Sovereign Bank - 'Sovereign Bank Unauthorized Account Access'
02-Nov-2004

Summary
Email title: 'Sovereign Bank Unauthorized Account Access'
Scam target: Sovereign Bank customers
Email format: HTML email
Sender: Staff@sovereignbank.com
Sender spoofed? Yes
Scam call to action: 'We recently reviewed your account, and suspect that your Sovereign Internet Banking account may have been accessed by an unauthorized third party...as a preventative measure, we have temporarily limited access to sensitive account features...check your account profile...To get started, please click the link below...'
Scam goal: Getting victim's name and credit card information, sovereignbank.com username/password
Call to action format: URL link
Visible link: https://www.site-secure.com/cgi-bin/cgig2.exe/sovbank/SID/GetLogon
Called link: http://68.118.88.166/sovbank
Phish website hosted on: 68.118.88.166. At least one more different phish (against Washington Mutual Bank) is hosted on the same IP.
 
E-mail
 

This time the phishers have targeted a new bank - Sovereign Bank. This phish is clearly part of a wave of such attacks; the proof lies in the phish IP, which hosts at least one other attack (against Washington Mutual Bank).

Compared to the phish samples analyzed over the last few days, this one is less cunning. Presumably the phishers expect to catch Sovereign Bank's customers unprepared, since this is one of the first attacks directed at this bank.

The phish message carries no bank logos and no legitimate-looking header or footer. But the sender address is spoofed, and the URL link is 'masked': the visible text of the link is the https://www.site-secure.com/... URL shown above, while the link actually points at http://68.118.88.166/sovbank. This alone could be enough to mislead the unprepared. The phishers have also avoided typing 'sovereignbank.com' anywhere in the phish URL, in an attempt to slip past spam filters that key on the bank's domain.
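As an added example (not code from the original APWG report), the following Python routine parses an HTML mail body and flags every anchor whose visible text is a URL that does not match where the href really points, which is exactly the 'masking' used in this phish. It also flags hrefs that point at a raw IP address and visible-https/actual-http downgrades. The sample message is constructed here from the link details in the Summary; the function names are my own.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_raw_ip(host):
    """True if the host part of a URL is a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def masked_links(html):
    """Return one finding per suspicious anchor in the HTML body.

    A finding is raised when the visible text is itself a URL whose host
    or scheme disagrees with the real href, or when the href targets a
    raw IP address (a phish kit on a hijacked host has no domain to use).
    """
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        shown = urlparse(text)
        actual = urlparse(href)
        reasons = []
        if shown.scheme in ("http", "https"):
            if (shown.hostname or "").lower() != (actual.hostname or "").lower():
                reasons.append("host mismatch")
            if shown.scheme == "https" and actual.scheme == "http":
                reasons.append("https shown but plain http used")
        if _is_raw_ip(actual.hostname or ""):
            reasons.append("raw IP address in href")
        if reasons:
            findings.append({"shown": text, "actual": href, "reasons": reasons})
    return findings


# Constructed sample: a minimal HTML body reproducing the link structure the
# report describes. The visible text and href are the two URLs from the Summary;
# the second anchor shows the raw-IP check firing on its own.
SAMPLE_EMAIL = """<html><body>
<p>We recently reviewed your account, and suspect that your Sovereign Internet
Banking account may have been accessed by an unauthorized third party.</p>
<p>To get started, please click the link below:</p>
<a href="http://68.118.88.166/sovbank">https://www.site-secure.com/cgi-bin/cgig2.exe/sovbank/SID/GetLogon</a>
<p>Plain anchor text: <a href="http://68.118.88.166/sovbank">click here</a></p>
</body></html>"""


if __name__ == "__main__":
    for f in masked_links(SAMPLE_EMAIL):
        print(f["shown"], "->", f["actual"], "|", ", ".join(f["reasons"]))
```

The host comparison is done on the parsed hostname, not on the raw strings, so a visible link with a trailing path or different capitalisation still compares correctly; anchors whose visible text is not a URL ('click here') are only judged by where the href goes.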

 
 
Web Site
 
The phish site does not use the 'address bar overwrite' technique that is now common among phishers. As a result, a strong clue of phishing stays visible: the raw-IP URL in the address bar.
 
 
Also, the phish will accept any username you type in (quite logically, since it cannot check whether what is entered is a real username).
 
Next, the main phish page comes up:
 
 

As you can see, the phishy URL is visible here, too. Furthermore, there is no browser indication of a secure session (the padlock in the right part of the status bar), and the URL does not start with 'https'. Transferring customers' sensitive information over an unencrypted HTTP session is not something a legitimate institution would do.

One more note: the phish site actually checks whether the credit card number entered is 'valid'. That is, it runs the number through the publicly documented mod-10 (Luhn) check digit routine used when card numbers are issued. This check is enough to reject a random bogus number (such as 123123123123). Rejecting a bogus number could lead the potential victim to the wrong conclusion that the site has credibility. In fact, the check requires no card-issuer or bank insider information at all: it is a simple public arithmetic test that says nothing about whether the card or account exists.

After collecting the requested information, the phish site redirects to the legitimate sovereignbank.com page on privacy policies. This is designed as a 'track covering' move. Notice the difference in the URLs once the legitimate page is open:
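As an added example (my own code, not the phish kit's or the report's), the Python below shows both sides of that check: validating a number with the Luhn mod-10 routine, and completing an arbitrary digit payload with a check digit so that it passes. The second function is the point of the paragraph: anyone can mint numbers that satisfy the check, so passing it proves nothing about a real card. Sample numbers are constructed for illustration; 4111111111111111 is a widely used Luhn-valid test value.

```python
def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Spaces are ignored so '4111 1111 1111 1111' is accepted as the same
    number; any other non-digit character makes the number invalid.
    """
    digits = [c for c in number if not c.isspace()]
    if not digits or not all(c.isdigit() for c in digits):
        return False
    total = 0
    # Walk from the rightmost digit (the check digit, position 0) leftwards
    # and double every second digit, folding results above 9 back down.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Return the single digit that makes payload + digit Luhn-valid.

    This is all an issuer's check digit 'knows': it is pure arithmetic
    over the preceding digits, so any payload can be completed.
    """
    digits = [int(c) for c in payload if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        # The appended check digit will occupy position 0, so the payload's
        # rightmost digit lands on position 1 and is the first one doubled.
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def forge_valid_number(payload: str) -> str:
    """Constructed helper: complete a made-up payload into a Luhn-valid number."""
    return payload + luhn_check_digit(payload)


if __name__ == "__main__":
    # The bogus number from the report fails, as the phish site would report.
    print("123123123123 ->", luhn_valid("123123123123"))
    # Changing only the last digit makes the same nonsense pass the check.
    forged = forge_valid_number("12312312312")
    print(forged, "->", luhn_valid(forged))
```

The forged number above is 123123123127: the same junk prefix with the correct check digit appended. A site that rejects 123123123123 and accepts 123123123127 is doing exactly this arithmetic and nothing more.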

 
 
Phish server WHOIS information:
WHOIS data (for IP 68.118.88.166)

Charter Communications CHARTER-NET-6BLK (NET-68-112-0-0-1)
68.112.0.0 - 68.119.255.255
Charter Communications MRSTN-TN-68-118-80 (NET-68-118-80-0-1)
68.118.80.0 - 68.118.95.255

So, the phish IP reverse-resolves to morristown-68-118-88-166.chartertn.net, an address in Charter Communications' subscriber space (chartertn.net appears to be an MSN-affiliated Charter domain). The IP is almost certainly a hijacked subscriber machine rather than a hosting provider's server.