Lloyds TSB - 'Official information from Lloyds TSB'
28-Sep-2004

Summary
Email title: 'Official information from Lloyds TSB'
Scam target: Lloyds TSB customers
Email format: HTML e-mail
Sender:

Lloyds TSB Bank plc <online-support@lloydstsb.com>

Sender spoofed? Yes
Scam call to action: 'As a part of our continuing operations to increase safety of your money and to reduce the amount of swindle on our website, we start a period of reviewing our members accounts...You are requested to visit our secure page clicking the link given below...'
Scam goal: Obtaining the victim's lloydstsb.com username and password, name and date of birth
Call to action format: URL link
Visible link: https://online.lloydstsb.co.uk/applypassword.ibc
Called link:

http://200.204.198.158:16780/Io/applypassword.php

Phish website IP: 200.204.198.158
 
E-mail
 
This phish message was reported in two variations, very close to one another and leading to the same site:
 
 

Such variations are made for the sole purpose of circumventing spam filters.

The message itself can be convincing: both the sender and the link are spoofed, and neither can be exposed at a glance. The displayed URL is the bank's own (https://online.lloydstsb.co.uk/applypassword.ibc), while the underlying href points at a raw IP address on a non-standard port (http://200.204.198.158:16780/Io/applypassword.php); only inspecting the link target, not its text, reveals the difference.
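One way to surface that mismatch mechanically, as an added example that is not part of the APWG report: the script below parses an HTML message, pairs each anchor's visible text with its real href, and flags the tells this phish shows (raw IP host, non-standard port, https displayed but http used, visible hostname differing from the target). The message body is constructed from the report's details, not the original e-mail, and the list of legitimate Lloyds TSB domains is an assumption for the check. The same `classify_url` check applies to the address shown in the pop-up window discussed further down.

```python
"""Flag spoofed links in an HTML phishing e-mail.

Added example, not from the APWG report. It reproduces the mismatch the
report documents: the anchor text shows https://online.lloydstsb.co.uk/...
while the href points at http://200.204.198.158:16780/Io/applypassword.php.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body, built from the visible/called links in the report.
SAMPLE_HTML = """
<html><body>
<p>As a part of our continuing operations to increase safety of your money,
you are requested to visit our secure page clicking the link given below:</p>
<a href="http://200.204.198.158:16780/Io/applypassword.php">
https://online.lloydstsb.co.uk/applypassword.ibc</a>
<p><a href="https://www.lloydstsb.com/">Lloyds TSB Bank plc</a></p>
</body></html>
"""

# Assumption for the check: domains the bank legitimately uses.
LEGIT_DOMAINS = ("lloydstsb.co.uk", "lloydstsb.com")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def is_legit_host(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def classify_url(url, visible_text=""):
    """Return the list of red flags for one link (empty list means clean)."""
    flags = []
    target = urlparse(url)
    host = target.hostname
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a hostname")
    except (ValueError, TypeError):
        pass
    if target.port not in (None, 80, 443):
        flags.append(f"non-standard port {target.port}")
    if not is_legit_host(host):
        flags.append(f"host {host!r} is not a Lloyds TSB domain")
    # When the visible text is itself a URL, compare it with the real target.
    if visible_text.startswith(("http://", "https://")):
        shown = urlparse(visible_text)
        if shown.hostname and shown.hostname.lower() != (host or "").lower():
            flags.append(f"visible text names {shown.hostname} but link goes to {host}")
        if shown.scheme == "https" and target.scheme == "http":
            flags.append("visible text promises https but target is plain http")
    return flags


def analyse_email(html):
    """Map each href in the message to its red flags."""
    return {href: classify_url(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, flags in analyse_email(SAMPLE_HTML).items():
        print(href, "->", flags or ["ok"])
```

Running it on the constructed body flags only the call-to-action link; the footer link to www.lloydstsb.com comes back clean, which is the point: the phish only needs one spoofed anchor among otherwise genuine-looking ones.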

 
Web Site
Visible link: https://online.lloydstsb.co.uk/applypassword.ibc
Called link:

http://200.204.198.158:16780/Io/applypassword.php

Phish website IP: 200.204.198.158
 
The phish website uses a well-known, effective trick: it opens the legitimate site in the background and then opens the phish site in a pop-up window in the foreground:
 
 

This is dangerous because the user naturally connects the two windows and perceives them as two parts of a single site. In fact they have nothing in common, apart from the phish site copying the colour and font scheme of the legitimate one.

This approach also lets the phishers easily hide the address bar of the phish window, which is generally the most vulnerable spot of the scam: a pop-up can be opened without a location bar at all, so the victim never sees the raw IP address.

Under closer inspection, however, the truth comes out:

 
 
Here it is obvious that the pop-up's URL is not linked to the legitimate site in any way.
 
After the phish has collected the information it wants, it opens the legitimate site once more, this time in the pop-up:
 
 
This scam is quite dangerous, but it can be exposed if close attention is paid to the details. It is hosted on a server within the LACNIC (Latin American and Caribbean IP address Regional Registry) range, the second scam we have reviewed that comes from there:
 
WHOIS data:

OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Potosi 1517
City: Montevideo
StateProv:
PostalCode: 11500
Country: UY

ReferralServer: whois://whois.lacnic.net

NetRange: 200.0.0.0 - 200.255.255.255
CIDR: 200.0.0.0/8
NetName: LACNIC-200
NetHandle: NET-200-0-0-0-1
Parent:
NetType: Allocated to LACNIC
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: SEC3.APNIC.NET
NameServer: NS2.DNS.BR
Comment: This IP address range is under LACNIC responsibility for further
Comment: allocations to users in LACNIC region.
Comment: Please see http://www.lacnic.net/ for further details, or check the
Comment: WHOIS server located at whois.lacnic.net
RegDate: 2002-07-27
Updated: 2004-03-18
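The WHOIS record above only states that the whole of 200.0.0.0/8 is delegated to LACNIC; it does not identify the network operator actually hosting 200.204.198.158. As an added example (not part of the APWG report), the script below parses that ARIN-style record, confirms the phish IP falls inside the listed range, and extracts the ReferralServer that a responder would have to query next for the real allocation. The record text is the one printed in the report and the IP is the one the report gives; nothing else is assumed.

```python
"""Parse an ARIN-style WHOIS record and locate an IP inside it.

Added example, not from the APWG report. Shows that the record only
delegates 200.0.0.0/8 to LACNIC; the real allocation has to be fetched
from the ReferralServer it names.
"""
import ipaddress

# The record as printed in the report (ARIN's answer for the /8).
WHOIS_TEXT = """\
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Potosi 1517
City: Montevideo
StateProv:
PostalCode: 11500
Country: UY

ReferralServer: whois://whois.lacnic.net

NetRange: 200.0.0.0 - 200.255.255.255
CIDR: 200.0.0.0/8
NetName: LACNIC-200
NetHandle: NET-200-0-0-0-1
Parent:
NetType: Allocated to LACNIC
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: SEC3.APNIC.NET
NameServer: NS2.DNS.BR
Comment: This IP address range is under LACNIC responsibility for further
Comment: allocations to users in LACNIC region.
Comment: Please see http://www.lacnic.net/ for further details, or check the
Comment: WHOIS server located at whois.lacnic.net
RegDate: 2002-07-27
Updated: 2004-03-18
"""

PHISH_IP = "200.204.198.158"  # the phish website IP from the report


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated keys become lists.
    Keys with an empty value (StateProv, Parent) are dropped."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def referral_host(record):
    """Strip the whois:// scheme from ReferralServer, or None if absent."""
    ref = record.get("ReferralServer")
    if not ref:
        return None
    return ref[len("whois://"):] if ref.startswith("whois://") else ref


def locate(ip, record):
    """Return who the record says is responsible for ip, or None if the
    address lies outside the record's CIDR."""
    net = ipaddress.ip_network(record["CIDR"], strict=False)
    if ipaddress.ip_address(ip) not in net:
        return None
    return {
        "network": str(net),
        "org": record["OrgID"],
        "country": record["Country"],
        "net_type": record["NetType"],
        # Where to look next: ARIN delegates the block, LACNIC allocates it.
        "query_next": referral_host(record),
    }


if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    print(locate(PHISH_IP, rec))
```

The `Country: UY` field is LACNIC's own registry address in Montevideo, not the location of the phish server; treating a delegating RIR record as the hosting record is a common mistake in take-down requests, which is why `query_next` is the field that matters here.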