-
November 25th, 2004, 02:30 AM
#11
Not to mention, if you just go to http://210.127.248.70/ you get some foreign characters (my guess Korean), and if you do just a simple ping of suntrust.com you get a completely different server (167.181.46.21). Not even close to the original. As stated before, all links from that fake website point to the other website EXCEPT the login, which sends info to Korea.
Duct tape.....A whole lot of Duct Tape
Spyware/Adaware problem click here
-
November 25th, 2004, 02:59 AM
#12
I get a ton of SunTrust mails spammed to my domain. Just more phishing mail along the lines of Citibank, WaMu, etc.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
-
November 25th, 2004, 04:16 AM
#13
From Internet.com dated November 10th 2004:
Now, phishing has taken a nasty new twist, according to Susan Larson, SurfControl's vice president of global content. "It's a hacking of the search technology on the sites," she said.
In this virulent new breed, the link in the e-mail takes those who click to a fraudulent page that's actually hosted on the bank's Web site. The spoof exploits a flaw in the banking sites' search servers. This flaw lets the crooks run a JavaScript page that displays their own phishing site instead of a legitimate Citibank or SunTrust Web page. Once the user enters the requested information and submits it, the data is whisked to an off-site server operated by the identity thieves.
Full article here
Maybe this explains why the link appears valid?
The object of war is not to die for your country but to make the other bastard die for his - George Patton
-
November 25th, 2004, 10:51 AM
#14
Actually, that would make sense based on what the wget shows up.
-
November 25th, 2004, 01:10 PM
#15
Speaking of SunTrust, I just noticed something on our scanners....
An email with some html
Code:
<html><p><font face="Arial"><A HreF="http://www.suntrust.com/personal/Checking/OnlineBanking/Inerenet_Banking/security.asp"><map name="FPMap0"><area coords="0, 0, 646, 437" shape="rect" href="http://%31%39%35%2E%31%34%36%2E%39%39%2E%31%38%30:%38%37/%73%74/%69%6E%64%65%78%2E%68%74%6D"></map><img SRC="cid:part1.01050108.04070504@[email protected]" border="0" usemap="#FPMap0"></A></a></font></p><p><font color="#FFFFF2">I wish What can you say? Yes, it's me. here you are Games May I put in a word? Grinch in 1937 How old? in 1907 in 2005 in 1813 Stock Quotes VIEW RESULTS ??? ???? Ricky Martin Majora's Mask It's impossible it's beautiful Super Bowl Lycos Internet Pull yourself together! Super Bowl Commercials I wish </font></p></html>
Sophos identified it as Troj/BkFraud-A.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
November 25th, 2004, 01:31 PM
#16
Interesting. Sophos identifies it as a trojan and yet Trendmicro says it's a Phish. So which is it?
-
November 25th, 2004, 02:05 PM
#17
Code:
href="http://%31%39%35%2E%31%34%36%2E%39%39%2E%31%38%30:%38%37/%73%74/%69%6E%64%65%78%2E%68%74%6D"
decodes to:
http://195.146.99.180:87/stindex.htm
Nothing trojan about it. But maybe the stindex.htm contains a trojan? I cannot fetch it...
Hehe. Just noticed that the suntrust url has a typo in it. The typo is also in the original.
Oliver's Law:
Experience is something you don't get until just after you need it.
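Added example, not part of any poster's message: a minimal Python check of the kind a mail filter could apply to the e-mail from post #15, percent-decoding every link and flagging an image-map `<area>` whose target leaves the host named in the enclosing `<a>`. The sample is trimmed from that e-mail with a placeholder image source, and the function names and flag strings are assumptions made for this illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Trimmed from the e-mail in post #15; the image source is a placeholder.
SAMPLE = (
    '<A HreF="http://www.suntrust.com/personal/Checking/OnlineBanking/'
    'Inerenet_Banking/security.asp"><map name="FPMap0">'
    '<area coords="0, 0, 646, 437" shape="rect" href="http://%31%39%35%2E'
    '%31%34%36%2E%39%39%2E%31%38%30:%38%37/%73%74/%69%6E%64%65%78%2E%68%74%6D">'
    '</map><img src="cid:placeholder" border="0" usemap="#FPMap0"></A>'
)

class LinkCollector(HTMLParser):
    """Record the href of every <a> and image-map <area> tag."""
    def __init__(self):
        super().__init__()
        self.links = []  # (tag, raw href) in document order

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag in ("a", "area") and href:
            self.links.append((tag, href))

def inspect_href(raw):
    """Percent-decode one href and list the traits worth alerting on."""
    parts = urlsplit(unquote(raw))
    flags = []
    if "%" in urlsplit(raw).netloc:      # encoding hides the real host
        flags.append("percent-encoded host")
    try:
        ipaddress.ip_address(parts.hostname or "")
        flags.append("ip-literal host")
    except ValueError:
        pass                             # an ordinary DNS name
    if parts.port not in (None, 80, 443):
        flags.append("non-standard port")
    return {"host": parts.hostname, "port": parts.port, "flags": flags}

def analyze(html):
    """Inspect every link; flag <area> targets that leave the <a> host."""
    collector = LinkCollector()
    collector.feed(html)
    results = [(tag, inspect_href(raw)) for tag, raw in collector.links]
    anchor_hosts = {r["host"] for tag, r in results if tag == "a"}
    for tag, r in results:
        if tag == "area" and anchor_hosts and r["host"] not in anchor_hosts:
            r["flags"].append("map target differs from anchor host")
    return results

if __name__ == "__main__":
    for tag, r in analyze(SAMPLE):
        print(tag, r["host"], r["port"], r["flags"])
```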
-
November 25th, 2004, 04:51 PM
#18
The fact this kind of information came via email is the real giveaway. It is very simple: no bank, web email, eBay, PayPal, etc. will ever send you any request asking you to verify your user and password.
On a side note, an attacker does not even have to use JavaScript to achieve the attack. By exploiting a flaw where the attacker can inject code into the site, they can use simple HTML code to create a new form on the page, but that form posts the data to their web site and not the bank's. Thus no popup etc. But that is just one way this attack can be done.
SittingDuck
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
-
November 25th, 2004, 05:09 PM
#19
Junior Member
Well, your best bet is to call customer service? That's it Honey. ;-)
-
November 26th, 2004, 03:46 AM
#20
Some of the phishing is generated using trojans. Here is a site that I came across that deals with phishing issues:
http://antiphishing.org/
You will see that the SunTrust phishing message is listed there and is one of the more recent phishing scams. In almost all cases, the real sites of the banks in question will have information indicating that they make no contact with customers via email. Just did check the real Citibank, BankOne and SunTrust sites.