
Suntrust - 'Security Alert on Microsoft Internet Explorer'
30-Nov-2004

Summary
Email title: 'Security Alert on Microsoft Internet Explorer'
Scam target: Suntrust customers
Email format: HTML email
Sender: support@suntrust.com
Sender spoofed? Yes
Phish 'punch line': 'SunTrust security systems require that you test your browser now to see if it meets the requirements for SunTrust Internet Banking. Please sign on to Internet Banking in order to verify security update installation.'
Scam goal: Getting the victim's Suntrust website username/password and credit card information
Phish link method: a link in the HTML email
Visible link: 'Sign on'
Actual link to: http://82.90.165.65/s/login.html
Phish website hosted on: 82.90.165.65

 
E-mail
 
This is a second phish using this kind of bait (the first one's review can be seen here). The message is persuasive and well crafted:
 
 
The sender is spoofed and the link's URL is hidden, which makes this message a dangerous phish.
 
Web Site
Visible link: 'Sign on'
Actual link to: http://82.90.165.65/s/login.html
Phish website hosted on: 82.90.165.65
 
The phish site, apart from using a very convincing design, employs an address bar forgery. It overwrites IE's address bar with a window drawn by a Java program, in which the legitimate URL is displayed. This scam can be exposed by opening up the properties page:
 
 

You can clearly see the overwriting window 'overlapping' the open dialog, and the real URL in the properties page.

The next phish displayed is the one demanding CC information. As far as the URL and the address bar go, the situation is unchanged:

 
 

The phish site will not check the information entered - it will accept anything.

A standard-looking logout screen follows:

 
 

Soon after it, the browser gets redirected to the legitimate suntrust site.

As a recapitulation: having in mind the convincing phish message and the address bar spoof, this could be considered a dangerous phish. A sharp lookout for the details is necessary in order to avoid being phished. Another flaw of the scam is that it does not replicate the legitimate site's security certificate, and this shows in the browser window (the padlock icon in the status bar, marking a secure HTTPS session, is not present).
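As an added, defender-side example (not part of the original APWG report), the Python script below applies the checks this write-up relies on to the links in an HTML e-mail: it pairs each visible anchor text with the real href, and flags a link whose host is a bare IP address, whose scheme is not HTTPS (so no padlock would appear on the landing page), or whose host does not belong to the sender's domain. The e-mail body and sender header in the script are constructed to mirror the message described in the E-mail and Web Site sections above; they are not the original message.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from email.utils import parseaddr
import ipaddress

# Constructed sample modelled on the phish described in this report
# (not the real message body). The 'Sign on' link points at the raw IP
# the report names; the second link is a legitimate-looking control.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>SunTrust security systems require that you test your browser now.</p>
<p>Please <a href="http://82.90.165.65/s/login.html">Sign on</a> to Internet Banking.</p>
<p><a href="https://www.suntrust.com/privacy">Privacy policy</a></p>
</body></html>
"""
SAMPLE_SENDER = "SunTrust Support <support@suntrust.com>"  # spoofed From: header


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def is_ip_literal(host):
    """True when the link host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_org(host, sender_domain):
    """True when the link host is the sender's domain or a subdomain of it."""
    return host == sender_domain or host.endswith("." + sender_domain)


def analyse_email(html, sender_header):
    """Return a list of suspicious links, each with the visible text, the real
    href, and the reasons it was flagged. Links that pass every check are omitted."""
    sender_domain = parseaddr(sender_header)[1].split("@")[-1].lower()
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.anchors:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons = []
        if is_ip_literal(host):
            reasons.append("link host is a bare IP address")
        if url.scheme != "https":
            reasons.append("link is not HTTPS (no padlock expected on the landing page)")
        if host and not same_org(host, sender_domain):
            reasons.append(f"link host {host} does not match sender domain {sender_domain}")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL_HTML, SAMPLE_SENDER):
        print(f"'{finding['text']}' -> {finding['href']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run on the constructed sample, only the 'Sign on' anchor is reported, with all three reasons; the HTTPS link to the sender's own domain is left alone. The sender-domain check is deliberately naive (it trusts the From: header, which this phish spoofs), so in a real mail pipeline it should be paired with SPF/DKIM results rather than used on its own.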

 
WHOIS data (for IP 82.90.165.65):
inetnum: 82.88.0.0 - 82.91.255.255
org: ORG-TIWS1-RIPE
netname: IT-TIWS-20030506
descr: Telecom Italia Wireline Services
descr: PROVIDER
country: IT
admin-c: LV357-RIPE
tech-c: PP6677-RIPE
notify: paolo2.perfetti@telecomitalia.it
notify: vincenzo.scoppa@telecomitalia.it
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: TIWS-MNT
mnt-routes: TIWS-MNT
changed: hostmaster@ripe.net 20030507
changed: hostmaster@ripe.net 20031022
source: RIPE