Regions Bank Phish

Thread: Regions Bank Phish

  1. #1
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324

    Regions Bank Phish

    I got the following email with the subject of WARNING: CONFIRM YOUR ONLINE BANKING ACCOUNT (obvious phish)

    Dear client of Regions Bank,

    Technical services of the Regions Bank are carrying out a planned software upgrade. We earnestly ask you to visit the following link to start the procedure of confirmation on customers data.

    To get started, please click the link below:

    https://online.regions.com/ibsregion...lt/confirm.cfm

    This instruction has been sent to all bank customers and is obligatory to fallow.

    Thank you,

    Customers Support Service.
    What I found interesting is that the true source -- hxxp://www.m4r0c4n.com/REGIONS/user.htm -- doesn't have a registry listing (??). The pertinent header info indicates NL (Netherlands) and FR (France) as the source:

    Received: from 62.193.214.56 (vds-348840.amen-pro.com [xx.yy.xx.yy])
    by mailhub.xxx.net (Postfix) with SMTP id 464C62B691D
    for <msmittens@msmittens.com>; Sun, 17 Apr 2005 09:33:14 -0400 (EDT)
    Received: from 212.80.144.5 by ; Sun, 17 Apr 2005 16:24:27 +0200
    So, any ideas why it doesn't appear registered?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
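
Added example, not part of the original post: a way to walk the Received chain quoted above oldest-first and note what a responder would check by hand. The recipient address is replaced with a placeholder, the Subject line and body are constructed, and the function and field names are illustrative.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# The two Received lines quoted in the post (bracketed address already masked
# there as xx.yy.xx.yy); recipient, Subject and body are constructed placeholders.
RAW = """\
Received: from 62.193.214.56 (vds-348840.amen-pro.com [xx.yy.xx.yy])
    by mailhub.xxx.net (Postfix) with SMTP id 464C62B691D
    for <recipient@example.org>; Sun, 17 Apr 2005 09:33:14 -0400 (EDT)
Received: from 212.80.144.5 by ; Sun, 17 Apr 2005 16:24:27 +0200
Subject: constructed sample

constructed body
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<peer>[^)]*)\))?\s+by\s+(?P<by>[^\s;]*)")
BARE_IP = re.compile(r"\[?\d{1,3}(?:\.\d{1,3}){3}\]?")

def trace_hops(raw):
    """Return Received hops oldest-first, each with notes on oddities."""
    values = message_from_string(raw).get_all("Received", [])
    hops, previous = [], None
    for value in reversed(values):             # each MTA prepends, so reverse
        flat = " ".join(value.split())         # unfold continuation lines
        trace, _, date = flat.rpartition(";")
        m = HOP.search(trace)
        when = parsedate_to_datetime(date.strip())
        hop = {"helo": m["helo"] if m else None, "peer": m["peer"] if m else None,
               "by": m["by"] if m else None, "when": when, "notes": []}
        if hop["helo"] and BARE_IP.fullmatch(hop["helo"]):
            hop["notes"].append("HELO is a bare IP address")
        if m and not hop["by"]:
            hop["notes"].append("receiving host name is empty")
        if previous is not None:
            hop["delay_s"] = int((when - previous).total_seconds())
            if hop["delay_s"] < 0:
                hop["notes"].append("timestamp is earlier than the previous hop")
        previous = when
        hops.append(hop)
    return hops

if __name__ == "__main__":
    for n, hop in enumerate(trace_hops(RAW), 1):
        print(n, hop["helo"], "->", hop["by"] or "(none)", hop["when"].isoformat(), hop["notes"])
```

Only the topmost Received line is written by the recipient's own mail server; the lines below it are supplied by the sending side and can be forged.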

  2. #2
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi MsMittens,

    Someone else here got the same thing...this is one of the links I posted there...

    http://www.millersmiles.co.uk/report/210
    YOUR REGIONS BANK ACCOUNT - Regions Bank 'Scams' - millersmiles.co.uk


    EDIT: http://www.antionline.com/showthread...hreadid=267560
    AntiOnline - Pissing my BSD boxers with laughter


    I know that one scam had set up a bank page identical to the real one and somehow got people to go to their site from the real site...I think I posted the links in SirDice's Chapter One Bank thread. Could it be the site you suspect is a copy?

    Eg

  3. #3
    Member
    Join Date
    Apr 2005
    Posts
    45
    Hi!

    - Firstly, I get a message on Firefox (1.0.3) - "The connection to online.regions.com has terminated unexpectedly. Some data may have been transferred". In IE, "cannot find server, The page cannot be displayed". It is down I think.

    Well, I have been receiving this Regions Bank scam almost daily with my regular Yahoo account. Even though I already reported it as spam, I still received it from time to time. Now, I used a different e-mail account (and provider) just to avoid such spam.


    62.193.214.56 - some company named Plesk:
    This is the Plesk™ default page

    If you see this page it means:

    1) hosting for this domain is not configured
    or
    2) there's no such domain registered in Plesk.

    For more information please contact @adminemail@.
    212.80.144.5 - Network Error
    Network Error (tcp_error)

    A communication error occurred: "Operation timed out"
    The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.

    For assistance, contact your network support team.
    The pertinent header info indicates NL (Netherlands) and FR (France) as the source:
    Using RIPE.net:
    212.80.144.5 - SPAIN
    62.193.214.56 - FRANCE


    FYI, I think this link leads to the REAL Regions Bank - http://www.regions.com/personal_home.shtml -

    *And the REAL link that the SCAM SITE copied - https://secure.regionsnet.com/EBanki...faultAffiliate

    And one more observation, almost all the links in the scam site (aside from the login link) link back to the REAL site to show it's legit. OLD PHISHING...

    Lastly, digging further, you may also want to check other pages inside the source of the scam link - hXXp://www.m4r0c4n.com/REGIONS/measures.htm

    THIS IS THE SECRET - from the source - hXXp://www.m4r0c4n.com/REGIONS/user.htm
    Code:
    name="logonForm" method="POST" action="signon.php" onsubmit="if (this.disabled) return false;
    It is really nice and fun digging some!

    -GONE
    an\"to*nym (noun) [Greek: a word used in substitution for another]
    A word of opposite meaning ; a counter-term ; used as a correlative of synonym
    - Dr. Gung-ho
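
Added example, not part of the original post: a check for the pattern described above, where most links on a page point at one other site while the password form posts elsewhere. The sample page is constructed from the form attributes and file names quoted in the post, `phish.example` is a placeholder for the defanged host, and the class and function names are illustrative.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PageAudit(HTMLParser):
    """Collect the host every link and form on a page resolves to."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.link_hosts = Counter()
        self.forms = []

    def _host(self, ref):
        # Relative references such as "signon.php" resolve against the page URL.
        return urlsplit(urljoin(self.page_url, ref or "")).hostname

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.link_hosts[self._host(a["href"])] += 1
        elif tag == "form":
            self.forms.append({"host": self._host(a.get("action")), "password": False})
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1]["password"] = True

def audit(page_url, html):
    """Flag pages whose links mostly point at one other site while the
    credential form posts somewhere else (exact host match, no suffix list)."""
    page = PageAudit(page_url)
    page.feed(html)
    own = urlsplit(page_url).hostname
    offsite = Counter({h: n for h, n in page.link_hosts.items() if h and h != own})
    brand, hits = (offsite.most_common(1) or [(None, 0)])[0]
    total = sum(page.link_hosts.values())
    posts_to = sorted({f["host"] or "" for f in page.forms if f["password"]})
    mismatch = total > 0 and hits * 2 > total and any(h != brand for h in posts_to)
    return {"links_mostly_to": brand, "credentials_post_to": posts_to, "suspicious": mismatch}

# Constructed page: form attributes and file names are those quoted in the post;
# phish.example is a placeholder for the defanged host.
SAMPLE = """<form name="logonForm" method="POST" action="signon.php">
<input type="text" name="user"><input type="password" name="pass"></form>
<a href="http://www.regions.com/personal_home.shtml">Home</a>
<a href="http://www.regions.com/personal_home.shtml#a">Privacy</a>
<a href="http://www.regions.com/personal_home.shtml#b">Contact</a>
<a href="measures.htm">Security measures</a>"""

if __name__ == "__main__":
    print(audit("http://phish.example/REGIONS/user.htm", SAMPLE))
```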

  4. #4
    Member
    Join Date
    Apr 2005
    Posts
    45

    Sounds Moroccan

    hXXp://www.m4r0c4n.com - yeah, I cannot find it in either INTERNIC or RIPE.

    m4r0c4n
    - Sounds Moroccan.

    -GONE

    an\"to*nym (noun) [Greek: a word used in substitution for another]
    A word of opposite meaning ; a counter-term ; used as a correlative of synonym
    - Dr. Gung-ho
