Phishing: Charter One Bank

  1. #1
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Phishing: Charter One Bank

    Hmm. I received an email from Charter One Bank asking me to confirm my customer details. Funny thing is... I don't use that bank... Attached is a picture of the email.

    Source shows it had been sent through some cable ISP in Canada.
    The "link" inside uses a <map> to actually send you to http://custconf.com:880

    Code:
    <html><p><font face="Arial">
    <A HREF="https://www.charteronebank.com/general/custdetailsconfirmation.asp">
    <map name="HM0EG3wPJ">
    <area coords="0, 0, 651, 332" shape="rect" href="http://custconf.com:880"></map>
    <img SRC="cid: part1.00020603.06000909@support_ref_...teronebank.com" border="0" usemap="#HM0EG3wPJ">
    </A></a>
    </font></p><p><font color="#FFFFF8">I'd like Cheer up! Dale Earnhardt O-Town it's for you. </font></p></html>
    custconf.com resolves to an IP address in Korea....

    I smell a Phish!
    Oliver's Law:
    Experience is something you don't get until just after you need it.
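    A check for the trick described in this post, written as an added example (not code from the post or the forum): the anchor points at the real bank, but the image map's <area> silently sends the click elsewhere. The SAMPLE is a constructed copy of the posted source with the cid: image reference replaced by a placeholder; the class and function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the posted source; the cid: image reference is a placeholder.
SAMPLE = """<html><p><font face="Arial">
<A HREF="https://www.charteronebank.com/general/custdetailsconfirmation.asp">
<map name="HM0EG3wPJ">
<area coords="0, 0, 651, 332" shape="rect" href="http://custconf.com:880"></map>
<img SRC="cid:IMAGE-PLACEHOLDER" border="0" usemap="#HM0EG3wPJ">
</A></a></font></p></html>"""

class MapLinkAuditor(HTMLParser):
    """Collect open <a> hrefs, <map>/<area> targets and which <img> uses which map."""
    def __init__(self):
        super().__init__()
        self.anchors = []        # stack of hrefs of currently open <a> tags
        self.maps = {}           # map name -> list of <area> hrefs
        self.current_map = None
        self.images = []         # (usemap name, href of enclosing <a> or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # html.parser lower-cases tag and attribute names
        if tag == "a":
            self.anchors.append(a.get("href"))
        elif tag == "map":
            self.current_map = a.get("name")
            self.maps.setdefault(self.current_map, [])
        elif tag == "area" and self.current_map is not None and a.get("href"):
            self.maps[self.current_map].append(a["href"])
        elif tag == "img" and a.get("usemap"):
            enclosing = self.anchors[-1] if self.anchors else None
            self.images.append((a["usemap"].lstrip("#"), enclosing))

    def handle_endtag(self, tag):
        if tag == "a" and self.anchors:     # tolerate the stray </a> in the sample
            self.anchors.pop()
        elif tag == "map":
            self.current_map = None

def host(url):
    return (urlsplit(url).hostname or "").lower()

def find_hijacked_links(html):
    """Return (anchor_href, area_href) pairs where the image map sends a click to a
    different host than the anchor that visually wraps the image."""
    p = MapLinkAuditor()
    p.feed(html)
    return [(anchor, area) for name, anchor in p.images
            for area in p.maps.get(name, []) if anchor and host(area) != host(anchor)]
```

    Run on SAMPLE it reports the charteronebank.com anchor paired with the custconf.com:880 area target; a mail filter can flag any such mismatch before the user ever sees the message.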

  2. #2
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi SirDice,

    Well, I knew there was no bank in Canada with that name... I never get that stuff... probably because I'm on a little-known ISP that no one cares about... then again, I might have gotten a few... my ISP has a junk bin for my e-mails which they stop before they even get to my box... the only way to see them is to go to that junk box and I never have... I get notices but I never go. If it looks like Scam, smells like Scam, and tastes like Scam, it's a Scam.

    Eg

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Actually I believe Charter One is a real bank (http://www.charteronebank.com <- real link, no phishing ). But the link inside the email doesn't really point to their website.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi SirDice,

    http://www.millersmiles.co.uk/report/194
    Charter One Bank - Confirm Your Details To Avoid Service Cancellation - Charter One Bank 'Scams' - millersmiles.co.uk

    Here's the link you want. And here's another...

    http://www.trendmicro.com/en/securit...ish050309a.htm
    Company: Charter One Bank

    Eg

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Yep. Looks exactly the same. But mine points to a different URL (different from the one noted by Trend and the one on millersmiles). Looks like the scammers have moved again....

    As of right now, the url in mine is still up and running.

    Oh. WARNING. Do not point your browser to that phisher's site. It will run JS/Stealus.

    Funny though.. That phisher's site.. First time I netcatted it I received the usual 200 OK, then a perl error message, then headers that appear to come from apache. If I do it right now the server suddenly changed into SHS (whatever that is) and the rest of the headers look different too. Sadly I didn't record the first response.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Did some more digging. I'm using my own thread to keep notes. Maybe we can track the sucker..

    The phisher's url on Trend is dead. Cleaned up. Doesn't exist any more.
    The phisher's ip on millersmiles is owned by a Hong Kong based telco/isp (http://www.hgc.com.hk ).

    Onto mine:
    Domain Name: CUSTCONF.COM
    Registrar: YESNIC CO. LTD.
    Whois Server: whois.yesnic.com
    Referral URL: http://www.yesnic.com
    Name Server: NSA1.SPX2K.NET
    Status: ACTIVE
    Updated Date: 30-mar-2005
    Creation Date: 18-mar-2005
    Expiration Date: 18-mar-2006
    All contacts are the same:
    Name : LeiMomi01 Design
    Email : leimomi01@tom.com
    Address : P.O. Box 351019, Brooklyn, NY
    Zipcode : 11235
    Nation : US
    Tel : +1.718-213-4074
    Fax : +1.302-338-7956
    Interesting, about a month old, recently updated (see above):
    :: Dates & Status::
    Created Date 2005-03-18 03:39:32 EST
    Updated Date 2005-03-18 03:39:32 EST
    Valid Date 2006-03-18 03:39:32 EST
    Status ACTIVE
    The registrar (YesNIC) looks legit (cheap too) so the contact's email address probably works. Let's see what/who is tom.com?

    The only thing I could read on http://www.tom.com was this:
    TOM Online Inc. {..} is a leading mobile Internet company in China, operating one of the most successful Internet portals in China (www.tom.com) and offering a wide variety of online and mobile services,{...}
    OK. tom.com looks and feels legit (whois info too). But it might be some unsuspecting soul. Searching google for the name gets me 2 hits http://www.joewein.de/sw/fraud-intmedcorp.htm Interesting.. same whois info..
    intmedcorp.com is a fraud
    The following job offer was sent out as spam by an organized crime group. The domain intmedcorp.com and the related domain intmc.org were only created two weeks before the spam was sent. The purpose of this job offer is to trick people into helping move stolen money out of the country for the gang.
    Hey, this sounds like a 419. Phishing and a 419.. These guys are doing all sorts of **** to trick our unsuspecting users..

    So much for all the info from whois..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi SirDice,

    I did click your links before my first post but I think one went nowhere and the banking site had an alert pop-up that said " d..." something or other...

    seems like these guys are trying harder than the average scammer...eh?

    Eg

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Next..

    Onto the DNS domain. So much to check... So much info..

    The custconf.com domain is controlled by nsa1.spx2k.net.
    spx2k.net looks dodgy.. relatively new too.
    Domain Name: SPX2K.NET
    Registrar: YESNIC CO. LTD.
    Whois Server: whois.yesnic.com
    Referral URL: http://www.yesnic.com
    Name Server: NS1.SPX2K.COM
    Name Server: NSFR3.US2K.NET
    Name Server: NS1.TEENSJCASH.COM

    Status: ACTIVE
    Updated Date: 17-mar-2005
    Creation Date: 17-jan-2005
    Expiration Date: 17-jan-2006
    Contact email: Google is my friend, first hit gave more clues. Same info.. More phishing.. different domains (again).. same nameservers.. hmmm..

    Domain Name: SPX2K.COM
    Registrar: TUCOWS INC.
    Whois Server: whois.opensrs.net
    Referral URL: http://domainhelp.tucows.com
    Name Server: NS1.US2K.NET
    Status: REGISTRAR-HOLD
    Updated Date: 08-feb-2005
    Creation Date: 03-feb-2005
    Expiration Date: 03-feb-2006
    Domain Name: TEENSJCASH.COM
    Registrar: TUCOWS INC.
    Whois Server: whois.opensrs.net
    Referral URL: http://domainhelp.tucows.com
    Name Server: NS1.TEENSJCASH.COM
    Name Server: NS2.TEENSJCASH.COM
    Status: ACTIVE
    Updated Date: 09-mar-2005
    Creation Date: 24-feb-2005
    Expiration Date: 24-feb-2006
    Both domains are owned by:
    HANNON, LEANDRAE leandraehannon@yahoo.com
    3412 Monterey
    St. Joseph, AL 23412
    US
    +1.8162792672
    This one keeps popping up:
    Domain Name: US2K.NET
    Registrar: YESNIC CO. LTD.
    Whois Server: whois.yesnic.com
    Referral URL: http://www.yesnic.com
    Name Server: No nameserver
    Status: REGISTRAR-LOCK
    Updated Date: 16-mar-2005
    Creation Date: 19-jan-2005
    Expiration Date: 19-jan-2006
    Contact info is familiar
    Name : LeiMomi01 Design
    Email : leimomi01@tom.com
    Address : P.O. Box 351019, Brooklyn, NY
    Zipcode : 11235
    Nation : US
    Tel : +1.718-213-4074
    Fax : +1.302-338-7956
    So we end up with a couple of dodgy DNS servers. They all seem to host various domains that are connected in some way or another with phishing..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by Egaladeist
    seems like these guys are trying harder than the average scammer...eh?
    Indeed. It doesn't look like your everyday garden variety scriptkiddie.

    It does look like someone's New Year's resolution.. I haven't found any domain that was registered before jan. 17th of this year.. Some resolution.. "I'm going to make money phishing in 2005"..
    What the hell was s/he drinking/smoking??
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Junior Member
    Join Date
    May 2005
    Posts
    1
    Good morning all,

    Noob here, I was led to this post on this forum by following an investigation of my own into a lovely bit of spoofing/phishing. I'm not a tech expert but I have enough know-how to get me this far. Anyone want to pick up where I ran out of expertise?

    I also received the Charter One bank phishing mail - and today I received an identical mail but from SouthTrust bank. Both are real banks, neither sent these emails.

    The SouthTrust email dead ends with a "You do not have permission to view" page. The reported URL is http://systdll.com/.../st

    I ran a Whois check on www.systdll.com and got:

    05/23/05 11:51:06 whois systdll.com
    .com is a domain of USA & International Commercial
    Searches for .com can be run at http://www.crsnic.net/

    Domain Name : systdll.com

    ::Registrant::
    Name : James Harris
    Email : leimomi01@tom.com
    Address : 27 Nottingham Road, Eastwood, Nottingham
    Zipcode : NG16 3AD
    Nation : UK
    Tel : +1.718-213-4074
    Fax : +1.302-338-7956

    ::Administrative Contact::
    Name : James Harris
    Email : leimomi01@tom.com
    Address : 27 Nottingham Road, Eastwood, Nottingham
    Zipcode : NG16 3AD
    Nation : UK
    Tel : +1.718-213-4074
    Fax : +1.302-338-7956

    ::Technical Contact::
    Name : James Harris
    Email : leimomi01@tom.com
    Address : 27 Nottingham Road, Eastwood, Nottingham
    Zipcode : NG16 3AD
    Nation : UK
    Tel : +1.718-213-4074
    Fax : +1.302-338-7956

    ::Name Servers::
    name2.systdll.com
    name.systdll.com

    ::Dates & Status::
    Created Date 2005-05-15 09:22:29 EDT
    Updated Date 2005-05-15 09:22:29 EDT
    Valid Date 2006-05-15 09:22:29 EDT
    Status ACTIVE

    Which is interesting as that's what I got when I did the same thing with the Charter One email - although that now dead ends with some other information.

    I postcode-checked the address as shown and apparently it's a branch of National Westminster Bank in Nottingham, UK.

    I rang the branch and asked if they have a James Harris on their staff, or if there are any other businesses registered at that address, the answer to both questions is no but they have taken all the relevant details for their own investigation. Which is nice of them.

    The other interesting thing is the email address - leimomi01@tom.com, type it into Google and there's a whole string of posts similar to this one that comes up. There are also some references to the same email address being used in a fake job offer scam earlier in the year. I have of course emailed it but I imagine it's just an unused inbox full of insults from other spamees.

    So whoever Mr Harris really is, he's a busy boy, obviously.
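    The pivoting done by hand in posts #6, #8 and #10 (same registrant e-mail, nameservers hosted under each other's domains) can be automated over a pile of whois output. This is an added example, not code from the thread; RECORDS is a constructed sample condensed from the records quoted above, the function names are my own, and parent_domain assumes two-label registrable domains.

```python
import re
from collections import defaultdict
# Constructed sample, condensed from the whois output quoted in the thread.
RECORDS = """\
Domain Name: CUSTCONF.COM
Name Server: NSA1.SPX2K.NET
Email : leimomi01@tom.com

Domain Name: SPX2K.NET
Name Server: NS1.SPX2K.COM
Name Server: NSFR3.US2K.NET
Name Server: NS1.TEENSJCASH.COM

Domain Name: SYSTDLL.COM
Name Server: name.systdll.com
Email : leimomi01@tom.com
"""

def parse_records(text):
    recs = []
    for block in re.split(r"\n\s*\n", text.strip().lower()):   # one whois block per domain
        rec = {"domain": None, "name server": set(), "email": set()}
        for key, val in re.findall(r"^\s*([a-z ]+?)\s*:\s*(\S+)", block, re.M):
            if key == "domain name":
                rec["domain"] = val
            elif key in rec:
                rec[key].add(val)
        if rec["domain"]:
            recs.append(rec)
    return recs

def parent_domain(host):
    # Assumption: two-label registrable domains; real use needs the public suffix list.
    return ".".join(host.split(".")[-2:])

def pivot_cluster(text, seed):
    """Domains reachable from seed via shared registrant e-mail or name-server parent domain."""
    links = defaultdict(set)   # undirected edges between domains and "email:" pivot nodes
    for r in parse_records(text):
        for k in {"email:" + e for e in r["email"]} | {parent_domain(n) for n in r["name server"]}:
            links[r["domain"]].add(k)
            links[k].add(r["domain"])
    seen, todo = set(), [seed.lower()]
    while todo:
        node = todo.pop()
        if node not in seen:
            seen.add(node)
            todo.extend(links[node] - seen)
    return {n for n in seen if not n.startswith("email:")}
```

    Seeded with custconf.com it returns spx2k.net (its nameserver's domain), the three domains spx2k.net's own nameservers live under, and systdll.com via the shared e-mail address, which is exactly the chain the thread built by hand.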
