| Summary |
| Email title: | "Internet banking issue" |
| Scam target: | US Bank customers |
| Email format: | HTML e-mail |
| Sender: | service@usbank.com |
| Sender spoofed? | Yes |
| Scam call to action: | "your account information needs to be updated due to inactive members, frauds and spoof reports" |
| Scam goal: | Getting victim's credit card (number/expiration date/CVV2) and ATM PIN |
| Call to action format: | HTML form on a website |
| Visible link: | https://www4.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage |
| Called link: | http://www.adn.org.mx/..%20/cgi/ |
| Resolved site: | http://www.usbank.com@www.adn.org.mx/..%20/cgi/bin/ |
| URL in Internet Explorer: | http://www.usbank.com |
| E-mail |
This is a particularly dangerous phishing case. First off,
the e-mail you get is made to look as unsuspicious
as possible:
- The sender looks legitimate (service@usbank.com);
- The e-mail carries a US Bank logo;
- It does not demand personal information from you
in the e-mail itself; it invites you to log in;
- The link listed is the legitimate US Bank personal
banking login URL (it is actually spoofed, but you
can't see that when you open the message);
- It does not treat you aggressively: there is no mention
of an "immediate" need to comply.
The only thing that could raise your suspicion is the
strange policy itself.
| Web Site |
| Visible link: | https://www4.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage |
| Called link: | http://www.adn.org.mx/..%20/cgi/ |
| Resolved site: | http://www.usbank.com@www.adn.org.mx/..%20/cgi/bin/ |
| URL in Internet Explorer: | http://www.usbank.com |
The site uses a flaw in MS Internet Explorer to make
the page look as if it is on usbank.com. The phisher has copied
all the resources (fonts, pictures) and styles of the legitimate
page and used them to create a very convincing and very
dangerous deception. Very little could tell you that this
is not the official page:
- The bottom of the page says "Connection
secured", while your browser gives no indication that
you are visiting a secure site. The URL in the
address bar also starts with "http",
not with "https";
- The URL says just "www.usbank.com", which
is the domain name but not a real URL (there is no
filename or pointer at the end of it).
Once again, the policy itself is suspicious.
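A defender-side check for the two tells this report describes: link text that does not match the real target, and a bank hostname placed before "@" in the URL. This is an added example, not part of the original report; the class, function and finding names are assumptions, and the sample HTML is constructed from the URLs listed above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, visible):
    """List the ways a link's real target disagrees with the text shown for it."""
    target, shown, findings = urlsplit(href), urlsplit(visible), []
    if target.username is not None:
        # Everything before '@' is userinfo; the browser connects to the host after it.
        findings.append("userinfo-in-url")
    if shown.scheme in ("http", "https") and shown.hostname:
        if shown.hostname != target.hostname:
            findings.append("host-mismatch")
        if shown.scheme == "https" and target.scheme != "https":
            findings.append("scheme-downgrade")
    return findings

def scan_html(body):
    parser = AnchorCollector()
    parser.feed(body)
    return [(href, check_link(href, text)) for href, text in parser.links]

# Constructed e-mail body; the two URLs in the first link are the ones in this report.
SAMPLE = ('<p><a href="http://www.usbank.com@www.adn.org.mx/..%20/cgi/bin/">'
          'https://www4.usbank.com/internetBanking/RequestRouter'
          '?requestCmdId=DisplayLoginPage</a></p>'
          '<p><a href="https://www.usbank.com/">https://www.usbank.com/</a></p>')

if __name__ == "__main__":
    for href, findings in scan_html(SAMPLE):
        print(findings or ["ok"], href)
```

Links whose visible text is not itself a URL are only checked for userinfo, since there is no shown host to compare against.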
| After getting your information, the phish site redirects you to the legitimate US Bank login page. |
WHOIS Data (easy to fake):

Registrant Name:Eastwind Group
Registrant Street1:100 Central Park South, Suite 9E
Registrant City:New York
Domain ID:D70260790-LROR
Domain Name:ADN.ORG
Created On:03-May-2001 10:35:07 UTC
Last Updated On:24-Jul-2003 20:26:02 UTC
Expiration Date:03-May-2004 10:35:07 UTC