US Bank - 'notice: Us Bank'
25-Aug-2004

Summary
Email subject: 'notice: Us Bank', could have 'URGENT' added.
Scam target: US Bank clients
Distribution medium: an HTML email (click here for the HTML code of the message itself)
Sender:

'USBank <USBank@usbank.com>'

Sender type (spoofed, social engineered, webmail, hijacked): Spoofed
Scam call to action: '...we've added this important new feature concerning access to your accounts online...login immediately to your account...'
Scam goal: Getting victim's debit card number, PIN and expiration date
Call to action format: URL link
Visible link:

http://www.usbank.com./internetBanking./RequestRouter?requestCmdId=DisplayLoginPage

Called link: http://www.usbank-secure.biz/
Phish site on: http://www.usbank-secure.biz/
 
E-mail
 
This phish message is spreading like wildfire. The scam, though not very sophisticated, is cunning enough to fool a wide section of the public:
 
 
The HTML code of the message puts a legitimate-looking link in the status bar every time the mouse cursor hovers over the link. In fact, the link itself does NOT lead to a legitimate URL.
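A mail filter can catch this mismatch by comparing the host a link displays with the host it actually calls. The following is an added example, not part of the original report: the sample markup is constructed from the two URLs listed above, and the `onmouseover`/`window.status` handler is an assumption about how the message sets the status bar text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)

def host(url):
    """Hostname in lower case without a trailing dot; '' if unparsable."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return ""

class LinkAuditor(HTMLParser):
    """Flags <a> elements whose visible text, or whose status-bar script,
    shows a URL on a different host than the href really points to."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (where_shown, shown_host, real_host)
        self._cur = None     # (href, event-handler text, visible text chunks)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            handlers = " ".join(v or "" for k, v in attrs if k.startswith("on"))
            self._cur = (dict(attrs).get("href") or "", handlers, [])

    def handle_data(self, data):
        if self._cur:
            self._cur[2].append(data)

    def handle_endtag(self, tag):
        if tag != "a" or not self._cur:
            return
        href, handlers, chunks = self._cur
        self._cur = None
        real = host(href)
        status = handlers if "status" in handlers.lower() else ""
        for where, blob in (("visible-text", "".join(chunks)), ("status-bar", status)):
            for shown in map(host, URL_RE.findall(blob)):
                if shown and shown != real:
                    self.findings.append((where, shown, real))

def audit(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample markup (assumption), built from the URLs in this report.
SAMPLE = ('<a href="http://www.usbank-secure.biz/" onmouseover="window.status='
          "'http://www.usbank.com./internetBanking./RequestRouter';return true\">"
          "http://www.usbank.com./internetBanking./RequestRouter?requestCmdId=DisplayLoginPage</a>")
```

`audit(SAMPLE)` returns one finding for the visible text and one for the status bar text, each pairing the displayed host `www.usbank.com` with the called host `www.usbank-secure.biz`.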
 
Web Site
Visible link:

http://www.usbank.com./internetBanking./RequestRouter?requestCmdId=DisplayLoginPage

Called link: http://www.usbank-secure.biz/
Phish site on: http://www.usbank-secure.biz/
 
This phish site also uses the address bar spoofing technique, now very popular among phishers. The address bar is 'overwritten' by a window in which a legitimate-looking link is displayed. In this case, the forgery is not a very good one:
 
 
You can see the 'h' at the beginning of the original address bar's URL showing.
 
The site itself could be quite suspicious - demanding credit card information to 'login':
 
 
It will even check the credit card number you enter. It cannot verify its validity, but it can check whether it is in a legitimately used number range. When it isn't (for example, when you've entered some random bogus number), it will show this:
 
 
The phish domain is registered in Brazil:
 
WHOIS data:

Domain Name: USBANK-SECURE.BIZ
Domain ID: D7530751-BIZ
Sponsoring Registrar: GO DADDY SOFTWARE, INC.
Domain Status: ok
Registrant ID: GODA-07675458
Registrant Name: Leni Neto
Registrant Organization: BR IT Consulting
Registrant Address1: Av Cons Nebias, 340 Cj 64
Registrant City: Santos
Registrant State/Province: Sao Paulo
Registrant Postal Code: 11015-002
Registrant Country: Brazil
Registrant Country Code: BR