US Bank - 'Notification of US Bank Internet Banking'
21-Jul-2004

Summary

Email subject: 'Notification of US Bank Internet Banking'
Scam target: US Bank customers
Distribution medium: HTML email
Sender: service@usbank.com
Sender spoofed? Yes
Scam call to action: '...as a preventative measure, we have temporarily limited access to sensitive U.S. Bank account features...click the link below and follow steps for verification proces in order to regain access to your account...'
Scam goal: Getting the victim's usbank.com username/password and credit/debit card information
Call to action format: URL link
Visible link: https://www.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage
Called link: http://www.usbankdate.com/internetBanking/RequestRouter_requestCmdId_DisplayLoginPage/
Phish site on: www.usbankdate.com
 
E-mail
 
This phish attack uses a large arsenal of phish tricks and can be considered very dangerous. The email message is more persuasive than most other phish messages: it addresses the victim by first name, which indicates precise targeting:
 
 
Another trick is the way the link is presented. It is not a plain text link, as it appears to be, but a flat white button. This lets the phisher fake the status bar indication of where the link really points:
 
 
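The core tell in this message is the split between the visible link and the called link listed in the summary. The following is an added example, not part of the original APWG write-up, that scans an HTML email body for anchors whose visible text is a URL on a different host than the href actually points to; the sample message below is constructed to mirror the one described on this page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message described above: the anchor text
# shows the bank's real URL while the href points to the phish host.
SAMPLE_HTML = """
<p>Dear Customer,</p>
<p>As a preventative measure, we have temporarily limited access to sensitive
U.S. Bank account features. Please click the link below:</p>
<a href="http://www.usbankdate.com/internetBanking/RequestRouter_requestCmdId_DisplayLoginPage/">
https://www.usbank.com/internetBanking/RequestRouter?requestCmdId=DisplayLoginPage</a>
<p><a href="https://www.usbank.com/">www.usbank.com</a></p>
"""

# Loose URL pattern: optional scheme, then a dotted host name.
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host name of a URL; a scheme is assumed if none is given."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def find_mismatched_links(html):
    """Return anchors whose visible text names one host while the href targets another."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        match = URL_RE.search(text)
        if not match:
            continue  # visible text is not a URL, so there is nothing to compare
        shown, real = host_of(match.group(0)), host_of(href)
        if shown and real and shown != real:
            findings.append({"shown": shown, "real": real, "href": href})
    return findings
```

Image-only buttons like the one in this message carry no visible URL to compare, so for those the check has to fall back to a host allow-list for the sending organisation.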
Web Site
 
The phish site is no less dangerous. It uses JavaScript to 'overwrite' the address bar in Internet Explorer (the page checks the browser version and closes itself if the browser is not IE). The overwrite is not perfect, and the flaw is visible on the screenshot, but it is nonetheless far from harmless:
 
 
After the 'login' screen, the second phish page opens. It uses the same address bar overwriting technique. Notably, the phish does not demand a lot of information, so it is easy to take lightly:
 
 
At the end, a perfectly plausible confirmation page appears:
 
 
To summarize: this phish uses a multitude of tricks (the harvested first name, the 'invisible' button, the address bar overwriting) and could easily fool many ordinary internet users. A high level of awareness and attention to detail is required to avoid being scammed by such attacks.
 
WHOIS data:

Registrant:
Rhoda Sakowitz (SROW-118144)
boinxstop@yahoo.com
Jl. Sekolah Kencana I 33
Wayland MA
01778 CA
+15 083587038 fax: +15 083587039

Domain servers in listed order:
dns1.servidoresdns.net 217.76.128.128
dns2.servidoresdns.net 217.76.129.128

Created: 21 Jul 2004 01:44:10 UTC
Expires: 21 Jul 2005 01:44:10 UTC
Last updated: 21 Jul 2004 01:44:10 UTC