Anti-Phishing Working Group: e-Bullion- 'e-Bullion accounts investigations'

LATEST NEWS IN THE FIGHT AGAINST PHISHING:

e-Bullion- 'e-Bullion accounts investigations'
01-Mar-2005

Summary

Email title:	'e-Bullion accounts investigations'
Scam target:	e-Bullion members
Sender:	security@e-bullion.com
Sender spoofed/hidden?	Spoofed
Scam goal:	Getting victim's e-Bullion username/password
Phish link method	a 'Click here' type link
Link 'masked'?	Yes
Visible link:	'click here'
Actual link to:	http://e-bullion.safeedible.net/
Phish website hosted on:	safeedible.net

Overview

A very elegant and dangerous 'man in the middle' scam.

E-mail

The email you get is well designed, mildly scary and overally convincing:

Again, as usually, the link is 'masked' and the sender is spoofed, so it looks as the message comes from the legitimate domain.

Another interesting point is the mention of 'SAFEedible' at the bottom - which creates a sense of affiliation with the site later opened.

Web Site

Visible link:	'click here'
Actual link to:	http://e-bullion.safeedible.net/
Phish website hosted on:	safeedible.net

The site looks almost exactly like the original one. The difference is that it offers a 'login' on the main page, while the legitimate takes you to a HTTPS protected page to log in. The URL is suspicious, but remember the sense of affiliation, created by the email:

The really tricky part is that the phish site acts as a 'man in the middle' beween the victim and the legitimate site. It will store the entered information and then it will pass it to the legitimate site's login URL. This way, if a correct information is entered, a normal login into the legitimate site will proceed, and the victim will not notice anything.

The scam site is hosted on a legitimate domain in China. Probably the scammers have obtained remote access to it, using some kind of malware. And there is always the possibility of an 'insider'.