
KeyBank - 'Keybank Internet Banking Account Suspension Notice!'
07-Jan-2005

Summary
Email title: 'Keybank Internet Banking Account Suspension Notice!'
Scam target: KeyBank customers
Sender: clientdepartment@keybank.com
Sender spoofed/hidden? Spoofed
Phish 'punch line' : 'We recently noticed one or more attempts to log in to your KeyBank account from a foreign IP address and we have reasons to believe that your account was hijacked by a third party without your authorization. If you recently accessed your account while traveling, the unusual log in attempts may have initiated by you. However if you are the rightful holder of the account, click on the link below and submit, as we try to verify your account.'
Scam goal: Getting victim's keybank.com account information, credit card information, SSN, email address
Phish link method: URL link
Visible link: https://accounts2.keybank.com/ib2/Controller?requester=signon
Link 'masked'? Yes
Actual link to http://key.accountaxservices.com/ib2/SecureReauthController1.php
Phish website IP: 68.142.234.35
 
E-mail
 

This phish is very well designed and could fool a lot of people.

The email combines several techniques and tactics: it tries to scare the potential victim, cites information that sounds convincing, spoofs the sender of the message, and masks the link. The KeyBank logo adds to the convincing look, too.

 
 
Web Site
Visible link: https://accounts2.keybank.com/ib2/Controller?requester=signon
Link 'masked'? Yes
Actual link to http://key.accountaxservices.com/ib2/SecureReauthController1.php
Phish website IP: 68.142.234.35
 

The phish site is well designed, too, but it shows some obvious signs of phishing.

First, the URL of the site. It is made to look legitimate, but only at first glance:

 
 

Also, the http in front of the URL does not indicate a secure session (it should be https).

On the second screen, after 'logging in', the phish demands your personal information. The URL remains the same here:

 
 
The phish site only checks whether the required number of symbols is entered in each field; no further checking takes place. Afterwards, a logout page is displayed:
 
 
The phish site itself is hosted on a server in the UK:
 
WHOIS information (for IP 68.142.234.35):

Domain Name.......... accountaxservices.com
Creation Date........ 2004-12-29
Registration Date.... 2004-12-29
Expiry Date.......... 2005-12-29
Organisation Name.... Cheng Lu
Organisation Address. 154A Arthur Road
Organisation Address.
Organisation Address. London
Organisation Address. SW198AQ
Organisation Address. N/A
Organisation Address. UNITED KINGDOM