
Citizens Bank - 'Citizens Bank Instant 5 USD reward survey'
25-Apr-2005

Summary
Email title: 'Citizens Bank Instant 5 USD reward survey'
Scam target: Citizens Bank customers
Sender: Personal Banking <personalbanking@citizensbank.com>

Sender spoofed/hidden? Spoofed
Scam goal: Getting victim's Citizens Bank debit card information
Phish link method: URL link
Link 'masked'? Yes
Visible link: http://www.citizensbankonline.com/logon/securesurvey.asp
Actual link to: http://211.250.204.133/docs/zens/Citizens%20Bank%20Online%20-%20$%205,00%20Giveaway%20Survey.htm
Resolved URL: http://211.250.204.133/docs/zens/citizens-Survey.htm
Phish site IP: 211.250.204.133

 
Analysis contributed by: Tumbleweed Communications - Message Protection Lab
 
Overview
 
A phish posing as a consumer survey.
 
E-mail
 
The email comes with various attributes of the legitimate bank:
 
 
Presented as a survey, the message seems very harmless, and it has a great chance of luring many recipients to the phish site.
 
Web Site

 
The phish site does look like a simple, legitimate survey, except for the demand for a debit card number:
 
 
The debit card information is demanded with the explanation that 'this is where we will credit your $5 reward'. The real bank, however, would send you to a special page linked to your account (it already knows who you are) and would not demand this information via an unsecured session. This brings us to the next phishing clue, the URL in the address bar:
 
 

While it is likely that a bank would contract the survey out to an external organization, it is unlikely that the survey would be run from just an unnamed IP address.

After the demanded information is submitted (a bogus card number will do; it will not be checked), a final page is displayed:

 
 
The site is located in a school network in Korea:
 
WHOIS data (for IP 198.170.241.25):

IP Location: Korea, Republic Of - Kyonggi-do - Seoul - Sunchon Sungnam Middle School

inetnum: 211.232.0.0 - 211.255.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: 20000908
changed: 20010627
status: ALLOCATED PORTABLE
source: APNIC

person: Host Master
address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address: Seoul, Korea, 137-857
country: KR
phone: +82-2-2186-4500
fax-no: +82-2-2186-4496
nic-hdl: HM127-AP
mnt-by: MNT-KRNIC-AP
changed: 20020507
source: APNIC

inetnum: 211.250.204.128 - 211.250.204.159
netname: PUBNET-PUBNET2000001320-KR
descr: SUNCHON SUNGNAM MIDDLE SCHOOL
descr: 896 IEUBRI SONGKWANGMYUN SUNCHEONSI
descr: CHONNAM
descr: 540-930
country: KR
admin-c: IM46908-KR
tech-c: TM9228-KR
remarks: This IP address space has been allocated to KRNIC.
remarks: For more information, using KRNIC Whois Database
remarks: whois -h whois.nic.or.kr
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: 20050424
source: KRNIC

person: IP MANAGER
descr: SUNCHON SUNGNAM MIDDLE SCHOOL
descr: 896 IEUBRI SONGKWANGMYUN SUNCHEONSI
descr: CHONNAM
descr: 540-930
country: KR
phone: +82-61-754-3937
e-mail:
nic-hdl: IM46908-KR
mnt-by: MNT-KRNIC-AP
changed: 20050424
source: KRNIC

person: TECH MANAGER
descr: SUNCHON SUNGNAM MIDDLE SCHOOL
descr: 896 IEUBRI SONGKWANGMYUN SUNCHEONSI
descr: CHONNAM
descr: 540-930
country: KR
phone: +82-61-754-3937
e-mail:
nic-hdl: TM9228-KR
mnt-by: MNT-KRNIC-AP
changed: 20050424
source: KRNIC