Phish of the Day: SouthTrust
How convenient: two unrelated phish for SouthTrust so close together that I can report both at once. One of them came in to my "legacy" address -- the one that's been around for so long that it's on lots and lots of spam lists, and I don't bother directing any real correspondence there anymore as a result. That phish was the kind that uses an embedded GIF image instead of text. It was received from 200.103.168.188 (200-103-168-188.fozit7001.dsl.brasiltelecom.net.br.) on Sun, 22 May 2005 21:07:51 +0000, and the phishy URL was http://202.99.223.139/rpm/. That site is in China somewhere, and the version of the SouthTrust page that they've knocked off includes a whole bunch of extra phishing detail in the login form. They prompt for full name, card numbers, PINs, expiration dates, user IDs, passwords, and email address! They also use an annoying Javascript trick to re-open the window if you attempt to close it, and another to keep the window on top if you try to minimise it, or similar.
Our second SouthTrust phish was sent to the contact address for this blog. One of the reasons I created a contact address was to attract spam, which is why I haven't tried any silly tricks to hide it. The phish was received from 65.98.57.114 (address delegated to Pegasus Web Technologies, NJ, USA, according to WHOIS) on Sun, 22 May 2005 14:53:17 -0000. I'll copy the email text here, then continue with comments.
Dear SouthTrust� Client:
Recently, our Account Review Team identified some unusual activity in your
account. In accordance with SouthTrust's User Agreement and to ensure that your
account has not been compromised, access to your credit card account was limited. Your
account access will remain limited until this issue has been resolved. This
is a fraud prevention measure meant to ensure that your credit card account is not
compromised.
In order to secure your account and quickly restore full access, we may
require some specific information from you for the following reason:
We would like to ensure that your account was not accessed by an
unauthorized third party. Because protecting the security of your account
is our primary concern, we have limited access to sensitive SouthTrust account
features. We understand that this may be an inconvenience but please
understand that this temporary limitation is for your protection.
Case ID Number: SS-293-455-573
We encourage you to log in and restore full access as soon as possible.
Should access to your account remain limited for an extended period of
time, it may result in further limitations on the use of your account.However, failure to restore your records will result in credit card account suspension.
Please update your records on or before May 25, 2005.
Once you have updated your account records, your SouthTrust session will not be
interrupted and will continue as normal.Please update your SouthTrust record:
http://69.90.47.8/st/retail/verify.html
Thank you for your prompt attention to this matter. Please understand that
SouthTrust� Account Review Department
this is a security measure meant to help protect you and your account. We
apologize for any inconvenience.
Sincerely,
SouthTrust Email ID PP719
Accounts Management As outlined in our User Agreement, SouthTrust will
periodically send you information about site changes and enhancements.Visit our Privacy Policy and User Agreement if you have any questions.
http://www.southtrust.com/st/AboutUs/PrivacySecurity/Privacy/default.htm
The "please update your SouthTrust record" link is actually to http://updateinfo-secure.com.lhost9.atlantic.net/southtrust/wf34gPaymentLanding&ssPageName=hhpayUSf&=userhgads&secure&ssl7r2vbd7d888httpsloginyoutsecure/, which resolved to 209.208.54.96 (delegated to Internet Connect Company, Inc., FL, USA) when I queried it. This links to another knock-off SouthTrust login page, albeit one that's not nearly as ambitious as the phish I mentioned first, since it only asks for username and password details.
Also of some interest is the fact that the phish email reports that it is copied from http://www.sproot68.com/st/retail/letter.htm (resolving to 69.90.47.8, known canonically as ns6.servepower.com.), and I also find that the phish web page seems to appear at the parent address, http://www.sproot68.com/st/retail/. All this appears to be hosted by "WebServe Canada", so I'll shoot them an email to report their phishy little customer.
4 comments:
send us their hands on a silver platter.that may satisfy some people but I prefer to have the brain of the scammer in a pickled-pigsfeet jar to hold my refrigerator open late at night
China huh? I guess their 'superior' educational facilities have let some brilliant minds slip through the cracks of their structured systems,down into the muck which is festering in their society. thats what you get for buying your clothes off the rack at Red Land.
The Chinese lose face everytime they deceive another human. This type of scam causes the chinese operator to lose face. Not only does he lose face, but this type of chinese scammer is basically exposing his testicles to his grandmother with every attempt at scamming another human being. I hope this can be translated into chinese for them as it may stop them from bothering us and focus they financial embarassment on themselves.
It's unreasonable that you should pick on China in this particular instance, given that facilities in Canada, Brazil, and the USA were also used. And for all we know, the actual phisher is Romanian, or something.
Post a Comment