Washington Mutual - 'Suspicious payment.Read now.'
15-Sep-2004

Summary
Email title: Suspicious payment.Read now.
Scam target: Washington Mutual members
Email format: HTML e-mail
Sender: "Washington Mutual Bank" <fraud_department@washingtonmutual.com>
Sender spoofed? Yes
Scam call to action: 'Our department recorded a payment request from Expedia - Online Travel Agency ( EXPEDIA.COM ) to enable the charge of $1.119,49 on your account. This amount is supposed to cover the cost of a 5 days reservation ( 21-26 September / 2004 ) at a Five Stars Hotel located in New Delhi / INDIA, under the name of GARY EDWARDS...If you didn't make this payment / reservation and would like to decline the $1.119,49 billing to your card, please follow the link below to deny the payment...'
Scam goal: Getting victim's credit/debit card information, Washington Mutual username/password
Call to action format: URL link
Visible link: http://www.e-insites.com/support/testing2.php
Called link: http://66.206.5.209/index.html
Phish website on: 66.206.5.209
 
E-mail
 
This scam combines phishing with a classic con-style scam. It states that a huge payment is pending from your account. It is, of course, strange to you, but you can deny it immediately. Nice hook :) Here is the message:
 
 
The sender is spoofed, and the link is masked so you can't see where it really points to.
 
Web Site
Visible link: http://www.e-insites.com/support/testing2.php
Called link: http://66.206.5.209/index.html
Phish website on: 66.206.5.209
 
The phish site itself looks, of course, convincing:
 
 
A 'minor' detail, however, is the contents of the address bar:
 
 

This is obviously different from what the link said. It is the weakest spot in this scam.

After 'logging in', the next phish page opens. It looks believable, but the URL in the address bar again starts with the IP address. Otherwise it's fine:

 
 
Another weakness of the scam is the evident lack of HTTPS security. It's highly unlikely for a legitimate organisation to use an unsecured site for transactions involving sensitive information.
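
The three weaknesses noted in this report (link text that differs from the real target, a bare IP address as the host, and no HTTPS) can be checked mechanically when screening HTML mail. The following Python is an added example, not part of the original report; the class, function and finding names are assumptions, and the sample HTML is constructed from the visible and called links listed above.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_links(html):
    """Return (href, findings) for each link with a deceptive trait."""
    parser = AnchorCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        findings = []
        # Link text that is itself a URL should name the same host as the href.
        if "://" in text and (urlparse(text).hostname or "") != host:
            findings.append("masked-link")
        if is_ip_literal(host):          # raw IP instead of the bank's domain
            findings.append("ip-literal-host")
        if target.scheme != "https":     # credentials would travel unencrypted
            findings.append("no-https")
        if findings:
            results.append((href, findings))
    return results

# Constructed sample built from the visible and called links in this report.
SAMPLE = ('<p>To deny the payment: <a href="http://66.206.5.209/index.html">'
          'http://www.e-insites.com/support/testing2.php</a></p>')
```

Calling `audit_links(SAMPLE)` reports all three findings for the called link, while a link whose text and target share a host over HTTPS returns nothing.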
 
WHOIS data:

OrgName: Cyber World Internet Services
OrgID: CWIS
Address: 12402 N. Division St. #240
City: Spokane
StateProv: WA
PostalCode: 99218
Country: US

NetRange: 66.206.0.0 - 66.206.31.255
CIDR: 66.206.0.0/19
NetName: CYBERWORLD-INT
NetHandle: NET-66-206-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS0.NIC-REG-DNS.COM
NameServer: NS1.NIC-REG-DNS.COM
RegDate: 2001-12-04
Updated: 2002-03-08