SouthTrust Bank - 'Notification From Southtrust Online Banking'
22-Feb-2005

Summary
Email title: Notification From Southtrust Online Banking
Scam target: SouthTrust Bank clients
Sender: Southtrust Bank <service@southstrustsonlinebanking.com>
Sender spoofed/hidden?: Spoofed
Scam goal: Getting victim's credit/debit card information
Phish link method: URL link
Link 'masked'?: No
Visible link: http://www.southstrustonlinebank.com/index.html?=verify
Actual link to: http://www.southstrustonlinebank.com/index.html?=verify
Phish website IP: 219.153.9.16
 
Overview
 
This is an example of a simple yet effective and dangerous phishing scam. It relies on the deceptive look-alike domain name used by the scammers.
 
E-mail
 

The email looks rather plain:

 
 
The sender is spoofed, but the link is not 'hidden': the scammers plainly rely on the close resemblance between the fraudulent domain name and the legitimate one.
 
Web Site
Visible link: http://www.southstrustonlinebank.com/index.html?=verify
Actual link to: http://www.southstrustonlinebank.com/index.html?=verify
Phish website IP: 219.153.9.16
 
The website replicates the legitimate page, as if an unsuccessful login had been attempted. The deceptive URL and the lack of an https indication are the main phishing clues, given the strong resemblance of the scam URL to the legitimate one:
 
 
The website even links to the Verisign entry for the legitimate site, southtrust.com. The Verisign window will pop up above the taskbar of the original window, obscuring the scam URL. Still, the discrepancy can be seen if the two are compared:
 
 
After the imitated login, a second page is displayed. All the concerns mentioned above remain valid:
 
 
The site will accept any data, as long as the fields are filled with enough of the right type of charac
 
WHOIS data (for IP 219.153.9.16):
Website Status: Active
Server Type: Apache/2.0.40 (Red Hat Linux)
IP Location: Chinanet Chongqing Province Network
ICANN Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Created: 21-feb-2005
Expires: 21-feb-2006
Status: ACTIVE
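As an added illustration, not part of the APWG archive entry itself, the following Python script checks a URL for the clues this entry points out: a brand name that appears in, or is one edit away from appearing in, a domain the bank does not own; a missing https indication; and a domain registered only a day before the email was seen. It uses the scam URL and the WHOIS creation date shown above. The brand token `southtrust`, the legitimate-domain list `['southtrust.com']`, the use of the entry's 22-Feb-2005 date as the observation date, and the 30-day "newly registered" threshold are assumptions of the example, as is the naive two-label registrable-domain rule (real code should consult the Public Suffix List).

```python
"""Phishing URL clue checker (added example, not APWG code).

Flags the clues described in the archive entry: a look-alike domain that
carries the brand name (or one edit of it), a non-https link, and a domain
registered shortly before the email was observed.
"""
from datetime import date, datetime
from urllib.parse import urlparse

# Assumptions for this example (not data from the archive entry).
BRAND = "southtrust"
LEGIT_DOMAINS = ["southtrust.com"]
MAX_AGE_DAYS = 30

# Values taken from the archive entry above.
SCAM_URL = "http://www.southstrustonlinebank.com/index.html?=verify"
WHOIS_CREATED = "21-feb-2005"
EMAIL_SEEN = date(2005, 2, 22)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: two-label public suffix)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def brand_lookalike(host: str, brand: str):
    """Closest substring of host to the brand token as (substring, distance).

    Windows one character shorter and longer than the brand are tried so a
    single inserted or dropped letter (southstrust vs southtrust) is caught.
    """
    h = host.lower()
    best = None
    for length in (len(brand) - 1, len(brand), len(brand) + 1):
        for i in range(len(h) - length + 1):
            window = h[i:i + length]
            d = levenshtein(window, brand)
            if best is None or d < best[1]:
                best = (window, d)
    return best


def parse_whois_date(text: str) -> date:
    """Parse the 'dd-mon-yyyy' form used in the WHOIS block above."""
    return datetime.strptime(text.strip(), "%d-%b-%Y").date()


def assess_url(url, brand=BRAND, legit_domains=LEGIT_DOMAINS,
               created=None, observed=None, max_age_days=MAX_AGE_DAYS):
    """Return a list of human-readable phishing clues for the URL."""
    clues = []
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        clues.append("no https: scheme is %r" % parts.scheme)
    reg = registrable_domain(host)
    if reg not in legit_domains:
        match = brand_lookalike(host, brand)
        if match and match[1] <= 1:
            clues.append("lookalike of brand %r: %r (edit distance %d) on "
                         "unrecognised domain %s" % (brand, match[0], match[1], reg))
    if created is not None and observed is not None:
        age = (observed - created).days
        if age < max_age_days:
            clues.append("domain registered %d day(s) before observation" % age)
    return clues


if __name__ == "__main__":
    for clue in assess_url(SCAM_URL, created=parse_whois_date(WHOIS_CREATED),
                           observed=EMAIL_SEEN):
        print("-", clue)
```

Run against the entry's URL and WHOIS date, the script reports all three clues; run against `https://www.southtrust.com/` with no WHOIS date it reports none. The substring comparison is deliberately tolerant of one edit only: a wider threshold would start matching unrelated domains, so in practice the brand list and threshold should be tuned per organisation.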