
Suntrust Bank- 'Internet Banking with Bill Pay Fees Waived'
16-Nov-2004

Summary
Email title: 'New Mail from People'
Scam target: Suntrust Bank customers
Email format: HTML email
Sender: support@suntrust.com
Sender spoofed? Yes
Scam call to action: '..As an additional security measure, you need to activate this new feature by signing on to Internet Banking...'
Scam goal: Getting victim's credit/debit card information
Call to action format: a 'click here' type link
Visible link: 'signing on' link
Called link: www.people-onlinebank.net
Phish website host IP: 196.40.75.39
 
E-mail
 
This attack has been reported heavily over the last few days. The message it propagates through is quite an interesting one:
 
As you can see, the phisher does not threaten account suspension or other horrors, but is 'baiting' the potential victim with a nonexistent 'feature' and a waived fee. That's original. Also, the URL link is 'masked'.
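
A mail-side check for the mismatch described above, where the From: address claims suntrust.com but the 'signing on' anchor points to another host. This is an added example, not part of the original report; the function names, the two-label domain comparison and the constructed sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    # Assumption: last two labels approximate the registrable domain (no PSL).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def masked_links(raw_message):
    """Return anchors whose target host lies outside the From: domain."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = base_domain(sender.rpartition("@")[2])
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        collector = AnchorCollector()
        collector.feed(html)
        for href, text in collector.anchors:
            host = urlparse(href).hostname or ""
            if host and base_domain(host) != sender_domain:
                findings.append({"text": text, "host": host, "from": sender})
    return findings

# Constructed sample message built from the values in the summary above.
SAMPLE = (
    "From: support@suntrust.com\nContent-Type: text/html; charset=us-ascii\n\n"
    '<p>Activate by <a href="http://www.people-onlinebank.net/">signing on</a>'
    ' to Internet Banking. <a href="http://www.suntrust.com/help">Help</a></p>\n'
)
```

Calling masked_links(SAMPLE) flags only the 'signing on' anchor; the link that stays on the sender's own domain is not reported.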
 
Web Site
Visible link: 'signing on' link
Called link: www.people-onlinebank.net
Phish website host IP: 196.40.75.39
 
The phish site is well designed, too. The widespread IE address bar forgery is at work here as well. The site does not allow you to bring up the page's context menu by right-clicking. The properties page, however, can still be reached through the main menu of the browser window (File / Properties). It is there that the real URL shows up:
 
 
After eventually 'logging in', the phish asks for your personal data. The crucial clue to phishing here is the lack of a secure session indication in your browser, which does not fit with the 'https' in the address bar:
 
 

So far, the security certified HTTPS session has been the hardest for the phishers to duplicate - in fact, there has only been one of these so far. With this in mind, you should watch the secure session status carefully.

After eventually 'phishing' the information, the site displays a logout page, which redirects to the real suntrust.com site in a matter of a few seconds.

The phish site itself is hosted on a server in San Jose, Costa Rica:

 
Phish server WHOIS information:
WHOIS data (for IP 196.40.75.39 - lacnic.com WHOIS server)

inetnum: 196.40.75.0/25
status: reassigned
owner: Amnet Television
ownerid: CR-AMTE2-LACNIC
address: De la POPS Sabana 350 m oeste, frente UACA
address: San Jose, San Jose 7968-1000
country: CR
owner-c: SP533-ARIN
created: 20020620
changed: 20020620
inetnum-up: 196.40.64/19
source: ARIN-LACNIC-TRANSITION

nic-hdl: SP533-ARIN
person: Sergio Patino
e-mail: spatino@ITS.CO.CR
address: IT Servicios de Infocomunicaciones
address: De la POPS Sabana 350 m oeste, frente UACA
address: San Jose, 7968-1000
country: CR
phone: (506) 210-9212
source: ARIN-LACNIC-TRANSITION