TCF Bank- 'TCF express checking card alert'
14-Jan-2005

Summary
Email title: 'TCF express checking card alert'
Scam target: TCF Bank customers
Sender: support-auto32@tcfexpress.com
Sender spoofed/hidden? Spoofed
Phish 'punch line': 'Please verify your account parity to given email'
Scam goal: Getting the victim's credit card information
Phish link method: URL link
Link 'masked'? No
Visible link: http://tcf-online.com/index.php?ZHWY=760984570583562...
Actual link: http://tcf-online.com/index.php?ZHWY=760984570583562...
Phish website IP: 68.142.234.35
E-mail

This phish, along with several variations of it, is part of a large wave of scam messages targeting TCF Bank customers. It is being spread very widely, but it has significant weak points.

The email that you get looks like this:

There is a nice TCF logo on it, and the sender is spoofed. The phish domain is well chosen and could deceive a lot of people. Yet the language of the message is faulty and hasty, which is not characteristic of regular bank correspondence.

Web Site
Visible link: http://tcf-online.com/index.php?ZHWY=760984570583562...
Actual link: http://tcf-online.com/index.php?ZHWY=760984570583562...
Phish website IP: 68.142.234.35

The phish site is well designed, but it lacks any login screen; it asks directly for credit card information:

As you can see, the URL in the address bar has not been tampered with, yet it is close enough to the original to slip by. The blacked-out part is the victim's email address.
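The two summary fields above, the visible link and the actual link, are what separate a "masked" link (anchor text showing one URL while the href points elsewhere) from a lookalike domain such as the one used here, where the link is honest but the host merely resembles the bank's. The following is an added example, not code from the APWG report, showing how a mail gateway or analyst script can extract both fields from an HTML message and record the same verdicts. It goes slightly beyond the report's single case by also exercising a masked link and a benign link. The sample HTML, the brand token "tcf" and the allowlist `LEGIT_DOMAINS` are constructed placeholders; the allowlist is not TCF Bank's real set of domains, and `registrable_domain` deliberately ignores public-suffix rules.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input (not taken from the report's e-mail). The first link
# reproduces the report's case: visible text and href agree, so it is not
# masked, but the host is a lookalike of the brand. The second link is made up
# to show a masked link; the third is a benign link with non-URL anchor text.
# LEGIT_DOMAINS is a placeholder allowlist, not TCF Bank's real domains.
BRAND = "tcf"
LEGIT_DOMAINS = {"tcfbank.example"}
SAMPLE_HTML = """
<p>Please verify your account.</p>
<a href="http://tcf-online.com/index.php">http://tcf-online.com/index.php</a>
<a href="http://tcf-online.com/index.php">http://tcfbank.example/login</a>
<a href="http://tcfbank.example/help">Click here</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme ('www.example.com/x')."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of the host. Assumption: no public-suffix list, so
    'co.uk'-style suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_url(text):
    return bool(re.match(r"^(https?://|www\.)\S+$", text, re.I))


def is_lookalike(host, brand, legit_domains):
    """True when the registrable domain carries the brand name but is not an
    allowlisted brand domain (e.g. 'tcf-online.com' for brand 'tcf')."""
    domain = registrable_domain(host)
    if domain in legit_domains:
        return False
    return brand.lower() in domain.replace("-", "")


def assess_links(html, brand, legit_domains):
    """One record per link, mirroring the report's summary fields."""
    records = []
    for href, text in extract_links(html):
        actual_host = host_of(href)
        visible_host = host_of(text) if looks_like_url(text) else None
        records.append({
            "visible_link": text,
            "actual_link": href,
            "actual_host": actual_host,
            # Masked only when the text itself displays a URL whose host
            # differs from where the href really points.
            "masked": visible_host is not None and visible_host != actual_host,
            "lookalike": is_lookalike(actual_host, brand, legit_domains),
        })
    return records


if __name__ == "__main__":
    for rec in assess_links(SAMPLE_HTML, BRAND, LEGIT_DOMAINS):
        print(rec)
```

The "masked" verdict is only meaningful when the anchor text itself looks like a URL; a link whose text is "Click here" cannot be masked in this sense, which is why that case is recorded as unmasked and judged on its destination host alone.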

The site checks whether each field contains the required number and type of characters, but does no further validation. It then displays the following bogus error page:

Curiously, the site is hosted on the same IP as the one previously analysed (that analysis can be found here):

WHOIS information (for IP 68.142.234.35):

IP Location: USA, California

Domain Name: FAST-EMAIL-ADDRESS.US
Domain ID: D7066774-US
Sponsoring Registrar: MELBOURNE IT D/B/A INTERNET NAMES WORLD WIDE
Domain Status: ok
Registrant ID: A110325394080776
Registrant Name: Sondra Wissel
Registrant Organization: Sondra Wissel
Registrant Address1: 2634 Fenwick Court
Registrant City: Ann Arbor
Registrant State/Province: MI
Registrant Postal Code: 48104
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.2486680157
Registrant Application Purpose: P3
Registrant Nexus Category: C11
Administrative Contact ID: A110325394080773
Administrative Contact Name: Sondra Wissel
Administrative Contact Organization: Sondra Wissel
Administrative Contact Address1: 2634 Fenwick Court
Administrative Contact City: Ann Arbor
Administrative Contact State/Province: MI
Administrative Contact Postal Code: 48104
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.2486680157
Billing Contact ID: A110325394080775
Billing Contact Name: YahooDomains BillingContact
Billing Contact Organization: Yahoo! Inc
Billing Contact Address1: 701 First Ave.
Billing Contact City: Sunnyvale
Billing Contact State/Province: CA
Billing Contact Postal Code: 94089
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.6198813096
Billing Contact Facsimile Number: +1.6198813010
Technical Contact ID: A110325402841726
Technical Contact Name: YahooDomains TechContact
Technical Contact Organization: Yahoo! Inc
Technical Contact Address1: 701 First Ave.
Technical Contact City: Sunnyvale
Technical Contact State/Province: CA
Technical Contact Postal Code: 94089
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.6198813096
Technical Contact Facsimile Number: +1.6198813010
Technical Contact Email:
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Created by Registrar: MELBOURNE IT D/B/A INTERNET NAMES WORLD WIDE
Domain Registration Date: Fri Dec 17 03:28:03 GMT 2004
Domain Expiration Date: Fri Dec 16 23:59:59 GMT 2005