
Wells Fargo - 'Notice Wells Fargo Internet Online Account record update'
19-Aug-2004

Summary
Email subject: 'Notice Wells Fargo Internet Online Account record update'
Scam target: Wells Fargo customers
Distribution medium: an HTML email
Sender: wellsfargo-Notice-Urgeci@wellsfargo.com
Sender type (spoofed, social engineered, webmail, hijacked): Spoofed
Scam call to action: 'During our regular update and verification of the Internet Banking Accounts, we could not verify your current information... Please update your information... To update your account information and start using our services please click on the link below...'
Scam goal: Obtaining the victim's Wells Fargo website username/password, credit card information, and email address.
Call to action format: URL link
Visible link: http://www.wellsfargo.com/per/checking/

Called link: http://www.mortconf.info/vti/xi/index.html
Phish site on: mortconf.info
 
E-mail
 
This phish message tries hard to convince you of its authenticity. It appears to come from a legitimate sender (the address is spoofed). It has a Wells Fargo logo, and the link looks nice too, along with a 'security key':
 
 
Web Site
Visible link: http://www.wellsfargo.com/per/checking/

Called link: http://www.mortconf.info/vti/xi/index.html
Phish site on: mortconf.info
 
The site itself uses an address bar overwriting technique: it uses JavaScript to draw a window above the IE address bar:
 
 
The site, however, does not feature a login screen - it is just a single page asking for your personal information. This should be suspicious.

The site does check whether all the fields have something entered in them. It cannot, of course, check the legitimacy of the data.

But the logout screen that appears does not feature the address bar 'overwriting' technique and the real URL can be seen:
 
 
The phish site is hosted on a server of what looks like a legitimate company. The server could have been trojaned.
 
WHOIS data:

Domain ID:D6118393-LRMS
Domain Name:MORTCONF.INFO
Created On:09-Aug-2004 07:44:13 UTC
Last Updated On:09-Aug-2004 08:00:37 UTC
Expiration Date:09-Aug-2006 07:44:13 UTC
Sponsoring Registrar:R161-LRMS
Status:ACTIVE
Status:OK

Name Server:NS2.BEST-GIFTS.BIZ
Name Server:NS3.MAIL18.BIZ