29-Jun-2004
| Summary | |
| --- | --- |
| Email subject: | 'Your account at Wells Fargo has been suspended' |
| Scam target: | Wells Fargo customers |
| Email format: | HTML email |
| Sender: | services@wellsfargo.com |
| Sender spoofed? | Yes |
| Scam call to action: | 'We regret to inform you, that we had to block your Wells Fargo account because we have been notified that your account may have been compromised by outside parties. We have noticed some activity related to your account that indicates that other parties may have access and or control of your information in your account.... In order that you may access your account we must verify your identity by clicking on the link below...Please be aware that until we can verify your identity...' |
| Scam goal: | Getting the victim's wellsfargo.com username/password; credit card information, bank account information, personal information (name, address, phone number, e-mail, etc.) |
| Call to action format: | URL link |
| Visible link: | https://online.wellsfargo.com/?LOB=CONS |
| Phish URL (encoded, as it appears in the message): | http://online.wellsfargo.com@%32%31%38.%35%31.%31%35%32.%31%36%39:%37%33%30%31/%77%65%6C%6C%73.%68%74%6D |
| Phish URL (decoded): | http://online.wellsfargo.com@218.51.152.169:7301/wells.htm |
| Phish site: | 218.51.152.169:7301 |
E-mail
This phish message bears many similarities to the one reviewed yesterday, an attack against eBay. Both use partially hex-encoded URLs, and both phish sites are contacted on port 7301, which suggests that the perpetrators of these attacks are somehow connected, if not the same person(s). The appearance of two such attacks, against different targets and within a short time, suggests that such waves will continue in the future. The phishers will most likely change sites and targets, but the approach will remain the same until people stop falling for it. Then they will move on to another tactic.

As for the message itself: like the one reviewed yesterday, it is well designed. It does not feature any logos or graphics, however, and the tone toward the victim is considerably harsher. Still, the spoofed sender looks plausible, and given the encoded URL (visible in the yellow area), this is a dangerous phish, especially for Internet users with old browser versions.
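One way to surface the tricks this link relies on, as an added example that is not part of the original analysis: a small Python routine that percent-decodes the href, separates the decoy userinfo from the host the browser will really contact, and compares the result with the visible link. The sample input is constructed from the two URLs listed above; all function names are this example's own.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

# Constructed sample input: the visible link and the href from the
# message analysed above (the encoded URL joined onto one line).
VISIBLE_LINK = "https://online.wellsfargo.com/?LOB=CONS"
PHISH_HREF = (
    "http://online.wellsfargo.com@%32%31%38.%35%31.%31%35%32.%31%36%39"
    ":%37%33%30%31/%77%65%6C%6C%73.%68%74%6D"
)


def is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(visible: str, href: str) -> dict:
    """Decode an anchor's href and list the deception indicators it carries.

    Returns the decoded URL, the host/port/path the browser really
    contacts, and a list of indicator strings (empty for a benign link).
    Decoding the whole URL before parsing is a deliberate simplification
    for this message; a production parser should decode per component."""
    raw = urlsplit(href)
    decoded = unquote(href)
    real = urlsplit(decoded)
    shown = urlsplit(visible)
    indicators = []
    if "%" in raw.netloc:
        indicators.append("percent-encoded host or port in the href")
    if real.username and "." in real.username:
        indicators.append(f"userinfo '{real.username}' imitates a hostname")
    if real.hostname and is_ip_literal(real.hostname):
        indicators.append("target host is a raw IP address")
    if shown.hostname and shown.hostname != real.hostname:
        indicators.append(f"visible host {shown.hostname} != real host {real.hostname}")
    if shown.scheme == "https" and real.scheme != "https":
        indicators.append("visible link is HTTPS but the target is not")
    return {"decoded": decoded, "host": real.hostname, "port": real.port,
            "path": real.path, "indicators": indicators}


if __name__ == "__main__":
    result = inspect_link(VISIBLE_LINK, PHISH_HREF)
    print(result["decoded"])
    for flag in result["indicators"]:
        print(" -", flag)
```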
[Image: email.jpg]
Web Site
The first page is, again, a login page. It is a complete replica of the original page, and the only way to tell it apart is the URL. And the URL will only differ from the legitimate one if your browser is recently updated (see yesterday's analysis for examples with different browsers).
[Image: site.jpg]
Notice that the phish checks neither the validity of the data you enter (the email address, for example) nor its legitimacy against the real wellsfargo.com. This is the most obvious weakness of this phish.
When the 'Continue' button is clicked, the next phish page opens:
[Image: site2.jpg]
Note that the phish does not require excessive amounts of information, which could make the victim suspicious. At this point there is another clue that a scam is taking place: there is no indication whatsoever that this is an SSL-secured page, and a legitimate institution would not allow personal information to be transferred over an insecure connection. And again, the information entered is not validated at all.
When the form is submitted, the phish shows a 'confirmation' page...
[Image: site3.jpg]
... and redirects to the legitimate wellsfargo.com:
[Image: site4.jpg]
To conclude: this is a phish that is especially dangerous for users with old browser versions. It is expected to diversify and proliferate in the coming days and weeks. Stay alert.
WHOIS data:
IP : 218.51.152.169
Org Name : Hanaro Telecom Inc.
Service Name : HANANET
Org Address : Shindongah Bldg., 43 Taepyeongno2-Ga Jung-Gu
ISP IP Admin Contact Information:
Name : IP Administrator
Phone : +82-2-106-2
Fax : +82-2-6266-6483
E-Mail : ip-adm@hanaro.com