
Marshall & Ilsley Bank - 'Security Update!'
27-Apr-2005

Summary
Email title: 'Security Update!'
Scam target: Marshall & Ilsley Bank customers
Sender: service@mibank.com
Sender spoofed/hidden? Spoofed
Scam goal: Getting victim's Marshall & Ilsley Bank debit card information, SSN, name, email address
Phish link method: URL link
Link 'masked'? Yes
Visible link: https://login.personal.marshall&ilsley.com/logon/logon.asp?dd=1
Actual link to: http://www.marata.com.br/site/flash/cib.ibanking-services.com/cih/index.php
Phish site: 'hijacked'
 
Analysis contributed by: Tumbleweed Communications - Message Protection Lab
 
Overview
 
A phish using a 'hijacked' legitimate site as a host.
 
E-mail
 
The email is quite scary, but not threatening:
 
 
The absence of a legitimate header and footer is suspicious, but both the sender and the URL link are spoofed, so the email could be convincing.
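
A masked link of the kind this email uses (the visible text shows one URL while the href points to another host) can be detected mechanically. The following is an added example, not part of the original analysis: it assumes an HTML email body, and the function name, reason labels and sample markup are constructed for illustration; only the two URLs are taken from this report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body; the two URLs are the ones quoted in this report.
SAMPLE_HTML = (
    '<a href="http://www.marata.com.br/site/flash/'
    'cib.ibanking-services.com/cih/index.php">'
    'https://login.personal.marshall&amp;ilsley.com/logon/logon.asp?dd=1</a>'
)
# Heuristic: a directory segment of the path that looks like a hostname.
# The last segment is skipped later, since file names (index.php) have dots too.
HOST_IN_PATH = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def masked_links(html):
    """Return one finding per anchor whose visible URL and href disagree."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.anchors:
        target = urlparse(href)
        shown = urlparse(text) if "://" in text else None
        reasons = []
        if shown and shown.hostname != target.hostname:
            reasons.append("host_mismatch")
        if shown and shown.scheme == "https" and target.scheme != "https":
            reasons.append("https_shown_http_target")
        if any(HOST_IN_PATH.match(s) for s in target.path.split("/")[:-1]):
            reasons.append("hostname_in_path")
        if reasons:
            findings.append({"shown": text, "target": href, "reasons": reasons})
    return findings
```

Run against the sample, all three reasons fire: the hosts differ, the text promises HTTPS while the target is plain HTTP, and a bank-like hostname sits in a directory of the hijacked site's path.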
 
Web Site
Visible link: https://login.personal.marshall&ilsley.com/logon/logon.asp?dd=1
Actual link to: http://www.marata.com.br/site/flash/cib.ibanking-services.com/cih/index.php
Phish site: 'hijacked'
 
The interesting thing about the phishing site is that it is hosted on the domain of a legitimate enterprise in Brazil. The address bar is not tampered with, so the hosting domain is visible there. Otherwise, it is a fairly plain two-stage phish (a pseudo-login screen, followed by an information request page):
 
 

The presumption is that the scammers have obtained remote access to this server by using some kind of malware.

The second page demands the bulk of the information:

 
 
The ATM number will be superficially checked (with a publicly available formula), but no further checks are made. If the site approves the number, it will redirect to the legitimate bank page, saving the phished information locally.