U.S. Bank - 'Customer Service'
21-Dec-2004

Summary
Email title: 'Update or verify your account informations'
Scam target: VISA credit card owners
Sender:

customer-service@mail.hotmail.com

Sender spoofed/hidden? Hidden
Phish 'punch line' : 'Recently there have been a large number of identity theft attempts targeting US Bank Customers.
In order to safeguard your account, we require that you confirm your banking details.'
Scam goal: Getting victim's bank account and credit card information
Phish link method: URL link
Visible link: https://www.usbank.com/internetBanking/RequestRouter?requestCmdId=upt
Link 'masked'? Yes
Actual link to http://210.104.211.21/.ft./.1./
Phish website IP:

210.104.211.21

 
E-mail
 

The tricky bit about this scam is the hiding of the sender. The real sender of the message is not in the message's 'From' field. That field contains only '"US Bank" <customer-service>', a display name with no e-mail address. Since e-mail clients display the sender name taken from the 'From' field, it is highly likely that the potential victim will remain unaware of the real sender.

This trick could be exposed by looking at the 'return path' header of the email message, where the true sender is listed.

The message is well designed and could be persuasive, too. The link is, of course, 'masked':
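The two clues described above can be checked mechanically on the received message: a 'From' header that carries a display name but no mailbox address (compared against the 'Return-Path' header), and an HTML link whose visible text is a URL on one host while the href points at another host, here a raw IP address. The following is an added example written for this page, not APWG's own tooling; the message it parses is a constructed sample modelled on the headers and link quoted in this report, and the function names are the example's own.

```python
import email
import ipaddress
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the report: the From header has only a
# display name, Return-Path carries the real sender, and the anchor text
# shows a usbank.com URL while the href points at a raw IP address.
SAMPLE_EMAIL = """\
Return-Path: <customer-service@mail.hotmail.com>
From: "US Bank" <customer-service>
Subject: Update or verify your account informations
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Recently there have been a large number of identity theft attempts
targeting US Bank Customers.</p>
<p><a href="http://210.104.211.21/.ft./.1./">https://www.usbank.com/internetBanking/RequestRouter?requestCmdId=upt</a></p>
</body></html>
"""


def sender_headers(msg):
    """Return (from_addr, return_path_addr) as parsed by email.utils.parseaddr."""
    _name, from_addr = parseaddr(msg.get("From", ""))
    _name, return_path = parseaddr(msg.get("Return-Path", ""))
    return from_addr, return_path


def from_header_has_no_address(msg):
    """True when From carries no usable mailbox (no '@'), as in '"US Bank" <customer-service>'."""
    from_addr, _rp = sender_headers(msg)
    return "@" not in from_addr


class _LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def masked_links(html):
    """Links whose visible text is a URL on a different host than the href target."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for text, href in parser.links:
        shown, real = urlparse(text), urlparse(href)
        if (shown.scheme in ("http", "https") and shown.hostname
                and real.hostname and shown.hostname != real.hostname):
            found.append({"visible": shown.hostname, "actual": real.hostname,
                          "actual_is_ip": _is_ip_literal(real.hostname)})
    return found


def analyse(raw_message):
    """Run both checks over a raw RFC 822 message and return a list of findings."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_addr, return_path = sender_headers(msg)
    if from_header_has_no_address(msg):
        findings.append(f"From header has no mailbox address: {msg.get('From')!r}; "
                        f"Return-Path is {return_path}")
    elif from_addr.split("@")[-1].lower() != return_path.split("@")[-1].lower():
        findings.append(f"From {from_addr} and Return-Path {return_path} are on different domains")
    body = msg.get_payload(decode=True)  # None for multipart; single-part HTML here
    if msg.get_content_type() == "text/html" and body:
        html = body.decode(msg.get_content_charset() or "utf-8", "replace")
        for link in masked_links(html):
            note = " (raw IP address)" if link["actual_is_ip"] else ""
            findings.append(f"masked link: shows {link['visible']} but goes to {link['actual']}{note}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print(finding)
```

Return-Path is written by the receiving mail server from the SMTP envelope sender, so the header check only applies to a message as delivered; it is trivially forgeable by the sending side but, as this report shows, it is often left honest. The link check only compares hostnames, which is enough to expose this case, where the displayed host is usbank.com and the actual target is an IP literal.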

 
 
Web Site
 
The phish site opens up with the expected login screen, but the URL in the address bar is phishy:
 
 

Furthermore, there is no browser indication of a secure session, despite the 'connection secured' graphic on the page.

After 'logging in', the main phish page shows up:

 
 
The domain in the address bar remains the same. The site checks nothing but whether the fields are non-empty. It will ask you to 'complete your information' if some field is left blank. Otherwise, it displays an OK-looking logout screen:
 
 

To summarize: the distinctive aspect of this attack is the hidden sender. The strongest phishing clue you get is the URL in the address bar.

The phish server is registered in Korea:

 
WHOIS information (for IP 210.104.211.21):

Location: Korea, Republic Of - Ch'ungch'ong-namdo - Taejon - KRNIC

inetnum: 210.104.0.0 - 210.106.223.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: 19970829
changed: 20010606
status: ALLOCATED PORTABLE
source: APNIC