US Bank - 'Found error! Please resubmit UsBank.com urgenqf'
13-May-2004

Summary
Email title: 'Found error! Please resubmit UsBank.com urgenqf'
Scam target: US Bank clients
Email format: Plain text e-mail
Sender:

Important-UsBadr@UsBank.com

Sender spoofed? No
Scam call to action:

'During our regular update and verification of the Internet Banking Accounts, we could not verify your current information...as a result your access to use our services has been limited...To update your account information and start using our services please click on the link below'

Scam goal: Getting victim's US Bank account, credit card, phone/email/address and SSN information
Call to action format: URL link
Visible link: http://www.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage
Called link:

http://validation-required.info/

E-mail

This message could be quite convincing, although it carries no US Bank logo. The subject line is garbled at the end (a typical spam technique), but the link looks right and is familiar to US Bank customers. The sender address also looks plausible. Given this, an unaware user could easily be tricked into clicking the link.

Web Site
Visible link: http://www.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage
Called link:

http://validation-required.info/

Once the link is clicked, the phish comes into motion. The site that opens uses US Bank's own website style/fonts/pictures (they are even loaded from the official site itself), and looks flawless.
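The difference between the visible link and the called link listed above is the most reliable tell of this phish, and it can be checked mechanically before anyone clicks. The following Python script is an added example, not part of the original report: it parses the anchors of an HTML message body and flags every link whose visible text is itself a URL pointing at a different host than the href actually loads. The HTML fragment is constructed for this example around the two URLs from the report; the function and class names are my own.

```python
"""Flag HTML anchors whose visible text is a URL that points at a different host
than the href actually loads (the visible-vs-called-link mismatch of this phish)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not the original e-mail): the first anchor reproduces
# the visible/called link pair from the report, the other two are controls.
SAMPLE_HTML = """
<p>To update your account information and start using our services
please click on the link below</p>
<a href="http://validation-required.info/">http://www.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage</a>
<a href="http://www.usbank.com/">http://www.usbank.com/</a>
<a href="http://validation-required.info/">click here</a>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of an absolute URL, or None when the string has no
    scheme/host (plain words such as 'click here' yield None)."""
    try:
        return urlparse(url.strip()).hostname
    except ValueError:
        return None


def same_site(shown, real):
    """True when the hosts are equal or one is a subdomain of the other,
    so www.usbank.com shown for usbank.com is not treated as a mismatch."""
    return shown == real or shown.endswith("." + real) or real.endswith("." + shown)


def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the text is a URL whose host
    differs from the host the href really points to."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    mismatches = []
    for href, text in parser.anchors:
        shown, real = host_of(text), host_of(href)
        if shown and real and not same_site(shown, real):
            mismatches.append((text, href))
    return mismatches


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print(f"MISMATCH: shown {text!r} but loads {href!r}")
```

Anchors whose text is not a URL ('click here') are deliberately left alone, since there is nothing to compare them against; they still deserve a look at the status bar, as the report notes further down. On the sample body only the report's own link pair is flagged.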

To cover the most obvious sign of phishing, a URL that does not match the original, a special trick is used. The phish draws a window over the victim's Internet Explorer address bar using a Java applet (note that this technique is browser specific).

This is a close-up of the faked address bar:

[screenshot: close-up of the faked address bar, not reproduced here]

Note that this 'replacement' of the address bar is not perfect. This gives a chance to recognize the phish before it is too late. Noticing it, however, requires a level of attention to detail that is not common among ordinary internet users.

After the victim clicks 'next' on the first page, the second phish page loads. It is here that the phish demands the personal information from the victim.

Note: although the address bar is covered, the status bar remains correct. When clicking 'next' on the first page, one can notice the 'loading http://validation-required.info/...' message in the status bar.

This is the second phish attack that uses this technique. Besides being a very dangerous phish in itself, it carries an even greater danger: it exploits security holes that allow the phisher to execute code on the victim's machine. This could be used to install other malware (trojans, keyloggers, etc.).

WHOIS Data: [ ISP Organization Information ]
Org Name : Enterprise Networks
Service Name : ENTERPRISENET
Org Address : GNG IDC B/D, 343-1 Yhatap-dong, Pundang-gu, Seongnam

[ ISP IP Admin Contact Information ]
Name : Hyo-Sun, Chang
Phone : +82-2-2105-6082
Fax : +82-2-2105-6100
E-Mail : ip@epnetworks.co.kr