Current Status

This blog is not frequently updated because most case-by-case scam reports are now listed in subordinate blogs. At this point in time, most of my efforts are targeted at documenting employment scams in the Suckers Wanted blog.

2005-03-16

Phish of the Day: Regions

Received from 62.176.229.131 (some host in a DSL pool in Germany) on Wed, 16 Mar 2005 04:06:35 +0000, one phishy little spam targeting "regions.com" banking customers. A very ordinary phish, really. Here's a quick excerpt of the text.

Account Confirmation Required!

Dear Valued RegionsNet® Client,

Recently there have been a large number of identity theft attempts targeting RegionsNet customers. In order to safeguard your account we require that you confirm your banking details. This process is mandatory.

You may do so by clicking Here and submitting the required information.

Failure to do so may result in a temporary cessation of your account services pending submission. Thank you for your prompt attention to this matter and your co-operation in helping us maintain the integrity of our customers accounts.

Please do not reply to this e-mail, as this is an unmonitored alias. If you require further assistance refer to our support centre.

RegionsNet respects your privacy. Click here to read the RegionsNet Group Privacy Policy Statement.

Electronic Banking services are issued by the RegionsNet of United States (Electronic Banking services include telephone banking, Netbank and Bpay). A Product Disclosure Statement (PDS) is available for these products on this website or from any branch of the RegionsNet.

I haven't bothered to include the links or text formatting, etc -- life's too short. The above should be enough to identify the message. In my case, the fraudulent link was to <http://218.8.251.189/regions/>, which was a download-and-save copy of <https://secure.regionsnet.com/EBanking/logon/user?a=defaultAffiliate> according to comments in the HTML. This contained a login form which included the text, "Regions does not contact customers via e-mail to verify or request security information." Anyway, if you ignored that and provided some sort of login information (I made something up), then you proceeded to <http://218.8.251.189/regions/verification.htm>, which included a form wanting the following details.

  • Card Number:
  • Expiration date:
  • PIN Code: * part of the bank verification process
  • CVV2 Code: * 3 digit security code printed on card
  • SSN Number: * social security number

I chose to submit this form without entering anything, and was redirected back to the real Regions home page. The site hosting the fake web pages appears to be a Red Hat box somewhere in China. Here's what nmap thinks of it.

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-03-16 05:45 GMT
Interesting ports on 218.8.251.189:
(The 1652 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
80/tcp   open     http
111/tcp  open     rpcbind
135/tcp  filtered msrpc
445/tcp  filtered microsoft-ds
1521/tcp open     oracle
6000/tcp open     X11
7001/tcp open     afs3-callback
8080/tcp open     http-proxy

Regions Bank seems to be on the ball with regard to phishing. They have a web page about email fraud.
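The message above carries the classic tells of this kind of phish: the "clicking Here" link points at a bare IP address over plain http, while the path and the surrounding text name a bank the host has nothing to do with. The following script is an added example, not code from the original post, showing how an analyst might triage the links in such a message before filing an abuse report. The sample HTML is constructed for the example (it reuses the fraudulent URL reported above; the second, legitimate-looking link to regions.com is an assumption and not taken from the post), and the brand-to-domain allow-list is likewise an assumed fixture.

```python
"""Triage of links in a suspected phishing e-mail body (added example).

Extracts every <a href> from the HTML body and reports, per link, the
indicators a defender checks first:
  * ip_literal_host   - the link host is a bare IP address, not a hostname
  * plaintext_http    - a supposed bank login link uses http, not https
  * brand_mismatch:X  - the link text or path names brand X, but the host
                        is not one of X's known domains
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list for the example: brand keyword -> legitimate registered domains.
BRAND_DOMAINS = {
    "regions": {"regions.com", "regionsnet.com"},
}

# Constructed sample body. The first href is the URL reported in the post;
# the second is an assumed legitimate link used for contrast.
SAMPLE_HTML = """
<p>Dear Valued RegionsNet Client,</p>
<p>You may do so by clicking <a href="http://218.8.251.189/regions/">Here</a>
and submitting the required information.</p>
<p>Click <a href="https://www.regions.com/">here</a> to read the
Privacy Policy Statement.</p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible link text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:       # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    """True if the host part of a URL is a v4/v6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host):
    """Naive registered-domain extraction (last two labels); fine for .com here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess_link(href, text):
    """Return the list of indicator names that apply to one link."""
    u = urlsplit(href)
    host = (u.hostname or "").lower()
    findings = []
    if is_ip_literal(host):
        findings.append("ip_literal_host")
    if u.scheme == "http":
        findings.append("plaintext_http")
    # Brand words in the visible text or the URL path, but on a foreign host.
    haystack = f"{text} {u.path}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in haystack and registered_domain(host) not in domains:
            findings.append(f"brand_mismatch:{brand}")
    return findings


def triage(html):
    """Return [(href, link_text, findings), ...] for every link in the body."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in extractor.links]


if __name__ == "__main__":
    for href, text, findings in triage(SAMPLE_HTML):
        print(f"{href!r:45} text={text!r:8} -> {findings or 'clean'}")
```

Run as-is, the script flags the IP-literal link with all three indicators and leaves the regions.com link clean. The registered-domain logic is deliberately naive; a production version would use a public-suffix list so that hosts like `regions.com.example` are not mistaken for the brand's domain.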
