
NCUA - '*** WARNING: Security Issues ***'
04-July-2005

Summary
Email title: '*** WARNING: Security Issues ***'
Scam target: Credit Union customers
Sender: service@ncua.gov

Sender spoofed/hidden? Spoofed
Scam goal: Getting the victim's credit card information and ATM PIN
Phish link method: URL link
Link 'masked'? Yes
Visible link: Click here to update your account
Actual link to: http://vds-364313.amen-pro.com/www.ncua.gov/update_card.htm
Phish site IP: 61.75.15.77

 
Analysis contributed by: APWG  
 
Overview
 
This scam uses the NCUA name to try to phish anyone with an account at *any* Federal Credit Union.
 
E-mail
 
The email is quite well designed.
 
 

The sender is well spoofed, and the link is hidden. The policy described in the message is worded to urge action but not to threaten, so it could be persuasive.

The scary thing is that this one meta-brand could be used to attack any of the 33 million credit union customers in the USA.

 
Web Site
Visible link: Click here to update your account
Actual link to: http://vds-364313.amen-pro.com/www.ncua.gov/update_card.htm
Phish site IP: 62.193.219.116 (Still online as of July 9, 2005)

 

When the phish site opens up, it looks almost exactly like the legitimate login page. However, a few important clues can be noticed:

  • The suspicious URL in the address bar, which is not hidden with any technical tricks;
  • The absence of the 'lock' icon in the status bar that would indicate a secure HTTPS session.
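
The two clues above, together with the spoofed sender and the masked link text, can be checked mechanically on the e-mail before anyone clicks. The following Python sketch is an added example, not part of the original APWG analysis; the function `scan_email`, the flag names, the `BRANDS` list and the second sample link are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRANDS = {"ncua.gov"}  # assumption: domains the defender wants to protect
# Constructed sample: first anchor is the report's link, second is invented.
SAMPLE_HTML = (
    '<a href="http://vds-364313.amen-pro.com/www.ncua.gov/update_card.htm">'
    "Click here to update your account</a>"
    '<a href="https://www.ncua.gov/">NCUA home</a>'
)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def on_domain(host, domain):  # host is the domain itself or a subdomain of it
    return host == domain or host.endswith("." + domain)

def scan_email(sender, html, brands=BRANDS):
    """Return [(href, flags)]; links that really go to a brand get no flags."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    collector = AnchorCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        url = urlsplit(href)
        host, flags = (url.hostname or "").lower(), []
        if not any(on_domain(host, b) for b in brands):
            checks = [
                ("host-differs-from-sender", not on_domain(host, sender_domain)),
                ("brand-in-path", any(b in url.path.lower() for b in brands)),
                ("not-https", url.scheme != "https"),
                ("masked", host not in text.lower()),  # text hides the real host
            ]
            flags = [name for name, hit in checks if hit]
        report.append((href, flags))
    return report
```

Calling `scan_email("service@ncua.gov", SAMPLE_HTML)` raises all four flags on the phishing link and none on the link that actually points at ncua.gov.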
 
 
The phish site is hosted on a server registered in Paris:
 
WHOIS data (for IP 62.193.219.116) :

Registrant: AMEN 12 Rond-point Des Champs-elysses PARIS 75008 FR

Domain Name: AMEN-PRO.COM

Administrative Contact: amen@amen.fr 12 Rond-point Des Champs-elysses PARIS 75008 FR 0892 55 66 77 fax: 01 40 87 76 89

Technical Contact: internic@amen.fr 12-14 rond point des Champs Elysees Paris France 75008 FR 33 892 55 66 77

Record expires on 03-Oct-2006.

Record created on 03-Oct-2001.

Database last updated on 9-Jul-2005 15:14:59 EDT.

Domain servers in listed order: PARIS.AMEN.FR NS2.AMEN.FR