Washington Mutual Bank- 'Notification of Washington Mutual Internet Banking Account'
27-Oct-2004

Summary
Email title: 'Washington Mutual Bank : Notification of Washington Mutual Internet Banking Account'
Scam target: Washington Mutual Bank customers
Email format: HTML email
Sender: Support@wamu.com
Sender spoofed? Yes
Scam call to action: 'We recently reviewed your account, and suspect that your Washington Mutual Internet Banking account may have been accessed by an unauthorized third party... restore your account access, please take the following steps to ensure that your account has not been compromised... To get started, please click the link below...'
Scam goal: Getting the victim's credit card information, contact information (name, address, phone number, etc.), wamu.com username/password.
Call to action format: URL link
Visible link: 'https://login.personal.wamu.com/logon/logon.asp?dd=1'
Called link: 'http://81.152.200.21/WaMu/'
Phish website IP: 81.152.200.21
 
E-mail
 
This phish message could be quite convincing. Notice the spoofed sender and the legitimate-looking link text, which differs from the address the link actually calls.

The policy described is not as wildly extravagant and scary as some other phish scams employ, so more people are likely to click the link.
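The mismatch between the visible link and the called link is the kind of check a mail filter or an analyst's triage script can automate. The following is an added example, not part of the APWG report: a small Python script that parses the anchors of an HTML message and flags any whose visible text is a URL on a different host than the href, whose href host is a bare IP address, or whose visible text claims 'https' while the href does not. The message body is constructed here to mirror the link pair quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML e-mail body in the style of the message described above.
# The visible text is the legitimate login URL; the href points at a bare IP address.
SAMPLE_EMAIL_HTML = """<html><body>
<p>To get started, please click the link below:</p>
<a href="http://81.152.200.21/WaMu/">https://login.personal.wamu.com/logon/logon.asp?dd=1</a>
<p><a href="https://www.wamu.com/security/">Security policy</a></p>
</body></html>"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only collect text while inside an <a> element.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _looks_like_url(text):
    """True if the visible link text is itself written as a URL."""
    return bool(re.match(r"^(https?://|www\.)", text, re.IGNORECASE))


def _is_ip_host(host):
    """True if the host part is a dotted-quad IPv4 literal rather than a name."""
    return bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host or ""))


def find_deceptive_links(html):
    """Return findings for anchors whose displayed URL does not match where they really go."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host = urlparse(href).hostname
        reasons = []
        if _is_ip_host(href_host):
            reasons.append("href host is a bare IP address")
        if _looks_like_url(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname
            if shown_host and href_host and shown_host.lower() != href_host.lower():
                reasons.append(
                    f"visible URL host {shown_host} differs from href host {href_host}"
                )
            if shown.lower().startswith("https://") and not href.lower().startswith("https://"):
                reasons.append("visible text claims https but href is not https")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "<-", finding["text"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run against the constructed message, the first anchor is reported with all three reasons, while the plain 'Security policy' link to a named https host produces no finding. A real filter would also compare the href host against the brand's known domains; this script limits itself to what can be decided from the message alone.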
 
Web Site

The phish site is even more deceptive. It uses the very dangerous 'address bar overwriting' technique (a Java program that draws a text window showing the legitimate URL on top of the real address bar).

The real URL of the site is visible in the 'properties' page:

Hiding the URL in the address bar is so dangerous because the URL itself is the most visible clue of phishing. But it is not the only one. Notice the lack of any browser indication of visiting a secured site (even though the fake 'address bar' shows a URL starting with 'https'). This is evident in the second phish page, too:

The phish site checks the validity of the credit card number using publicly available algorithms. It will not accept a random bogus number, which could persuade the potential victim of the site's authenticity. Another smart move is the redirect to the legitimate security policy page of wamu.com after the information is 'phished':
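The publicly available check referred to here is the Luhn checksum that payment card numbers carry in their last digit. The following is an added example, not code from the APWG report or from the phish site: a Python implementation of the Luhn check together with a small experiment showing why a made-up number is usually rejected. The card numbers used are the standard publicly documented test numbers, and the random sample is constructed with a fixed seed.

```python
import random


def luhn_valid(number):
    """Return True if the digits of `number` satisfy the Luhn checksum.

    Spaces and dashes are ignored; anything outside the usual 13-19 digit
    length of a payment card number is rejected outright.
    """
    digits = [int(ch) for ch in number if ch.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled and,
    # if the result has two digits, reduced by 9 (equivalent to summing them).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def random_pass_rate(samples, length=16, seed=1):
    """Fraction of uniformly random `length`-digit strings that pass the Luhn check.

    Because the check digit fixes one residue class out of ten, roughly one
    random number in ten passes; the rest are rejected, which is exactly what
    lets a site tell a typed-in bogus number from a real-looking one.
    """
    rng = random.Random(seed)  # fixed seed: constructed, reproducible sample
    passed = 0
    for _ in range(samples):
        candidate = "".join(rng.choice("0123456789") for _ in range(length))
        if luhn_valid(candidate):
            passed += 1
    return passed / samples


if __name__ == "__main__":
    # Publicly documented test numbers, not real accounts.
    print(luhn_valid("4111 1111 1111 1111"))   # True
    print(luhn_valid("4111 1111 1111 1112"))   # False: last digit altered
    print(round(random_pass_rate(2000), 3))    # close to 0.1
```

The point for a defender is that a Luhn pass says nothing about whether a card exists or is funded; it only proves the digits were copied correctly. A phish site uses it purely as an input-quality filter, so the victim's rejected 'dummy' number is not evidence that the site is genuine.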
 
 
Phish server WHOIS information:
WHOIS data (for IP 81.152.200.21)

NetRange: 81.0.0.0 - 81.255.255.255
CIDR: 81.0.0.0/8
NetName: 81-RIPE
NetHandle: NET-81-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH62.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Updated: 2004-03-16