Phish?
MrLinus
November 24th, 2004, 09:56 PM
If this is a phish, it's a weird one.
Dear Suntrust Bank Customer ID-50661461153,
SunTrust Banks Inc., is committed to maintaining a safe environment for our customers. To protect the security of your account, SunTrust Banks Inc., employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the SunTrust system for unusual activity.
We are contacting you to remind you that on Nov. 24, 2004 our Account Review Team identified some unusual activity in your account. In accordance with SunTrust's User Agreement and to ensure that your account has not been compromised, access to your account was limited. Your account access will remain limited until this issue has been resolved.
We encourage you to log in and perform the steps necessary to restore your account access as soon as possible. Allowing your account access to remain limited for an extended period of time may result in further limitations on the use of your account and possible account closure. Visit now Online Banking page and sign on to your account for verification process: http://www.suntrust.com/personal/Checking/OnlineBanking/Internet_Banking/index.php
Thank you for your prompt attention to this matter. Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience.
Sincerely,
Suntrust Banks Inc., Account Review Department.
The link that is shown there is actually http://210.127.248.70/personal/Checking/OnlineBanking/Internet_Banking/ . But it seems to go to a legit (??) site.
If it's spam, it's awfully weird spam. If anyone is interested, I have done a wget recursively but have saved it in a file that's rather large (1.1MB). If you want it emailed so you can explore it, let me know. I was rather surprised at what I pulled up from that site.
XTC46
November 24th, 2004, 10:24 PM
[QUOTE]inetnum: 210.125.0.0 - 210.127.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: hm-changed@apnic.net 19981001
changed: hm-changed@apnic.net 20010606
changed: hm-changed@apnic.net 20040319
status: ALLOCATED PORTABLE
source: APNIC
person: Host Master
address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address: Seoul, Korea, 137-857
country: KR
phone: +82-2-2186-4500
fax-no: +82-2-2186-4496
e-mail: hostmaster@nic.or.kr
nic-hdl: HM127-AP
mnt-by: MNT-KRNIC-AP
changed: hostmaster@nic.or.kr 20020507
source: APNIC
inetnum: 210.127.248.0 - 210.127.249.255
netname: IEI-SHINDAEBANG-KR
descr: IEI
descr: 395-62 Shindaebang-dong Dongjak-ku
descr: SEOUL
descr: 156-010
country: KR
admin-c: JB374-KR
tech-c: JB375-KR
remarks: This IP address space has been allocated to KRNIC.
remarks: For more information, using KRNIC Whois Database
remarks: whois -h whois.nic.or.kr
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20041123
source: KRNIC
person: Jongsu Byun
descr: IEI
descr: 395-62 Shindaebang-dong Dongjak-ku
descr: SEOUL
descr: 156-010
country: KR
phone: +82-2-836-0100
fax-no: +82-2-836-6327
e-mail: jongsu@iei.or.kr
nic-hdl: JB374-KR
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20041123
source: KRNIC
person: Jongsu Byun
descr: IEI
descr: 395-62 Shindaebang-dong Dongjak-ku
descr: SEOUL
descr: 156-010
country: KR
phone: +82-2-836-0100
fax-no: +82-2-836-6327
e-mail: jongsu@iei.or.kr
nic-hdl: JB375-KR
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20041123
source: KRNIC
[/QUOTE]
http://www.apnic.net/apnic-bin/whois.pl
After doing a lookup at ARIN I was pointed to the website above. For some reason I don't think I would trust a bank webpage coming out of Korea...
MrLinus
November 24th, 2004, 10:27 PM
Especially if the bank is apparently located in Atlanta, Georgia. My wget -sr resulted in the following:
210.127.248.70 www.advertising.com
channels.netscape.com www.consumer.gov
customercare.suntrust.com www.doubleclick.com
ebusiness.suntrust.com www.ftc.gov
giftcard.suntrust.com www.ibsnetaccess.com
inquirasearch.suntrust.com www.life-insurance-service.com
internetbanking.suntrust.com www.maxxinvest.com
mysolutions.suntrust.com www.mbna.com
onlinetreasurymanager.suntrust.com www.microsoft.com
rn.ftc.gov wwwn.applyonlinenow.com
tips.fbi.gov www.sec.gov
travel.state.gov www.suntrust.com
trustservices.suntrust.com www.suntrustmortgage.com
vbv.arcot.com www.usps.com
www2.suntrust.com www.visa.com
XTC46
November 24th, 2004, 10:30 PM
DING DING DING DING WE HAVE A WINNER!!!!! Phish confirmed...lol
MrLinus
November 24th, 2004, 10:32 PM
Care to elaborate?
XTC46
November 24th, 2004, 10:40 PM
Well, I did a little bit of googling and SunTrust is a known cover for a lot of phishing-type emails. I found 2 or 3 variations of emails from them and they were confirmed phish. That, in conjunction with them being in Atlanta but their webpage being in Korea (of all countries), makes me pretty certain that this is indeed a phish. Added to all this, them covering the link's actual address is sort of icing on the cake.
Und3ertak3r
November 24th, 2004, 10:44 PM
You are a customer of the Bank?
and their comment on the email..? that is if you are a customer..
/edit: A simple 2 line reply and I take 20 mins to type it.. sheeeeees.. see ya's in a few weeks...
MrLinus
November 24th, 2004, 10:45 PM
Well, I figured that, but seriously, check the links. When you choose the option to go to the Online service it actually redirects you to the LEGIT SunTrust website. That's why I'm not quite sure how well devised this phish is. Or is it a phish? Perhaps an attempt to get "free advertising" (Oh poor us..)
XTC46
November 24th, 2004, 10:49 PM
Well, if you go to the sign-on link it is fake and takes you to another 210 IP address. The rest all point to domain names, but that one takes you to another IP. So I'm assuming if you "sign on" you send them your info.
Tiger Shark
November 24th, 2004, 10:49 PM
Ms. M:
I have got quite a few of these recently and the IP address for the link is a definite phish. If you try to connect they are sometimes already down, sometimes still up. In your case you may have found a situation where a legit web site was compromised and the additional pages added. This has since been identified and fixed, thus you find a legitimate site in its place....
It's a guess but it's my best guess.... SunTrust is being heavily targeted for phishing in the last week or so, as witnessed by the number I have been getting.... I usually get very few phishes.
Spyrus
November 25th, 2004, 02:30 AM
Not to mention, if you just go to http://210.127.248.70/ you get some foreign characters (my guess Korean), and if you do just a simple ping of suntrust.com you get a completely different server (167.181.46.21). Not even close to the original. As stated before, all links from that fake website point to the other website EXCEPT the login, which sends info to Korea.
Juridian
November 25th, 2004, 02:59 AM
I get a ton of suntrust mails spammed to my domain. Just more phishing mail along the lines of citibank, wamu, etc.
ShagDevil
November 25th, 2004, 04:16 AM
From Internet.com dated November 10th 2004:
Now, phishing has taken a nasty new twist, according to Susan Larson, SurfControl's vice president of global content. "It's a hacking of the search technology on the sites," she said.
In this virulent new breed, the link in the e-mail takes those who click to a fraudulent page that's actually hosted on the bank's Web site. The spoof exploits a flaw in the banking sites' search servers. This flaw lets the crooks run a JavaScript page that displays their own phishing site instead of a legitimate Citibank or SunTrust Web page. Once the user enters the requested information and submits it, the data is whisked to an off-site server operated by the identity thieves.
Full article here (http://www.internetnews.com/security/article.php/3433651)
Maybe this explains why the link appears valid?
MrLinus
November 25th, 2004, 10:51 AM
Actually, that would make sense based on what the wget shows up.
SirDice
November 25th, 2004, 01:10 PM
Speaking of SunTrust, I just noticed something on our scanners....
An email with some html
<html><p><font face="Arial"><A HreF="http://www.suntrust.com/personal/Checking/OnlineBanking/Inerenet_Banking/security.asp"><map name="FPMap0"><area coords="0, 0, 646, 437" shape="rect" href="http://%31%39%35%2E%31%34%36%2E%39%39%2E%31%38%30:%38%37/%73%74/%69%6E%64%65%78%2E%68%74%6D"></map><img SRC="cid:part1.01050108.04070504@supprefnum91606539299237@suntrust.com" border="0" usemap="#FPMap0"></A></a></font></p><p><font color="#FFFFF2">I wish What can you say? Yes, it's me. here you are Games May I put in a word? Grinch in 1937 How old? in 1907 in 2005 in 1813 Stock Quotes VIEW RESULTS ??? ???? Ricky Martin Majora's Mask It's impossible it's beautiful Super Bowl Lycos Internet Pull yourself together! Super Bowl Commercials I wish </font></p></html>
Sophos identified it as Troj/BkFraud-A (http://www.sophos.com/virusinfo/analyses/trojbkfrauda.html).
MrLinus
November 25th, 2004, 01:31 PM
Interesting. Sophos identifies it as a trojan and yet Trendmicro says it's a Phish (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML_SUNFRAUD.B). So which is it?
SirDice
November 25th, 2004, 02:05 PM
href="http://%31%39%35%2E%31%34%36%2E%39%39%2E%31%38%30:%38%37/%73%74/%69%6E%64%65%78%2E%68%74%6D"
decodes to:
http://195.146.99.180:87/stindex.htm
Nothing trojan about it. But maybe the stindex.htm contains a trojan? I cannot fetch it...
Hehe. Just noticed that the suntrust url has a typo in it. The typo is also in the original.
SittingDuck
November 25th, 2004, 04:51 PM
The fact this kind of information came via email is the real giveaway. It is very simple: no bank, web email, eBay, PayPal etc. will ever send you any request asking you to verify your user and password.
On a side note, an attacker does not even have to use JavaScript to achieve the attack. By exploiting a flaw where the attacker can inject code into the site, they can use simple HTML code to create a new form on the page, but that form posts the data to their web site and not the bank's. Thus no popup etc. But that is just one way this attack can be done.
SittingDuck
sepultura
November 25th, 2004, 05:09 PM
Well, your best bet is to call customer service? That's it, Honey. ;-)
rapier57
November 26th, 2004, 03:46 AM
Some of the phishing is generated using trojans. Here is a site that I came across that deals with phishing issues:
http://antiphishing.org/
You will see that the SunTrust phishing message is listed there and is one of the more recent phishing scams. In almost all cases, the real sites of the banks in question will have information indicating that they make no contact with customers via email. Just did check the real Citibank, BankOne and SunTrust sites.
i90t@dd
December 1st, 2004, 04:15 PM
I apologize if I am just repeating what has been said already (I'm at work and can only speed-read through the posts). I just received this SunTrust email and read this article linked on your website http://www.enterpriseitplanet.com/security/news/article.php/3437601 . If this is a Trojan, does that mean I am infected just by getting the email, even if I haven't followed the link? Also, can somebody explain to me what the purpose of the gibberish is at the bottom of some of these emails? Usually it's written in white and you do not notice it unless you view source or highlight the text. Here's an example:
in 1808 Men in 1930 Verizon Strike Digital Cameras where were? in 1976 Magazines in 1948 Don't listen to Loft Story Terra may close Alaska Panasonic in 1816 in 1918 skateboard Weather USA Toys but... Winamp Jennifer Lopez Digimon
What is that? Thanks in advance for any answers to my questions.
karmine
December 1st, 2004, 04:23 PM
Best thing to do is not click links for any type of bank. Last I knew, if there was a problem with your account the bank would call you, not email you, just because of this type of problem.
karmine
December 1st, 2004, 04:26 PM
I think the gibberish is to get the email through spam filters? I see it in Yahoo chat rooms too; even when I have spam filters they'll go to all lengths to get through. Why don't they understand (respect?) our decision to ignore them, heh.
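As an added example (editor's code, not from any poster in this thread), the Python below does mechanically what the posts above did by hand. It percent-decodes an href like the one SirDice quoted and compares the real host with the host the reader is shown (the URL in the link text, or the href of the enclosing <A> when the clickable part is an image-map <area>), flags a <form> whose action posts somewhere other than the bank (the injected-form variant SittingDuck describes), and pulls out the near-white filler text i90t@dd asked about. The sample mail is constructed from the mark-up quoted in the thread plus MrLinus's "shows suntrust.com, goes to 210.127.248.70" link; the login form, the `#FFFFF2` threshold and the expected host `www.suntrust.com` are assumptions.

```python
"""Triage helper for HTML phishing mail (added example, not a poster's code).
Checks: (1) real vs displayed host of every <a>/<area> href after percent-
decoding, (2) <form action> host vs the host the mail claims to be from,
(3) text rendered in a near-white colour (filler aimed at Bayesian filters)."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import unquote, urlsplit

# Constructed sample: SirDice's mark-up trimmed, plus MrLinus's mismatched link
# and a hypothetical off-site login form (the form is an assumption).
SAMPLE_MAIL = (
    '<html><p><font face="Arial">'
    '<A HreF="http://www.suntrust.com/personal/Checking/OnlineBanking/Inerenet_Banking/security.asp">'
    '<map name="FPMap0"><area coords="0, 0, 646, 437" shape="rect" '
    'href="http://%31%39%35%2E%31%34%36%2E%39%39%2E%31%38%30:%38%37/%73%74/%69%6E%64%65%78%2E%68%74%6D">'
    '</map><img SRC="cid:part1.01050108.04070504@suntrust.com" border="0" usemap="#FPMap0"></A></a></font></p>'
    '<p><a href="http://210.127.248.70/personal/Checking/">http://www.suntrust.com/personal/Checking/</a></p>'
    '<form action="http://195.146.99.180:87/st/login.php" method="post">'
    '<input name="user"><input name="pass" type="password"></form>'
    '<p><font color="#FFFFF2">I wish What can you say? Grinch in 1937 Stock Quotes</font></p></html>'
)


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def is_near_white(color, threshold=0xF0):
    """True for a #RRGGBB colour with every channel >= threshold (assumes a white
    mail background, as in the samples quoted above)."""
    if not color or not color.startswith("#") or len(color) != 7:
        return False
    try:
        channels = [int(color[i:i + 2], 16) for i in (1, 3, 5)]
    except ValueError:
        return False
    return min(channels) >= threshold


def decode_href(href):
    """Percent-decode the whole href (mail clients of the day decoded the host
    part too) and return (decoded_url, host, flags)."""
    decoded = unquote(href)
    host = (urlsplit(decoded).hostname or "").lower()
    flags = []
    if decoded != href:
        flags.append("percent-encoded")
    if is_ip_literal(host):
        flags.append("ip-literal")
    return decoded, host, flags


def displayed_host(link):
    """Host the reader thinks they are clicking: a URL in the link text, else the
    href of the enclosing <a> (image-map trick), else None."""
    for token in link["text"].split():
        if "://" in token:
            return (urlsplit(token).hostname or "").lower()
    if link["parent"]:
        return decode_href(link["parent"])[1]
    return None


class MailParser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self.forms, self.hidden_text = [], [], []
        self._open_a = []       # link dicts of currently open <a> elements
        self._font_hidden = []  # per open <font>: is its colour near-white?

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)     # html.parser lower-cases tag and attribute names
        if tag in ("a", "area"):
            parent = self._open_a[-1]["href"] if self._open_a else None
            link = {"href": attrs.get("href") or "", "text": "", "parent": parent}
            self.links.append(link)
            if tag == "a":
                self._open_a.append(link)
        elif tag == "form":
            self.forms.append(attrs.get("action") or "")
        elif tag == "font":
            self._font_hidden.append(is_near_white(attrs.get("color")))

    def handle_endtag(self, tag):
        if tag == "a" and self._open_a:
            self._open_a.pop()
        elif tag == "font" and self._font_hidden:
            self._font_hidden.pop()

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        if self._open_a:
            self._open_a[-1]["text"] += text
        if self._font_hidden and self._font_hidden[-1]:
            self.hidden_text.append(text)


def analyze(html, expected_host="www.suntrust.com"):
    p = MailParser()
    p.feed(html)
    p.close()
    report = {"suspicious_links": [], "suspicious_forms": [], "hidden_text": p.hidden_text}
    for link in p.links:
        decoded, host, flags = decode_href(link["href"])
        shown = displayed_host(link)
        if shown and shown != host:
            flags.append(f"shows {shown} but goes to {host}")
        if flags:
            report["suspicious_links"].append({"href": link["href"], "decoded": decoded, "host": host, "flags": flags})
    for action in p.forms:
        decoded, host, flags = decode_href(action)
        if host and host != expected_host:
            flags.append(f"posts to {host}, not {expected_host}")
        if flags:
            report["suspicious_forms"].append({"action": action, "decoded": decoded, "host": host, "flags": flags})
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_MAIL), indent=2))
```

Run it as a script to dump the report for the constructed sample; on a real message, feed it the decoded HTML part and pass the bank's real host as `expected_host`. Decoding before splitting the URL matters: the host in SirDice's href is itself percent-encoded, so `urlsplit` on the raw string would never see an IP address.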
zENGER
December 1st, 2004, 05:34 PM
My guess would be that they copied the content from suntrust to their site and modified it. They then capture your account info as you enter it on the site you think is legit and forward you on to the legit site making you think nothing is wrong. Then later they can use the information and you don't even realize that you gave it to them.