| Summary | |
| --- | --- |
| Email title: | Online banking issue |
| Scam target: | Bank One clients |
| Email format: | HTML email |
| Sender: | spoof@bankone.com |
| Sender spoofed? | Yes |
| Scam call to action: | 'Due to concerns, for the safety and integrity of the online banking community we have issued this warning message...It has come to our attention that your account information needs to be updated due to frauds and spoof reports...However, failure to update your records will result in account deletation...Please follow the link below and renew your account information.' |
| Scam goal: | Getting the victim's credit card number, expiration date and CVV; ATM PIN |
| Call to action format: | URL link |
| Visible link: | https://www.bankone.com/bank/BolLogin.aspx |
| Called link: | http://afterburner.vosn.net/~gvk/cgi-bin/.bankone/ |
| Phish sites: | http://afterburner.vosn.net/~gvk/cgi-bin/.bankone/ <br> http://www.gvkbio.com/~gvk/cgi-bin/.bankone/ <br> http://www.malmotek.com/~gvk/cgi-bin/.bankone/ |
**E-mail**

This message uses a tested and proven phishing method while cunningly covering its tracks. It comes from a spoofed (legitimate-looking) sender, carries a Bank One logo, and gently but firmly persuades you to click on the link. The URL shown in the message looks fine. But the message is HTML, which lets the phisher attach a script to the link (typically an onMouseOver handler writing to window.status) that overrides what the browser shows in the status bar: the script puts the legitimate URL there instead of the phishing URL the link actually points to. The phishing URL therefore stays hidden from anyone who does not open the HTML source, and the odds are that most people won't.

[Image: …_email.jpg (the phishing e-mail)]
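The status-bar trick described above, as an added example that is not part of the original page: a constructed e-mail body modelled on the description (the exact markup, the onMouseOver handler and the second "Privacy policy" link are assumptions built from the URLs in the summary table), and a small checker that extracts every anchor and compares the real href with the URL shown as link text and with any URL a `window.status` assignment would push into the status bar. Any mismatch between the three is exactly the signature this message relies on.

```javascript
// Added example, not code from the original page: flags the status-bar
// override trick in an HTML e-mail. Three things are compared for every
// <a> tag: the real href, the URL displayed as the link text, and the URL
// an onMouseOver "window.status=..." assignment would show in the status bar.

const ANCHOR_RE = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
const STATUS_RE = /window\.status\s*=\s*(['"])(.*?)\1/i;

// Constructed sample, modelled on the Bank One message described on this
// page: the link text and the status-bar text show the bank, the href does not.
const SAMPLE_EMAIL = `
<html><body>
<p>Dear Bank One client, please follow the link below and renew your
account information.</p>
<p><a href="http://afterburner.vosn.net/~gvk/cgi-bin/.bankone/"
      onMouseOver="window.status='https://www.bankone.com/bank/BolLogin.aspx'; return true;"
      onMouseOut="window.status=''; return true;">https://www.bankone.com/bank/BolLogin.aspx</a></p>
<p><a href="https://www.bankone.com/privacy">Privacy policy</a></p>
</body></html>`;

// Hostname of a URL, or null when the string is not a URL at all
// (plain link text such as "Privacy policy").
function hostOf(s) {
  try { return new URL(s.trim()).hostname.toLowerCase(); } catch (e) { return null; }
}

// Minimal attribute parser for the inside of one tag (quoted or bare values).
function parseAttrs(attrText) {
  const attrs = {};
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns one finding per deceptive anchor: the href, the visible text,
// the status-bar URL the script would display, and the reasons it was flagged.
function findSuspiciousLinks(html) {
  const findings = [];
  ANCHOR_RE.lastIndex = 0;
  let m;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const href = attrs.href || '';
    const text = m[2].replace(/<[^>]+>/g, '').trim();
    const statusMatch = STATUS_RE.exec(attrs.onmouseover || '');
    const statusUrl = statusMatch ? statusMatch[2] : null;
    const hrefHost = hostOf(href);
    const textHost = hostOf(text);
    const statusHost = statusUrl ? hostOf(statusUrl) : null;
    const reasons = [];
    if (hrefHost && textHost && textHost !== hrefHost) {
      reasons.push(`link text shows ${textHost} but href goes to ${hrefHost}`);
    }
    if (hrefHost && statusHost && statusHost !== hrefHost) {
      reasons.push(`onMouseOver rewrites the status bar to ${statusHost}`);
    }
    if (textHost && /^https:/i.test(text) && /^http:/i.test(href)) {
      reasons.push('link text promises https but href is plain http');
    }
    if (reasons.length) findings.push({ href, text, statusUrl, reasons });
  }
  return findings;
}

// Stand-alone run: prints the one deceptive link in the sample.
for (const f of findSuspiciousLinks(SAMPLE_EMAIL)) {
  console.log(`${f.text} -> ${f.href}`);
  for (const r of f.reasons) console.log('  ' + r);
}
```

Current browsers and mail clients ignore scripted writes to window.status, so the handler itself no longer fools anyone; the link-text-versus-href comparison, however, is still the single most useful check for this family of messages. The regex-based parsing is adequate for triage of a mail body but is not a full HTML parser; for bulk processing feed the body to a real parser and apply the same three comparisons.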
**Web Site**

Visible link: https://www.bankone.com/bank/BolLogin.aspx

Called link: http://afterburner.vosn.net/~gvk/cgi-bin/.bankone/

Phish sites:
- http://afterburner.vosn.net/~gvk/cgi-bin/.bankone/
- http://www.gvkbio.com/~gvk/cgi-bin/.bankone/
- http://www.malmotek.com/~gvk/cgi-bin/.bankone/
The site is an exact replica of the Bank One homepage, with the exception of the login area.

[Image: …_site.jpg (the phishing site)]

Note that even though the page says 'your update is secured', your browser gives no indication of being on a secure site: the page is served over plain http, so there is no padlock and no certificate to inspect. An even more obvious sign of phishing is the URL in your address bar:

[Image: …_adrbar.jpg (the address bar showing the phishing URL)]
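The address-bar checks the note above points to, as an added example that is not part of the original page: structural tests on the URL the victim lands on (no https, a per-user ~user directory, a hidden dot-directory, the bank's name in the path rather than in the host), run over the three phish URLs and the genuine login URL from the summary table. The brand token and the wording of the indicators are my assumptions. The block also computes the path the phish URLs share across hosts, which bears on the investigation that follows.

```javascript
// Added example, not code from the original page: structural checks on the
// URL a victim sees in the address bar after clicking. No single indicator
// proves a phish, but the combination seen in this case is typical.

const BRAND = 'bankone'; // brand token for this case study (assumed spelling)

// Returns a list of human-readable indicators for one URL (empty = nothing odd).
function addressBarIndicators(urlString, brand = BRAND) {
  const u = new URL(urlString);
  const host = u.hostname.toLowerCase();
  const path = u.pathname.toLowerCase();
  const indicators = [];
  if (u.protocol !== 'https:') {
    indicators.push('not https: no padlock and no certificate to check');
  }
  if (/^\/~[^/]+/.test(path)) {
    indicators.push('served from a per-user ~user directory, not a site root');
  }
  if (path.split('/').some(seg => seg.length > 1 && seg.startsWith('.'))) {
    indicators.push('hidden dot-directory in the path');
  }
  if (path.includes(brand) && !host.split('.').includes(brand)) {
    indicators.push(`"${brand}" appears in the path but not as a label of the host`);
  }
  return indicators;
}

// Longest path prefix (by segment) shared by all URLs; '' when they share none.
function commonPath(urls) {
  const paths = urls.map(s => new URL(s).pathname.split('/'));
  const first = paths[0];
  let n = 0;
  while (n < first.length && paths.every(p => p[n] === first[n])) n++;
  return first.slice(0, n).join('/');
}

// The genuine login URL and the three phish URLs reported on this page.
const CASE_URLS = [
  'https://www.bankone.com/bank/BolLogin.aspx',
  'http://afterburner.vosn.net/~gvk/cgi-bin/.bankone/',
  'http://www.gvkbio.com/~gvk/cgi-bin/.bankone/',
  'http://www.malmotek.com/~gvk/cgi-bin/.bankone/',
];

// Stand-alone run: the genuine URL yields no indicators, each phish URL four.
for (const url of CASE_URLS) {
  console.log(url);
  for (const i of addressBarIndicators(url)) console.log('  ' + i);
}
console.log('shared phish path:', commonPath(CASE_URLS.slice(1)));
```

The identical `/~gvk/cgi-bin/.bankone/` path on three different hosts is what one would expect when a single Unix account's web directory is reachable through several virtual hosts on the same server; that is an inference from the URL structure, not something the page establishes, but it would explain the cross-mirrored sites described below without any of the named companies being involved.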
And this is where things start becoming really weird.

Vosn.net is a mailing list site. Such sites are always on the fringe of spamming, since they launch mass-mail campaigns, often with a spammy smell. That's why the vosn.net homepage is so defensive: they should be getting quite a lot of spam complaints. But what is afterburner.vosn.net? I went a little back in the path of the URL, and I saw this:

[Image: …_afterburner redirect to malmotek.jpg (afterburner.vosn.net redirecting to malmotek.com)]
Notice the line at the bottom: it says this is the server of malmotek.com. Well, this is strange. I looked up Malmotek on Google and it turned out to be a real flesh-and-blood company. So I went deeper into the path of the URL. And was I surprised when I saw this:

[Image: …_gvk mirror.jpg (mirror of gvkbio.com)]
This site turned out to be a mirror of the site of another legitimate company, GVK Biosciences (gvkbio.com). Why would the phisher do this? And then I went to afterburner.vosn.net. This is what I saw:

[Image: …_malmotek mirror.jpg (mirror of malmotek.com)]
What do you know! A mirror of the malmotek.com site. At this point, this becomes interesting. Having in mind the earlier occurrence of malmotek, I tried a little experiment. Check this out:

[Image: …_gvk mirror at malmotek.jpg (mirror of gvkbio.com hosted on malmotek.com)]
Isn't this strange? A mirror of gvkbio.com on malmotek.com. And I didn't see anything implying any connection between these companies. To take the experiment further, I pasted the path to the phish page after the legitimate domains malmotek.com and gvkbio.com. Take a look at what came up (pay attention to the URLs):

[Image: …_site-malmotek.jpg (the phish page served from malmotek.com)]
and this:

[Image: …_site-gvk.jpg (the phish page served from gvkbio.com)]

Both of these sites host the phish! This should definitely be investigated further. Please check back, there will be an update soon.