
Ameritrade - 'Ameritrade Online Application'
22-Apr-2005

Summary
Email title: 'Ameritrade Online Application'
Scam target: Ameritrade customers
Sender: Starting <starting@ameritrade.com>
Sender spoofed/hidden? Spoofed
Scam goal: Getting victim's ameritrade.com login information (username/password)
Phish link method: URL link
Link 'masked'? No
Visible link: www.ameritrading.net
Actual link to: http://www.ameritrading.net/apps/LogIn/
Phish site IP: 198.170.241.25

 
Analysis contributed by: Tumbleweed Communications - Message Protection Lab
 
Overview
 
A single-stage phish. It relies on a domain name similar to the legitimate one rather than on technical tricks.
 
E-mail
 
The email carries few Ameritrade attributes, but given the spoofed sender and the mild tone, it could be convincing.
 
 
Web Site
Visible link: www.ameritrading.net
Actual link to: http://www.ameritrading.net/apps/LogIn/
Phish site IP: 198.170.241.25

 
The site is modelled exactly after the original.
 
 

The only differences are the domain name (which is very close, though) and the missing security certificate: the legitimate site's logon is on an HTTPS page, while this one is an unsecured HTTP page.
As soon as something is entered in the two fields, the browser is redirected to the legitimate site. The phisher's goal is only to capture the login data.
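
A mail-filter check for the three traits this report records (link masking, a lookalike domain, a plain-HTTP target), as an added example that is not part of the original analysis. The protected-domain list, the 0.8 similarity threshold and the naive two-label domain extraction are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the domains this filter protects (the report's scam target).
PROTECTED = {"ameritrade.com"}

def host_of(link):
    """Return the lowercase hostname of a URL or of a bare host string."""
    if "://" not in link:
        link = "//" + link  # lets urlsplit parse 'www.example.net' as a host
    return (urlsplit(link).hostname or "").lower()

def base_domain(host):
    """Naive registrable domain: last two labels (no public-suffix handling)."""
    return ".".join(host.split(".")[-2:])

def lookalike_of(host, protected=PROTECTED, threshold=0.8):
    """Return the protected domain that `host` imitates, or None."""
    dom = base_domain(host)
    if dom in protected:
        return None  # the genuine domain is never a lookalike of itself
    label = dom.split(".")[0]
    for brand in protected:
        brand_label = brand.split(".")[0]
        ratio = SequenceMatcher(None, label, brand_label).ratio()
        if brand_label in label or ratio >= threshold:
            return brand
    return None

def assess_link(visible, actual):
    """Return a list of findings for one link extracted from an e-mail."""
    findings = []
    v_host, a_host = host_of(visible), host_of(actual)
    if v_host and v_host != a_host:
        findings.append("masked: visible host differs from actual host")
    brand = lookalike_of(a_host)
    if brand:
        findings.append(f"lookalike of {brand}: {base_domain(a_host)}")
        if urlsplit(actual).scheme != "https":
            findings.append("actual link uses plain HTTP, not HTTPS")
    return findings

# Visible and actual link values as listed in the report.
REPORT_LINK = ("www.ameritrading.net", "http://www.ameritrading.net/apps/LogIn/")

if __name__ == "__main__":
    for finding in assess_link(*REPORT_LINK):
        print(finding)
```

Because the link in this message is not masked, only the similarity and scheme checks fire; a filter that compared visible text against the link target alone would pass it.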

The site is hosted on a Verio.com (a hosting company) server:

 
WHOIS data (for IP 198.170.241.25) :

SSL Cert: mmp1903.dulles19-verio.com expires in 288 days

Website Status: Active

Server Type: Apache/1.3.31 (Unix) mod_perl/1.29 (Spry.com also uses Apache)

IP Location: - Colorado - Englewood - Verio Inc