-
June 15th, 2004, 08:26 PM
#1
USBank Scam
Just saw this on the Full Disclosure list...
This is the best phishing scam I've seen yet: http://www.bis1bp.com/a12/index.html
I have Windows Server 2003 fully patched and this works. The program fakes an address bar so this would pass through most people's safety check, after all the address bar clearly has the correct address.
There are bugs in the code, for example, all your Internet Explorer windows will now have this address, but again, most people would only have one window open.
Pretty smart and very dirty scammers...
If you disable active scripting they can't fake the address bar... or if you have a Google toolbar (or similar), the script messes up and places the URL in the wrong place. Or, if you use a different resolution other than 800x600 or 1024x768 the script will mess up again and append the faked address to the real address.... also, I've noticed that it carries over to things such as Outlook when the browser window is left open.
BTW: The box I tested this on is fully patched too.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
June 15th, 2004, 08:49 PM
#2
On Firefox, it starts to load and then a box pops up that says I need IE5.5/Win or above to run the 'Demonstration'.
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
Author Unknown
-
June 15th, 2004, 08:50 PM
#3
Interestingly enough if you copy and paste the "apparent" url in the address bar into Notepad it shows the http://www.bis1bp.com/a12/index.html url not the usbank one...... and if you pull down the address bar to show the history it shows the same address.
It looks like a lot of people are going there because when I first tried it it was quite convincing, right now it's so slow that the bad address stays there for a while though I'm sure some people would take it to be some "fancy" redirection being done by the real site.
Pulling down the address bar history or the cut and paste to Notepad is a test if you are suspicious though.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
June 15th, 2004, 08:53 PM
#4
Not exactly a new technique, but not used very often. It's interesting to look at some of the variants using DHTML and so on. Most of them only hit a very narrow spectrum of browsers and are probably one of the few reasons I am glad that javascript is evil and hard to do right on all browsers.
People who fall for it should have been checking for the proper use of ssl. Also the new url is displayed over all other windows you have up...I'm looking at the url over visual studio at the moment.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
-
June 15th, 2004, 08:53 PM
#5
Also, if you view source before the script is completely loaded... it will give the real source code.
If you try to view the source after the script is loaded... it gives you different source code that looks like it displays the fake address...
Juridan: I noticed that too. But only on some applications... not all. Outlook is one... but some third party software did not... maybe just another bug in the script.
Apparently it won't load on every window you have open if you open it multiple times.
Or, maybe that's because the site is so slow now.
The first thing I noticed was that the little lock wasn't in the bottom right hand corner of the screen which indicated ssl. But I've heard that it can be faked? They tried by putting the lock in the bottom left in the screen itself and by making the fake address display a https://
-
June 15th, 2004, 09:03 PM
#6
Off topic [ what's with the 'new' titles on the senior members names ? ] end.
Personally, I find that I am too slow on the uptake to be taken in by a 'phishing' scam, however, I have followed this, and it is 'good'.
Just another problem to be (Ad) aware of
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
-
June 15th, 2004, 09:10 PM
#7
Originally posted here by moxnix
On Firefox, it starts to load and then a box pops up that says I need IE5.5/Win or above to run the 'Demonstration'.
In IE, if you disable active scripting, it will say it needs scripting to run demonstration.
-
June 15th, 2004, 09:30 PM
#8
what's with the 'new' titles on the senior members names ?
If we told you, we'd have to reformat your brain.
-
June 15th, 2004, 09:38 PM
#9
Also, if you view source before the script is completely loaded... it will give the real source code.
If you try to view the source after the script is loaded... it gives you different source code that looks like it displays the fake address...
How would that be achieved?
Cheers,
cgkanchi
-
June 15th, 2004, 09:49 PM
#10
Just a guess, but I'd presume there's a segment of code that hides the source code, so if you pull up the source code before it has a chance to load up, then that's how you get around it. You have to pull it up before it has a chance to kick in.
That'd be my guess...
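The traits reported across the posts above (an IE-only gate, a scripting requirement, behaviour tied to 800x600 or 1024x768, and an https:// address shown by a page that was really served from another host) can be turned into a rough static triage of saved page source. This is an added example, not part of any post and not the scam page's code; the regexes, function names, the `<noscript>` delivery and the sample page are constructed assumptions.

```javascript
// Added example: static triage of saved page source for traits reported in this thread.
// Regexes, names and SAMPLE are constructed; the <noscript> delivery is an assumption.
const INDICATORS = [
  { id: 'browser-gate',       // "needs IE5.5/Win or above"
    re: /navigator\.(userAgent|appName|appVersion)[\s\S]{0,200}?(MSIE|Microsoft Internet Explorer)/i },
  { id: 'resolution-branch',  // behaviour keyed to 800x600 / 1024x768
    re: /screen\.(width|availWidth)\s*[=!]==?\s*(800|1024)\b/ },
  { id: 'needs-scripting',    // notice shown when active scripting is off
    re: /<noscript[^>]*>[^<]*script/i },
];

// Hosts named in https:// text that differ from the host that actually served the page.
function foreignHttpsHosts(html, servedFrom) {
  const servedHost = new URL(servedFrom).hostname.toLowerCase();
  const hosts = new Set();
  for (const m of html.matchAll(/https:\/\/([a-z0-9.-]+)/gi)) {
    const host = m[1].toLowerCase().replace(/\.$/, '');
    if (host !== servedHost) hosts.add(host);
  }
  return [...hosts];
}

function triage(html, servedFrom) {
  const hits = INDICATORS.filter((i) => i.re.test(html)).map((i) => i.id);
  const foreign = foreignHttpsHosts(html, servedFrom);
  // An https:// address for another host, carried by a page fetched over plain http.
  if (foreign.length > 0 && new URL(servedFrom).protocol !== 'https:') {
    hits.push('https-text-on-http-page');
  }
  const suspicious = hits.includes('https-text-on-http-page') && hits.length >= 2;
  return { hits, foreign, suspicious };
}

// Constructed sample page (not the page discussed in the thread).
const SAMPLE = `<html><body>
<noscript>You need scripting enabled to run this demonstration.</noscript>
<script>
if (navigator.appName != "Microsoft Internet Explorer") alert("IE5.5/Win or above required");
var offset = (screen.width == 800) ? 60 : (screen.width == 1024 ? 72 : 0);
var shown = "https://bank.example/login";
</script>
</body></html>`;

console.log(triage(SAMPLE, 'http://phish.example/a12/index.html'));
```

A match is only a reason to look closer: legitimate pages also sniff browsers and link to https hosts, which is why the verdict requires the http/https mismatch plus at least one other trait.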