Fleet - 'Online banking - protect yourself from internet fraud'
15-Jun-2004
| Summary |
| Email title: | Online banking - protect yourself from internet fraud |
| Scam target: | Fleet bank customers |
| Email format: | HTML email |
| Sender: | servicebluefish@fleet.com |
| Sender spoofed? | Yes |
| Scam call to action: | 'As part of our ongoing commitment to protect your account and to reduce the instance of fraud on our website, we have introduced a new special FraudAction Detection Program...We have already enrolled your account in this Program. Membership is free, however, in order to authenticate your enrollment please confirm your account details below...' |
| Scam goal: | Getting victim's Fleet credit card number/ATM |
| Call to action format: | a 'Click here' type link |
| Visible link: | 'FraudAction Detection Program' in the email, 'http://fleethomelink.fleet.com' in the status bar when mouse cursor moves over the link. |
| Called link: | http://fleethomelink.fleet.com%1@202.96.108.138/www/fl/verify.html |
| Phish site: | 202.96.108.138/www/fl/verify.html |
| E-mail |
This email has a nice Fleet logo, a convincing sender address, and a clever link. A script in the HTML code of the message keeps the phishing URL from appearing in the status bar and replaces it with the URL of the legitimate Fleet homepage.
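An added example, not part of the original report: a Python check that a mail filter or analyst could run over links extracted from a message, flagging the traits of the called link in the summary (userinfo before '@' that mimics a hostname, an odd '%' escape, an IP-literal host, and a shown URL whose host differs). The function names and finding labels are this example's own assumptions; the two sample URLs are taken from the report.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# %00-%1F escapes, or a '%' not followed by two hex digits (such as "%1")
_ODD_ESCAPE = re.compile(r"%[01][0-9A-Fa-f]|%(?![0-9A-Fa-f]{2})")
# Userinfo that starts like a dotted hostname, e.g. "bank.example.com"
_HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def real_host(url):
    """Host the browser connects to: the part of the authority after the last '@'."""
    return (urlsplit(url).hostname or "").lower()

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyze_link(href, shown_url=None):
    """Return finding labels (names chosen for this example) for one link.

    href:      the URL the link actually calls
    shown_url: the URL presented to the reader (status bar or link text), if any
    """
    findings = []
    userinfo, at, _ = urlsplit(href).netloc.rpartition("@")
    host = real_host(href)
    if at:
        findings.append("userinfo-present")
        if _HOSTLIKE.match(userinfo):
            findings.append("userinfo-mimics-hostname")
        if _ODD_ESCAPE.search(userinfo):
            findings.append("control-or-malformed-escape")
    if is_ip_literal(host):
        findings.append("ip-literal-host")
    if shown_url and real_host(shown_url) != host:
        findings.append("shown-host-differs")
    return findings

# Sample values taken from the summary table of this report
CALLED = "http://fleethomelink.fleet.com%1@202.96.108.138/www/fl/verify.html"
SHOWN = "http://fleethomelink.fleet.com"

if __name__ == "__main__":
    print(real_host(CALLED), analyze_link(CALLED, SHOWN))
    print(analyze_link(SHOWN, SHOWN))
```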
| Web Site |
The phish site is designed using the style and resources of Fleet bank's legitimate site. The page is well designed and could easily trick the common user.
[Image: screenshot of the phish site]
The URL in the address bar is also worth noting:
[Image: screenshot of the browser address bar, with part of the URL marked by a red square]
If you haven't updated your browser, do so. Otherwise you will not see the part of the URL that is in the red square, and that could very much leave you at the scammer's mercy.
However, the phish does not check the validity of the information you enter. After the 'OK' button is pushed, the following page opens:
[Image: screenshot of the exit page]
This exit screen's function is to further 'throw some dust in your eyes', to keep you from becoming suspicious.
WHOIS (hosting server) Data:
inetnum: 202.96.108.0 - 202.96.108.255
netname: CHINANET-ZJ-JH
descr: CHINANET-ZJ Jinhua node network
descr: Zhejiang Telecom
country: CN
admin-c: CZ4-AP
tech-c: CJ54-AP
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-CHINANET-ZJ
mnt-lower: MAINT-CN-CHINANET-ZJ-JH
changed: master@dcb.hz.zj.cn 20031205
source: APNIC