Current Status

This blog is not frequently updated because most case-by-case scam reports are now listed in subordinate blogs. At this point in time, most of my efforts are targeted at documenting employment scams in the Suckers Wanted blog.

2005-05-16

Phish of the Day: LaSalle

A little phish just swam in, attempting to trick members of LaSalle Bank into divulging their online banking passwords. At a glance, it appears to be a fairly ordinary phishing attempt, not combined with any obvious attempts to compromise security via browser exploits. Here's how it looks.

[LaSalle Logo]

Dear LaSalle Bank customer,

We recently noticed one or more attempts to log in your LaSalle Bank online banking account from a foreign IP address and we have reasons to believe that your account was hijacked by a third party without your authorization.

If you recently accessed your account while traveling, the unusual log in attempts may have initiated by you.

However if you are the rightful holder of the account, click on the link below and submit, as we try to verify your account. (In case your are not enrolled use your Social Security Number as User ID and  first 6 digits of Social Security Number as password):

https://secure.lasalle.com/CVS/

The log in attempt was made from:

IP address: 159.255.11.185
ISP host: 159.255.11.1.prov.T1fast.net

If you choose to ignore our request, you leave us no choice but to temporally suspend your account.

We ask that you allow at least 48hrs for the case to be investigated and we strongly recommend not making any changes to your account in that time.

If you received this notice and you are not the authorized account holder, please be aware that is in violation of LaSalle Bank policy to represent oneself as another LaSalle Bank account owner.Such action may also be in violation of local, national, and/or international law. LaSalle Bank is committed to assist law enforcement with any inquires related to attempts to misappropriate personal information with the Internet to commit fraud or theft.
Information will be provided at the request of law enforcement agencies to ensure that perpetrators are prosecuted to the fullest extent of the law.

* Please do not respond to this email as your reply will not be received.

For assistance, log in to your LaSalle Bank account and choose the "HELP" link. 

Thanks for your patience as we work together to protect your account.

Regards,

2005 LaSalle Investment Management, Inc. A member of the Jones Lang LaSalle group. All rights reserved.

The details provided about the "attempted login" are a fabrication, and should be ignored. The phish itself was sent from 66.179.134.23 (delegated to "Ultimate Information Systems" in Phoenix, Arizona) on Sun, 15 May 2005 23:48:20 +0000. Much of the information in the headers of the message identifies the sending host as running Knoppix, which is a live-CD Linux distribution. This is probably not falsified -- it's a good way for a spammer with physical access to a computer to temporarily gain complete control of that computer without leaving any traces on it.

The actual link was not to LaSalle (of course), but to http://chenster.info/albums/sif/default_location/ plus some extra rubbish which may have been included for tracking purposes. That address alone is sufficient to bring up the page, however. It appears that "chenster.info" has been compromised, and the phisher has loaded his own web pages onto their server. It does not appear that this particular phisher has registered any domains as a part of his phishing attempt. The address of "chenster.info" is currently 210.17.20.129, which is in Taiwan. I'll send a note to the WHOIS contact for that domain about the situation.
