics in a combination that can be very dangerous.

The email looks quite convincing, with the exception of the spammy line at the end:

 
 
Otherwise, it is spotless: the sender is spoofed, the link is 'hidden', and legitimate logos and a footer are present.
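The link masking listed in the summary can be caught on the mail side by comparing each anchor's visible text with its real target. The following Python check is an added example, not part of the original report; the function names and reason labels are assumptions, and the sample HTML is constructed from the two links in the summary (the "..." path segment is elided in the report and kept as-is).

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample built from the summary's two links, plus one honest link.
SAMPLE = (
    '<a href="http://203.109.100.33/.../onlinebanking.huntington.com/login.html">'
    'https://onlinebanking.huntington.com/security/login.jsp</a>'
    '<a href="https://onlinebanking.huntington.com/security/login.jsp">Log in</a>'
)

class AnchorCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def check_link(href, text):
    """Return the reasons an anchor looks masked (empty list if none)."""
    actual, shown = urlparse(href), urlparse(text)
    a_host, s_host = actual.hostname or "", shown.hostname or ""
    reasons = ["ip-literal-host"] if is_ip(a_host) else []
    if s_host and s_host != a_host:  # visible text is itself a URL elsewhere
        reasons.append("host-mismatch")
        if s_host in actual.path.lower():  # brand hostname used as a folder
            reasons.append("brand-host-in-path")
    if shown.scheme == "https" and actual.scheme == "http":
        reasons.append("scheme-downgrade")
    return reasons

def find_masked_links(html):
    parser = AnchorCollector()
    parser.feed(html)
    return [(h, t, r) for h, t in parser.links if (r := check_link(h, t))]
```

All four reasons fire on the link from this report, while the anchor whose text and target agree is not reported.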
 
Web Site
 
The site looks convincing, too. It employs a taskbar forgery but does not use any security certificate, which is its most obvious weakness:
 
 
Some tampering is also done on the status bar. It looks like this all the time:
 
 
This way the links to suspicious URLs are masked, and not visible in the status bar. The context (right click) menu is also disabled, but the properties page can be accessed using the main menu. There, the true URL of the site becomes visible:
 
 
After the login page, the second one loads:
 
 

This is the page where the bulk of the information is requested. All the weaknesses mentioned before are present here, too.

After the information is entered, the site redirects to a privacy policy page on the legitimate Huntington Bank site, and the address bar forgery is removed:

 
 
The phishing server is located in India:
 
WHOIS data (for IP 203.109.100.33)

IP Location: India - Bg Broadband Networks India Pvt. Ltd
