04-Aug-2004
| Summary |
| Email subject: |
'Confirm your account information' |
| Scam target: |
US Bank customers |
| Distribution medium: |
an HTML email |
| Sender: |
services@customercenter.net |
| Sender type (spoofed, social engineered, webmail) |
Social engineered |
| Scam call to action: |
'your account information needs to be updated due to frauds and spoof reports... we have noticed some activity related to your account that indicates that other parties may have access and or control of your information...you are limited to five failed login attempts in a 24-hour period. You have exceeded this number of attempts...Please follow the link below and renew your account information...' |
| Scam goal: |
Getting victim's usbank.com username/password, credit/debit card number, PIN, exp. date, CCV |
| Call to action format: |
URL link |
| Visible link: |
https://www4.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayOnlineBanking |
| Called link: |
http://www.motopilot.it/InternetBanking/RequestRouter/?requestCmdId=DisplayLoginPage |
| Phish site on: |
http://www.motopilot.it/ |
|
| |
| E-mail |
| |
| This is quite a dangerous phish, even though the message itself is rather suspicious: the tone is frantic and scare-mongering, and it does not seem to come from usbank.com directly. The link, however, looks convincing: |
| |
[Screenshot: the phishing e-mail]
| |
| Web Site |
| |
| The site is much more dangerous. It uses one of the best-looking address bar forgeries seen until now: JavaScript places a window over the address bar to obscure it. It is only recognizable by a small 'dent' at the end of the overwriting window: |
| |
[Screenshot: phish site with the forged address bar]
| |
The absence of a lock symbol should also be a hint that you are not on a secure HTTPS page, as the phish claims.
After 'logging in', the real URL appears for a while, but the attention of the victim is drawn by a pop-up: |
| |
[Screenshot: the pop-up]
| |
| Then, the second phish page shows up - it uses the address bar forgery, too. This phish chooses not to demand a lot of information from you, which makes it less suspicious at this phase: |
| |
[Screenshot: the second phish page]
| |
| It should be noted that the phish does check whether the right number of digits is entered in every field. If not, the following page is displayed: |
| |
[Screenshot: the verification error page]
| |
But the validity of the data itself is not checked, of course. Any combination of digits will be accepted by the phish.
When it is satisfied, a couple of logout screens appear - to create the illusion that some processing has taken place: |
| |
[Screenshot: first logout screen]
| |
| And then: |
| |
[Screenshot: second logout screen]
| |
| As you see, this is quite an elaborate and dangerous scheme, and since it is widespread, a high level of awareness is necessary to escape the phishing trap, especially for novice users. |
| |
| WHOIS data: |
domain: motopilot.it;
org: Leonardo Computer Multimedia System
descr: Leonardo Computer Multimedia System
admin-c: LC114-ITNIC
tech-c: SC279-ITNIC
postmaster: SC279-ITNIC
zone-c: SC279-ITNIC
nserver: 62.149.128.2 dns.technorail.com
nserver: 62.149.132.2 dns2.technorail.com
dom-net: 62.0.0.0
mnt-by: TECHNORAIL-MNT
changed: webmaster@technet.it 20010718
source: IT-NIC
person: Lorenzo Carroccia
address: Via Pellegrini snc
address: 04010 Sonnino
phone: +39 077 3907026
fax-no: +39 077 3907026
e-mail: info@leosys.biz
nic-hdl: LC114-ITNIC
changed: webmaster@technet.it 20020726
source: IT-NIC
person: Stefano Cecconi
address: Technorail s.r.l. Piazza Garibaldi 8
address: 52010 soci (AR)
phone: +39 0575 51571
fax-no: +39 0575 562849
e-mail: webmaster@technet.it
nic-hdl: SC279-ITNIC
notify: webmaster@technet.it
mnt-by: TECHNORAIL-MNT
changed: webmaster@technet.it 20040220
source: IT-NIC |