-
November 24th, 2004, 09:56 PM
#1
Phish?
If this is a phish, it's a weird one.
Dear Suntrust Bank Customer ID-50661461153,
SunTrust Banks Inc., is committed to maintaining a safe environment for our customers. To protect the security of your account, SunTrust Banks Inc., employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the SunTrust system for unusual activity.
We are contacting you to remind you that on Nov. 24, 2004 our Account Review Team identified some unusual activity in your account. In accordance with SunTrust's User Agreement and to ensure that your account has not been compromised, access to your account was limited. Your account access will remain limited until this issue has been resolved.
We encourage you to log in and perform the steps necessary to restore your account access as soon as possible. Allowing your account access to remain limited for an extended period of time may result in further limitations on the use of your account and possible account closure.Visit now Online Banking page and sign on to your account for verification process: http://www.suntrust.com/personal/Che...king/index.php
Thank you for your prompt attention to this matter. Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience.
Sincerely,
Suntrust Banks Inc., Account Review Department.
The link that is shown there is actually http://210.127.248.70/personal/Check...ernet_Banking/ . But it seems to go to a legit (??) site.
If it's spam, it's awfully weird spam. If anyone is interested, I have done a wget recursively but have saved it in a file that's rather large (1.1MB). If you want it emailed so you can explore it, let me know. I was rather surprised at what I pulled up from that site.
-
November 24th, 2004, 10:24 PM
#2
[QUOTE]inetnum: 210.125.0.0 - 210.127.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: hm-changed@apnic.net 19981001
changed: hm-changed@apnic.net 20010606
changed: hm-changed@apnic.net 20040319
status: ALLOCATED PORTABLE
source: APNIC
person: Host Master
address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address: Seoul, Korea, 137-857
country: KR
phone: +82-2-2186-4500
fax-no: +82-2-2186-4496
e-mail: hostmaster@nic.or.kr
nic-hdl: HM127-AP
mnt-by: MNT-KRNIC-AP
changed: hostmaster@nic.or.kr 20020507
source: APNIC
inetnum: 210.127.248.0 - 210.127.249.255
netname: IEI-SHINDAEBANG-KR
descr: IEI
descr: 395-62 Shindaebang-dong Dongjak-ku
descr: SEOUL
descr: 156-010
country: KR
admin-c: JB374-KR
tech-c: JB375-KR
remarks: This IP address space has been allocated to KRNIC.
remarks: For more information, using KRNIC Whois Database
remarks: whois -h whois.nic.or.kr
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20041123
source: KRNIC
person: Jongsu Byun
descr: IEI
descr: 395-62 Shindaebang-dong Dongjak-ku
descr: SEOUL
descr: 156-010
country: KR
phone: +82-2-836-0100
fax-no: +82-2-836-6327
e-mail: jongsu@iei.or.kr
nic-hdl: JB374-KR
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20041123
source: KRNIC
person: Jongsu Byun
descr: IEI
descr: 395-62 Shindaebang-dong Dongjak-ku
descr: SEOUL
descr: 156-010
country: KR
phone: +82-2-836-0100
fax-no: +82-2-836-6327
e-mail: jongsu@iei.or.kr
nic-hdl: JB375-KR
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20041123
source: KRNIC
[/QUOTE]
http://www.apnic.net/apnic-bin/whois.pl
After doing a lookup at ARIN I was pointed to the website above. For some reason I don't think I would trust a bank webpage coming out of Korea...
-
November 24th, 2004, 10:27 PM
#3
Especially if the bank is apparently located in Atlanta, Georgia. My wget -sr resulted in the following:
PHP Code:
210.127.248.70 www.advertising.com
channels.netscape.com www.consumer.gov
customercare.suntrust.com www.doubleclick.com
ebusiness.suntrust.com www.ftc.gov
giftcard.suntrust.com www.ibsnetaccess.com
inquirasearch.suntrust.com www.life-insurance-service.com
internetbanking.suntrust.com www.maxxinvest.com
mysolutions.suntrust.com www.mbna.com
onlinetreasurymanager.suntrust.com www.microsoft.com
rn.ftc.gov wwwn.applyonlinenow.com
tips.fbi.gov www.sec.gov
travel.state.gov www.suntrust.com
trustservices.suntrust.com www.suntrustmortgage.com
vbv.arcot.com www.usps.com
www2.suntrust.com www.visa.com
-
November 24th, 2004, 10:30 PM
#4
DING DING DING DING WE HAVE A WINNER!!!!! Phish confirmed...lol
-
November 24th, 2004, 10:32 PM
#5
-
November 24th, 2004, 10:40 PM
#6
Well I did a little bit of Googling and Suntrust is a known cover for a lot of phishing type emails. I found 2 or 3 variations of emails from them and they were confirmed phish, that in conjunction with them being in Atlanta, but their webpage being in Korea (of all countries) makes me pretty certain that this is indeed a phish. Added to all this, them covering the link's actual address is sort of icing on the cake.
-
November 24th, 2004, 10:44 PM
#7
You are a customer of the Bank?
and their comment on the email..? that is if you are a customer..
/edit: A simple 2 line reply and I take 20 mins to type it.. sheeeeees.. see ya's in a few weeks...
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
November 24th, 2004, 10:45 PM
#8
Well I figured that but seriously check the links. When you choose the option to go to the Online service it actually redirects you to the LEGIT SunTrust website. That's why I'm not quite sure how well devised this phish is. Or is it a phish? Perhaps an attempt to get "free advertising" (Oh poor us..)
-
November 24th, 2004, 10:49 PM
#9
Well, if you go to the sign on link it is fake and takes you to another 210 IP address. The rest all point to domain names, but that takes you to another IP. So I'm assuming if you "sign on" you send them your info.
-
November 24th, 2004, 10:49 PM
#10
Ms. M:
I have got quite a few of these recently and the IP address for the link is a definite phish. If you try to connect they are sometimes already down, sometimes still up. In your case you may have found a situation where a legit web site was compromised and the additional pages added. This has since been identified and fixed thus you find a legitimate site in its place....
It's a guess but it's my best guess.... SunTrust is being heavily targeted for phishing in the last week or so as witnessed by the number I have been getting.... I usually get very few phishes.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides