Suntrust - 'Security Measures !'
07-Oct-2004

Summary
Email title: 'Security Measures !'
Scam target: Suntrust customers
Email format: HTML e-mail
Sender: service@suntrust.com

Sender spoofed? Yes
Scam call to action: 'We recently reviewed your account, and suspect that your Suntrust account may have been accessed by an unauthorized third party...Therefore, as a preventative measure, we have temporarily limited access to sensitive Suntrust account features. Click the link below in order to regain access to your account...'
Scam goal: Getting victim's suntrust.com username/password, credit card information
Call to action format: URL link
Visible link: https://internetbanking.suntrust.com
Called link: http://www.suntrust-onlinebanking.global-update2.com/
Phish website hosted on: 66.226.64.15
 
E-mail
 
This is a classic phish. The e-mail looks as if it comes from the legitimate suntrust.com site (the sender address is spoofed), bears the logo of the legitimate institution and asks you to go to a website to avoid trouble with, in this case, 'your Suntrust account':
 
 
The URL link also looks convincing; the true URL it leads to can only be revealed by looking at the HTML source of the message - something far too few potential victims will do - or by following it.
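The check described above (comparing the link text a reader sees with the href the mail actually carries) is what a mail gateway or analyst can automate. The following is an added example, not code from the APWG report: it parses an HTML message, extracts every anchor, and flags those whose visible text looks like a URL on one domain while the href points to another. The sample message is constructed for the example; only the displayed and actual link values are taken from the report. The function and class names (`find_deceptive_links`, `LinkExtractor`, `registrable_domain`) are this example's own, and the domain comparison uses a naive last-two-labels rule rather than a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the e-mail described in the report; the displayed
# and actual link values are the ones quoted on the page, the surrounding text is made up.
SAMPLE_EMAIL = """<html><body>
<p>We recently reviewed your account... Click the link below in order to regain access:</p>
<p><a href="http://www.suntrust-onlinebanking.global-update2.com/">https://internetbanking.suntrust.com</a></p>
<p><a href="https://www.suntrust.com/">www.suntrust.com</a> | <a href="https://www.suntrust.com/privacy">Privacy policy</a></p>
</body></html>"""

# Matches visible anchor text that a reader would take for a URL or host name.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Assumption: no public-suffix list is used,
    so country-code second-level domains such as .co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_deceptive_links(html):
    """Return links whose visible text names a different domain than their href."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not URL_LIKE.fullmatch(text):
            continue  # plain words such as "Privacy policy": nothing to compare
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        actual = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL):
        print(f"displayed {f['shown']} but goes to {f['actual']} ({f['href']})")
```

Run against the sample, the first anchor is flagged (shown suntrust.com, actual global-update2.com) while the two genuine suntrust.com links pass. Anchors whose text is ordinary words are skipped on purpose: the mismatch heuristic only applies when the reader is shown something that looks like an address.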
 
Web Site
 
The phish website replicates the legitimate Suntrust site's look by using the same pictures, fonts and basic layout. The main phishing clue should be the URL in the address bar:
 
 

This URL DOES NOT point to a location on the legitimate suntrust.com site, but to many people it would seem fine. So if you are not certain about it, you had better open a new browser window and type in the legitimate site's address manually.

After eventually 'signing in', the phish site demands credit card information:

 
 

The URL remains the same here. The amount of information demanded is modest, so the eventual victim has less time to think about what is really happening.

After this information is 'phished', a logout screen is displayed:

 
 
All the links from here lead to the legitimate site; this way the phisher tries to cover his tracks in the victim's mind, so the victim is not left with a bad taste about what happened. The quicker the victim realizes it was a scam, the faster the site will be brought down, and the fewer people will be scammed.
 
Phish server DNS/WHOIS information:
DNS & WHOIS data (for IP 66.226.64.15):

Domain Name: GLOBAL-UPDATE2.COM

Domain IP : 66.226.64.15

Registrar: ABACUS AMERICA, INC. DBA NAMES4EVER
Registrant: Eric King (2JY74) spoliynka@yahoo.com
NA
NA, NA 00000
United States
Phone: (816)3804228 x

Whois Server: whois.names4ever.com
Referral URL: http://www.names4ever.com
Name Server: NS2.ABAC.COM
Name Server: NS1.ABAC.COM
Status: ACTIVE
Updated Date: 05-oct-2004
Creation Date: 05-oct-2004
Expiration Date: 05-oct-2005

NetRange: 66.226.64.0 - 66.226.95.255
CIDR: 66.226.64.0/19
NetName: ABAC2002A
NetHandle: NET-66-226-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
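The WHOIS record above carries its own warning signs: the domain was created on 05-oct-2004, two days before the e-mail was seen, and registered for a single year. The following is an added example, not part of the APWG report: it parses the date fields out of a registrar record in the dd-mon-yyyy form shown above and turns them into the two heuristics an analyst or mail gateway would apply. The record excerpt is constructed from the values on the page; the function names (`parse_whois_dates`, `domain_age_days`, `whois_red_flags`) and the 30-day threshold are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed excerpt of the WHOIS record quoted in the report (dates as on the page).
WHOIS_RECORD = """Domain Name: GLOBAL-UPDATE2.COM
Registrar: ABACUS AMERICA, INC. DBA NAMES4EVER
Status: ACTIVE
Updated Date: 05-oct-2004
Creation Date: 05-oct-2004
Expiration Date: 05-oct-2005
"""

DATE_FMT = "%d-%b-%Y"  # the dd-mon-yyyy form used in this registrar's output


def parse_whois_dates(record):
    """Map 'creation', 'updated' and 'expiration' to the datetimes found in the record."""
    dates = {}
    for m in re.finditer(r"^(Creation|Updated|Expiration) Date:\s*(\S+)", record, re.M | re.I):
        # strptime matches month abbreviations case-insensitively, so 'oct' is fine
        dates[m.group(1).lower()] = datetime.strptime(m.group(2), DATE_FMT)
    return dates


def domain_age_days(record, seen_on):
    """Whole days between the domain's creation and the day the e-mail was seen.
    seen_on is a date string in the same dd-mon-yyyy form; returns None if unknown."""
    created = parse_whois_dates(record).get("creation")
    if created is None:
        return None  # registrar output without a creation date: age unknown
    return (datetime.strptime(seen_on, DATE_FMT) - created).days


def whois_red_flags(record, seen_on, max_age_days=30):
    """Indicators worth surfacing to an analyst; returns a list of reasons (assumed thresholds)."""
    flags = []
    dates = parse_whois_dates(record)
    age = domain_age_days(record, seen_on)
    if age is not None and age < max_age_days:
        flags.append(f"domain registered {age} day(s) before the e-mail was received")
    if "creation" in dates and "expiration" in dates:
        if (dates["expiration"] - dates["creation"]).days <= 366:
            flags.append("registered for one year only")
    return flags


if __name__ == "__main__":
    for reason in whois_red_flags(WHOIS_RECORD, "07-Oct-2004"):
        print("red flag:", reason)
```

With the report's dates the record is two days old at the time of the mailing and registered for one year, so both flags fire. Neither indicator is proof on its own (legitimate domains are new once too), which is why they are returned as reasons for a human to weigh rather than as a verdict.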