| |
|
|
| |
12-Jan-2005
| Summary |
| Email title: |
Important Online Banking Alert |
| Scam target: |
Citizens Bank clients |
| Sender: |
Citizens Bank <support@citizensbank.com> |
| Sender spoofed/hidden? |
Spoofed |
| Phish 'punch line' : |
'your account information needs to be confirmed due to inactive customers, fraud and spoof reports.
If you could please take 5-10 minutes out of your online experience and renew your records you will not run into any future problems with the online service.
However, failure to confirm your records may result in your account suspension.' |
| Scam goal: |
Getting victim's Citizens Bank website username/password |
| Phish link method |
a 'Click here' type link |
| Link 'masked'? |
Yes |
| Actual link to |
http://219.137.205.143/CitizensBank/OnlineBanking/index.html |
| Phish website IP: |
212.85.153.6 |
|
| |
| E-mail |
| |
This phish is one of the most frequently reported ones the last couple of days.
The email is surely well crafted: |
| |
 |
| |
| The sender os spoofed too, adding to the convincing look. |
| |
| Web Site |
| Link 'masked'? |
Yes |
| Actual link to |
http://219.137.205.143/CitizensBank/OnlineBanking/index.html |
| Phish website IP: |
212.85.153.6 |
|
| |
| Once the web site opens, a Java program loads, that overwrites the contents of the address bar with a window containing a legitimate URL. Still, the real URL can be seen in the properties page (File/Properties). Another weakness is the unsecured session, which contradicts to the 'https' in the forged address bar: |
| |
 |
| |
| After eventually getting the login information, an interesting twist occurs: |
| |
 |
| |
| This is in fact a fake error screen, designed to make the victim think that some kind of error has occured. It is a nice attempt in covering the phish scam's tracks, as if nothing extraordinary has happened. |
| |
| WHOIS information (for IP 212.85.153.6): |
IP Location: China - Chinanet Guangdong Province
inetnum: 219.128.0.0 - 219.137.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: IC83-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-GD
status: ALLOCATED NON-PORTABLE
changed: 20020424
changed: 20041207
source: APNIC
person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-58501144
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: 20021016
source: APNIC |
|
| |
|
| |
|
