Paypal - 'Your Account Will Be Suspended'
09-Nov-2004

Summary
Email title: 'Your Account Will Be Suspended'
Scam target: Paypal customers
Email format: HTML email
Sender: aw-confirm@paypal.com
Sender spoofed? Yes
Scam call to action: 'We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address and we have reasons to believe that your account was hijacked by a third party without your authorization...if you are the rightful holder of the account, click on the link below to log into your account... '
Scam goal: Getting victim's name and credit card information, paypal.com username/password
Call to action format: URL link
Visible link: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
Called link: http://212.45.13.185/.paypal/index.php
Phish website hosted on: 212.45.13.185
 
E-mail

This is one of the particularly dangerous phish scams out there. It is well crafted on all sides and stands a good chance of fooling many potential victims.

First, the e-mail:

[Screenshot of the phishing e-mail]

As you can see, it inspires confidence because it is so well designed. The sender is spoofed, and the URL link is 'masked': the text of the link shows a paypal.com address while the link itself goes elsewhere. This is usually enough to trick many of the more inexperienced users into clicking the link.
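One way to catch this kind of link masking automatically, as an added example that is not part of the original APWG report: parse the HTML body and compare each anchor's visible text with its href, flagging host mismatches, an 'https' shown over an 'http' target, and IP-literal hosts. The e-mail body below is constructed for the example; the two URLs are the ones listed in the summary.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML e-mail in the shape described above: the visible link
# text is a paypal.com URL, but the href points at the phish server.
SAMPLE_EMAIL_HTML = """<html><body>
<p>We recently noticed one or more attempts to log in to your PayPal account ...
click on the link below to log into your account.</p>
<a href="http://212.45.13.185/.paypal/index.php">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
</body></html>"""

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _is_ip_literal(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def link_mismatch_reasons(href, text):
    """Why the visible URL `text` disagrees with the real `href`; empty list if consistent."""
    shown, real = urlparse(text), urlparse(href)
    checks = [  # urlparse already lowercases the scheme
        ("host mismatch", (shown.hostname or "").lower() != (real.hostname or "").lower()),
        ("https shown, http called", shown.scheme == "https" and real.scheme == "http"),
        ("IP-literal host", real.hostname is not None and _is_ip_literal(real.hostname)),
    ]
    return [name for name, hit in checks if hit]

def find_masked_links(html):
    """Return (href, visible_text, reasons) for every anchor whose visible URL text disagrees with its href."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(href, text, link_mismatch_reasons(href, text)) for href, text in parser.links
            if text.lower().startswith(("http://", "https://")) and link_mismatch_reasons(href, text)]
```

Anchors whose visible text is not a URL ('Click here') are skipped, since there is nothing to compare them against; a mail filter would handle those with other rules.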
 
Web Site
Visible link: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
Called link: http://212.45.13.185/.paypal/index.php
Phish website hosted on: 212.45.13.185

The phish site is well done, too. At first glance it is practically indistinguishable from the legitimate site:

[Screenshot of the phish site]

But there is one difference. Whenever a secure HTTPS session is active, IE indicates it by displaying a padlock icon at the place the arrow points to on the screenshot. Having 'https' in the address bar but no padlock is an important inconsistency.
 
It uses address bar forgery, a quite common phish tactic: the URL you see in the address bar is not the real URL of the page. This trick can be exposed by opening the page's Properties dialog:

[Screenshot of the Properties dialog]

On the screenshot above, you can see the inconsistency. On this page, the phishers try to get personal contact information. But the fact that they have made a convincing scam has emboldened them enough to add a second phish page:

[Screenshot of the second phish page]

Also, splitting the phishy requests like this makes the scam more convincing.

The site does not check the data entered in any way - whatever bogus information you enter will be accepted.

And, in the end, another smart trick: after eventually phishing the information, the site redirects to the paypal.com login page and submits the phished username and password. This way, if a valid account name has been phished, a normal paypal.com login proceeds and the victim remains unaware of what has happened. In our case, we had entered a random bogus username and password, and the login was rejected:

[Screenshot of the rejected paypal.com login]

This combination of phish techniques makes this scam a very dangerous one. It is crucial to pay attention to the clues mentioned above.

Phish server WHOIS information:
WHOIS data (for IP 212.45.13.185, ripe.net WHOIS database)

inetnum: 212.45.13.0 - 212.45.13.255
netname: COMCOR-ATELECOM
descr: "Atelecom" Ltd
descr: Internet Service Provider, Telecommunication Services,
descr: CTI, IP telephony, Web design Agency, Travel Agency.
descr: Leningradsky prospect, Moscow, Russia
country: RU
admin-c: DIM12-RIPE
tech-c: PS301-RIPE
tech-c: VGF2-RIPE
tech-c: VAT6-RIPE
tech-c: DIM12-RIPE
status: ASSIGNED PA
notify: mdi@atelecom.ru
notify: abuse@atelecom.ru
mnt-by: AS8732-MNT
changed: pas@comcor.ru 20001026
source: RIPE