
Keybank - 'SECURE YOUR ACCOUNT NOW'
08-Feb-2005

Summary
Email title: 'SECURE YOUR ACCOUNT NOW'
Scam target: Keybank customers
Sender: KEYBANK ACCOUNT <safety@keybank.com>
Sender spoofed/hidden? Spoofed
Phish 'punch line': 'Enter the information requested to activate your card in order to complete your transaction. It only takes a moment, and then your card will have password protection whenever you shop online.'
Scam goal: Getting victim's credit/debit card information
Phish link method: Image link
Link 'masked'? Yes
Visible link: 'Apply now' image
Actual link to: http://www.securesmartpassword.com/ssl/smart_key/smart_key_login.htm
Redirects to: https://s.p3.hostingprod.com/@www.securesmartpassword.com/ssl/smart_key/smart_key_login.htm
Phish website hosted on: s.p3.hostingprod.com (a Yahoo domain)
 
E-mail
 

This is a very well designed scam. In addition to forging the address bar of your browser, it also uses an HTTPS session and a security certificate, so it has a real chance of causing serious harm.

The email it propagates through is visually convincing:

 
 
In addition, it uses all the standard phish tricks - the spoofed sender and the 'hidden' link, for example.
 
Web Site
 
When the image link is clicked, it leads to 'http://www.securesmartpassword.com/ssl/smart_key/smart_key_login.htm', which then redirects to the real phish site. The scammers have obtained access to a Yahoo domain (hostingprod.com) and placed their site there. This way, they can use the security certificate issued to this domain to establish a 'https' secure session. Add an address bar forgery, and the scam starts looking dangerously real:
 
 
The context menu of the page is disabled by some Java code - right clicking on the page will not have any effect. Still, the 'properties' page can be accessed via the main menu (file/properties). This is where the real URL of the page can be seen:
 
 
And a double click on the lock icon will bring up details on the security certificate:
 
 

Here, it is visible that the certificate owner is not 'keybank.com'.

Nevertheless, these clues are not plainly visible.
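The clues described so far (spoofed sender, image link, cross-domain redirect, a hostname placed in the URL path, and a certificate that does not belong to the bank) can be checked mechanically when triaging a reported message. The following is an added example, not part of the original report; the function names are hypothetical, and the two-label domain comparison is a simplifying assumption (production code should use the Public Suffix List).

```python
import re
from urllib.parse import urlsplit

# Values taken from this report's summary.
SENDER = "KEYBANK ACCOUNT <safety@keybank.com>"
HREF = "http://www.securesmartpassword.com/ssl/smart_key/smart_key_login.htm"
FINAL = ("https://s.p3.hostingprod.com/@www.securesmartpassword.com"
         "/ssl/smart_key/smart_key_login.htm")

# A path segment that looks like a hostname, optionally prefixed with '@'.
HOST_IN_PATH = re.compile(r"/@?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=/)", re.I)

def base_domain(host):
    # Assumption: the last two labels identify the owner of the name.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(claimed_sender, link_is_image, href, final_url):
    """Return the findings for one link in a reported e-mail."""
    findings = []
    sender_dom = base_domain(claimed_sender.rsplit("@", 1)[-1].strip("<> "))
    first, last = urlsplit(href), urlsplit(final_url)
    href_dom = base_domain(first.hostname)
    final_dom = base_domain(last.hostname)
    if link_is_image:
        findings.append("image link: no URL text for the reader to inspect")
    if href_dom != sender_dom:
        findings.append(f"link domain {href_dom} differs from sender domain {sender_dom}")
    if final_dom != href_dom:
        findings.append(f"redirect crosses domains: {href_dom} -> {final_dom}")
    m = HOST_IN_PATH.search(last.path)
    if m and base_domain(m.group(1)) != final_dom:
        findings.append(f"hostname {m.group(1)} embedded in path of {last.hostname}")
    if last.scheme == "https" and final_dom != sender_dom:
        findings.append(f"https certificate belongs to a host under {final_dom}, not {sender_dom}")
    return findings

if __name__ == "__main__":
    for finding in triage(SENDER, True, HREF, FINAL):
        print("-", finding)
```
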

After the login screen, the main phishing page opens:

 
 

The status bar is also disabled (showing only a 'Keybank - Personal online banking' line), thus making the links' destinations not plainly visible. All the other concerns and clues from the previous screen apply here, too.

The site will accept any information, as long as the card number entered has a 51-55 prefix (identifying a Mastercard CC number) and passes a basic verification formula - i.e. random bogus numbers will not be accepted.

We generated a number that passes this initial verification and gave it to the website (this is by no means a real CC number):

 
 

After this, the site leaves you with the only option of closing the browser window. This unloads the address bar forgery, too.

The WHOIS information of the initially linked domain could provide information on the scammer's identity:

 
WHOIS data (for IP 68.142.234.35):
Website Status: Active
Reverse IP: Web server hosts 193034 websites
Server Type: Apache/2.0.51 (Fedora) (Spry.com also uses Apache)
IP Address: 68.142.234.35 (ARIN & RIPE IP search)
IP Location: - California - Foster City - Inktomi Corporation
Blacklist Status: Clear
Record Type: Domain Name
Name Server: YNS1.YAHOO.COM
ICANN Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Created: 2005-01-20
Expires: 2006-01-20
Status: ACTIVE
Domain Name.......... securesmartpassword.com
Creation Date........ 2005-01-21
Registration Date.... 2005-01-21
Expiry Date.......... 2006-01-21
Organisation Name.... Nancy Leeds
Organisation Address. 2 red fox lane
Organisation Address. Glen Head
Organisation Address. 11545
Organisation Address. NY
Organisation Address. UNITED STATES

Admin Name........... Nancy Leeds
Admin Address........ 2 red fox lane
Admin Address........
Admin Address........ Glen Head
Admin Address........ 11545
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Phone.......... +1.5166763014
Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com