Regions Bank- 'Notification about your Regions online account'
21-Apr-2005

Summary
Email title: 'Notification about your Regions online account'
Scam target: Regions Bank customers
Sender: Regions Bank <verification@regions.com>
Sender spoofed/hidden? Spoofed
Scam goal: Getting the victim's regions.com login information (username/password) or SSN
Phish link method: URL link
Link 'masked'? Yes
Visible link: https://secure.regionset.com/EBanking/logon/
Actual link to: http://www.profusenet.net/checksession.php
Resolved URL: http://www.profusenet.net/cmserver/ibsregions/users/default/RegionsBank/logon/EBanking/user.php
Phish site IP: 68.142.234.44

 
Analysis contributed by: Tumbleweed Communications - Message Protection Lab
 
Overview
 
An atypical, single-stage phish. Well designed; it uses an address bar spoof.
 
E-mail
 
The email is convincingly good-looking. The sender and the true destination of the link are not plainly visible, which adds to the effect:
 
 
Web Site
Visible link: https://secure.regionset.com/EBanking/logon/
Actual link to: http://www.profusenet.net/checksession.php
Resolved URL: http://www.profusenet.net/cmserver/ibsregions/users/default/RegionsBank/logon/EBanking/user.php
Phish site IP: 68.142.234.44

 
The phish site immediately loads up an address bar spoof:
 
 
The real URL is NOT what is displayed in the address bar (in fact, the fake address bar is a text field window drawn over the real one). The real URL can be seen on the properties page:
 
 

Another clue is the missing lock icon in the status bar, despite the 'address bar' showing 'https'.

The site accepts anything as a username/password and always returns an error page:

 
 

This is an effective way to collect the information before the victim becomes suspicious.

The site is hosted on a Yahoo server:

 
WHOIS data (for IP 68.142.234.44):

IP Address: 68.142.234.44
IP Location: - California - Foster City - Inktomi Corporation
Blacklist Status: Clear - Last blocked 2005-04-05
Record Type: Domain Name
Name Server: YNS1.YAHOO.COM YNS2.YAHOO.COM
ICANN Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Created: 14-mar-2005
Expires: 14-mar-2006
Status: ACTIVE

Domain Name.......... profusenet.net
Creation Date........ 2005-03-15
Registration Date.... 2005-03-15
Expiry Date.......... 2006-03-15
Organisation Name.... Lisa Jennings
Organisation Address. 2 Cobblestone Court
Organisation Address. Glen Mills
Organisation Address. 19342
Organisation Address. PA
Organisation Address. UNITED STATES

Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com