
KeyBank - 'Technical services: Account Update Request'
29-Sep-2004

Summary
Email title: 'Technical services: Account Update Request'
Scam target: KeyBank customers
Email format: HTML e-mail
Sender: KeyBank - Customer Care Department <keysupport.6381508.148055.0@ebusiness.keybank.com>

Sender spoofed? Yes
Scam call to action: 'Technical services of the bank are carrying a planned software upgrade... We earnestly ask you to visit the following link to start the procedure of confirmation of your personal data...'
Scam goal: Getting victim's keybank.com username/password, credit/debit card information
Call to action format: URL link
Visible link: image link
Called link: http://www.parisharm.com/cgi-bin/

Phish website IP: 66.206.7.127
 
E-mail
 

KeyBank's customers are the new phish target. This is the first phish against them reported to us, but it probably won't be the last. It is not a sophisticated one, but it doesn't need to be sophisticated to be dangerous - this bank's customers are probably not as vigilant as the customers of more frequently targeted banks.

Anyway, the message looks nice - with bank logo, spoofed sender and hidden link destination, even a 'legal' footer:

 
 
Web Site
 
The phish site preserves the color and font scheme of the message, which matches that of the legitimate site:
 
 
It surely looks nice, and it doesn't demand unreasonable amounts of information. But the URL in the address bar tells a different story:
 
 
The address bar should always be checked closely. It is the one thing that is hardest to forge convincingly (though there are some very successfully deceptive techniques for doing so).
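The mismatch this report describes, an image link in a message claiming to come from keybank.com that actually opens parisharm.com, can be checked mechanically on the mail side. The following is an added example, not part of the original report: the names `LinkCollector`, `base_domain` and `mismatched_links` are hypothetical, and the sample HTML is constructed around the sender and called link listed in the summary.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, kind) per <a>; kind is 'image' if it wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._has_img = [], None, False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._has_img = attrs["href"], False
        elif tag == "img" and self._href is not None:
            self._has_img = True

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "image" if self._has_img else "text"))
            self._href = None


def base_domain(host):
    # Naive last-two-labels rule: an assumption; use a public-suffix list for real mail.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def mismatched_links(from_header, html_body):
    """Return http(s) links whose domain differs from the From: domain."""
    sender = base_domain(parseaddr(from_header)[1].rpartition("@")[2])
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, kind in collector.links:
        url = urlsplit(href)
        if url.scheme in ("http", "https") and base_domain(url.hostname or "") != sender:
            findings.append({"href": href, "host": url.hostname, "visible": kind})
    return findings


# Constructed sample: the From: header and called link are from the report;
# the HTML markup, image name and second link are made up.
FROM = "KeyBank - Customer Care Department <keysupport.6381508.148055.0@ebusiness.keybank.com>"
BODY = ('<a href="http://www.parisharm.com/cgi-bin/"><img src="button.gif"></a>'
        '<p><a href="https://www.keybank.com/">KeyBank home</a></p>')
if __name__ == "__main__":
    print(mismatched_links(FROM, BODY))
```

Because the From: header is spoofed, the check flags the link precisely when the message claims one domain and sends the reader to another; a link with no visible text (an image) gives the reader nothing to compare until the address bar loads.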
 
After the information is harvested, the phish redirects to the legitimate keybank.com:
 
 
Phish server DNS/WHOIS information
DNS lookup:

Authoritative Server: ns0.nic-reg-dns.com
Responsible Person: hostmaster.cwiservices.com
Zone Serial Number: 200151901
Refresh Interval: 86400
Retry Interval: 3600
Expire Interval: 777600
Minimum Time to Live: 3600
parisharm.com NS ns0.nic-reg-dns.com
parisharm.com A 66.206.7.127
parisharm.com MX 10 mail.parisharm.com
parisharm.com NS ns1.nic-reg-dns.com

WHOIS data:

OrgName: Cyber World Internet Services
OrgID: CWIS
Address: 12402 N. Division St. #240
City: Spokane
StateProv: WA
PostalCode: 99218
Country: US

NetRange: 66.206.0.0 - 66.206.31.255
CIDR: 66.206.0.0/19
NetName: CYBERWORLD-INT
NetHandle: NET-66-206-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS0.NIC-REG-DNS.COM
NameServer: NS1.NIC-REG-DNS.COM
RegDate: 2001-12-04
Updated: 2002-03-08