-
April 5th, 2005, 05:03 PM
#1
Phishing: Charter One Bank
Hmm. I received an email from Charter One Bank asking me to confirm my customer details. Funny thing is... I don't use that bank... Attached is a picture of the email.
Source shows it had been sent through some cable ISP in Canada.
The "link" inside uses a <map> to actually send you to http://custconf.com:880
Code:
<html><p><font face="Arial">
<A HREF="https://www.charteronebank.com/general/custdetailsconfirmation.asp">
<map name="HM0EG3wPJ">
<area coords="0, 0, 651, 332" shape="rect" href="http://custconf.com:880"></map>
<img SRC="cid: part1.00020603.06000909@support_ref_...teronebank.com" border="0" usemap="#HM0EG3wPJ">
</A></a>
</font></p><p><font color="#FFFFF8">I'd like Cheer up! Dale Earnhardt O-Town it's for you. </font></p></html>
custconf.com resolves to an IP address in Korea....
I smell a Phish!
Oliver's Law:
Experience is something you don't get until just after you need it.
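The trick described in this post is that the outer <A HREF> shows the real bank, while the <area> inside the image map captures the click and sends it to the phisher's host. The following is an added example (not code from the thread) that parses a constructed copy of that markup and flags any <area> whose host differs from every visible anchor host; the cid value is a placeholder.

```python
"""Flag image-map link overrides in HTML email: an <a> whose href points at the
genuine bank while an <area> in the usemap redirects the click elsewhere."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the email quoted in the thread (cid is a placeholder).
SAMPLE = """<html><p><font face="Arial">
<A HREF="https://www.charteronebank.com/general/custdetailsconfirmation.asp">
<map name="HM0EG3wPJ">
<area coords="0, 0, 651, 332" shape="rect" href="http://custconf.com:880"></map>
<img SRC="cid:part1@placeholder" border="0" usemap="#HM0EG3wPJ">
</A></a></font></p></html>"""


class LinkCollector(HTMLParser):
    """Collects hrefs from <a> and <area> tags separately."""
    def __init__(self):
        super().__init__()
        self.anchors, self.areas = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "a" and a.get("href"):
            self.anchors.append(a["href"])
        elif tag == "area" and a.get("href"):
            self.areas.append(a["href"])


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def find_map_overrides(html):
    """Return one finding per <area> whose host matches no <a> href host.

    Each finding records the real destination host, its port (a non-standard
    port such as 880 is itself a signal) and the decoy hosts shown in the <a>."""
    p = LinkCollector()
    p.feed(html)
    anchor_hosts = {host_of(u) for u in p.anchors}
    findings = []
    for url in p.areas:
        h = host_of(url)
        if h and h not in anchor_hosts:
            findings.append({"area_host": h,
                             "port": urlparse(url).port,
                             "decoy_hosts": sorted(anchor_hosts)})
    return findings
```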
-
April 5th, 2005, 05:19 PM
#2
Hi SirDice,
Well, I knew there was no bank in Canada with that name...I never get that stuff...probably because I'm on a little known ISP that no one cares about..then again, I might have gotten a few...my ISP has a junk bin for my e-mails which they stop before they even get to my box...the only way to see them is to go to that junk box and I never have...I get notices but I never go. If it looks like Scam, smells like Scam, and tastes like Scam, it's a Scam.
Eg
-
April 5th, 2005, 05:22 PM
#3
Actually I believe Charter One is a real bank (http://www.charteronebank.com <- real link, no phishing). But the link inside the email doesn't really point to their website.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
April 5th, 2005, 05:30 PM
#4
Hi SirDice,
http://www.millersmiles.co.uk/report/194
Charter One Bank - Confirm Your Details To Avoid Service Cancellation - Charter One Bank 'Scams' - millersmiles.co.uk
Here's the link you want. And here's another...
http://www.trendmicro.com/en/securit...ish050309a.htm
Company: Charter One Bank
Eg
-
April 5th, 2005, 06:34 PM
#5
Yep. Looks exactly the same. But mine points to a different URL (different from the one noted by Trend and the one on millersmiles). Looks like the scammers have moved again....
As of right now, the url in mine is still up and running.
Oh. WARNING. Do not point your browser to that phisher's site. It will run JS/Stealus.
Funny though.. That phisher's site.. First time I netcatted it I received the usual 200 OK, then a perl error message, then headers that appear to come from apache. If I do it right now the server suddenly changed into SHS (whatever that is) and the rest of the headers look different too. Sadly I didn't record the first response.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
April 5th, 2005, 07:41 PM
#6
Did some more digging. I'm using my own thread to keep notes. Maybe we can track the sucker..
The phisher's url on Trend is dead. Cleaned up. Doesn't exist any more.
The phisher's ip on millersmiles is owned by a Hong Kong based telco/isp (http://www.hgc.com.hk ).
Onto mine
Domain Name: CUSTCONF.COM
Registrar: YESNIC CO. LTD.
Whois Server: whois.yesnic.com
Referral URL: http://www.yesnic.com
Name Server: NSA1.SPX2K.NET
Status: ACTIVE
Updated Date: 30-mar-2005
Creation Date: 18-mar-2005
Expiration Date: 18-mar-2006
All contacts are the same:
Name : LeiMomi01 Design
Email : [email protected]
Address : P.O. Box 351019, Brooklyn, NY
Zipcode : 11235
Nation : US
Tel : +1.718-213-4074
Fax : +1.302-338-7956
Interesting, about a month old, recently updated (see above):
:: Dates & Status::
Created Date 2005-03-18 03:39:32 EST
Updated Date 2005-03-18 03:39:32 EST
Valid Date 2006-03-18 03:39:32 EST
Status ACTIVE
The registrar (YesNIC) looks legit (cheap too) so the contact's email address probably works. Let's see what/who is tom.com?
The only thing I could read on http://www.tom.com was this:
TOM Online Inc. {..} is a leading mobile Internet company in China, operating one of the most successful Internet portals in China ( www.tom.com) and offering a wide variety of online and mobile services,{...}
OK. tom.com looks and feels legit (whois info too). But it might be some unsuspecting soul. Searching google for the name gets me 2 hits http://www.joewein.de/sw/fraud-intmedcorp.htm Interesting.. same whois info..
intmedcorp.com is a fraud
The following job offer was sent out as spam by an organized crime group. The domain intmedcorp.com and the related domain intmc.org were only created two weeks before the spam was sent. The purpose of this job offer is to trick people into helping move stolen money out of the country for the gang.
Hey, this sounds like a 419. Phishing and a 419.. These guys are doing all sorts of **** to trick our unsuspecting users..
So much for all the info from whois..
Oliver's Law:
Experience is something you don't get until just after you need it.
-
April 5th, 2005, 08:09 PM
#7
Hi SirDice,
I did click your links before my first post but I think one went nowhere and the banking site had an alert pop-up that said " d..." something or other...
seems like these guys are trying harder than the average scammer...eh?
Eg
-
April 5th, 2005, 09:00 PM
#8
Next..
Onto the DNS domain So much to check... So much info..
The custconf.com domain is controlled by nsa1.spx2k.net.
spx2k.net looks dodgy.. relatively new too.
Domain Name: SPX2K.NET
Registrar: YESNIC CO. LTD.
Whois Server: whois.yesnic.com
Referral URL: http://www.yesnic.com
Name Server: NS1.SPX2K.COM
Name Server: NSFR3.US2K.NET
Name Server: NS1.TEENSJCASH.COM
Status: ACTIVE
Updated Date: 17-mar-2005
Creation Date: 17-jan-2005
Expiration Date: 17-jan-2006
Contact email: Google is my friend, first hit gave more clues. Same info.. More phishing.. different domains (again).. same nameservers.. hmmm..
Domain Name: SPX2K.COM
Registrar: TUCOWS INC.
Whois Server: whois.opensrs.net
Referral URL: http://domainhelp.tucows.com
Name Server: NS1.US2K.NET
Status: REGISTRAR-HOLD
Updated Date: 08-feb-2005
Creation Date: 03-feb-2005
Expiration Date: 03-feb-2006
Domain Name: TEENSJCASH.COM
Registrar: TUCOWS INC.
Whois Server: whois.opensrs.net
Referral URL: http://domainhelp.tucows.com
Name Server: NS1.TEENSJCASH.COM
Name Server: NS2.TEENSJCASH.COM
Status: ACTIVE
Updated Date: 09-mar-2005
Creation Date: 24-feb-2005
Expiration Date: 24-feb-2006
Both domains are owned by:
HANNON, LEANDRAE [email protected]
3412 Monterey
St. Joseph, AL 23412
US
+1.8162792672
This one keeps popping up:
Domain Name: US2K.NET
Registrar: YESNIC CO. LTD.
Whois Server: whois.yesnic.com
Referral URL: http://www.yesnic.com
Name Server: No nameserver
Status: REGISTRAR-LOCK
Updated Date: 16-mar-2005
Creation Date: 19-jan-2005
Expiration Date: 19-jan-2006
Contact info is familiar
Name : LeiMomi01 Design
Email : [email protected]
Address : P.O. Box 351019, Brooklyn, NY
Zipcode : 11235
Nation : US
Tel : +1.718-213-4074
Fax : +1.302-338-7956
So we end up with a couple of dodgy DNS servers. They all seem to host various domains that are connected in some way or another with phishing..
Oliver's Law:
Experience is something you don't get until just after you need it.
-
April 5th, 2005, 09:03 PM
#9
Oliver's Law:
Experience is something you don't get until just after you need it.
-
May 23rd, 2005, 12:04 PM
#10
Junior Member
Good morning all,
Noob here, I was led to this post on this forum by following an investigation of my own into a lovely bit of spoofing/phishing. I'm not a tech expert but I have enough know-how to get me this far. Anyone want to pick up where I ran out of expertise?
I also received the Charter One bank phishing mail - and today I received an identical mail but from SouthTrust bank. Both are real banks, neither sent these emails.
The SouthTrust email dead ends with a "You do not have permission to view" page. The reported URL is http://systdll.com/.../st
I ran a Whois check on www.systdll.com and got:
05/23/05 11:51:06 whois systdll.com
.com is a domain of USA & International Commercial
Searches for .com can be run at http://www.crsnic.net/
Domain Name : systdll.com
::Registrant::
Name : James Harris
Email : [email protected]
Address : 27 Nottingham Road, Eastwood, Nottingham
Zipcode : NG16 3AD
Nation : UK
Tel : +1.718-213-4074
Fax : +1.302-338-7956
::Administrative Contact::
Name : James Harris
Email : [email protected]
Address : 27 Nottingham Road, Eastwood, Nottingham
Zipcode : NG16 3AD
Nation : UK
Tel : +1.718-213-4074
Fax : +1.302-338-7956
::Technical Contact::
Name : James Harris
Email : [email protected]
Address : 27 Nottingham Road, Eastwood, Nottingham
Zipcode : NG16 3AD
Nation : UK
Tel : +1.718-213-4074
Fax : +1.302-338-7956
::Name Servers::
name2.systdll.com
name.systdll.com
:: Dates & Status::
Created Date 2005-05-15 09:22:29 EDT
Updated Date 2005-05-15 09:22:29 EDT
Valid Date 2006-05-15 09:22:29 EDT
Status ACTIVE
Which is interesting as that's what I got when I did the same thing with the Charter One email - although that now dead ends with some other information.
I postcode-checked the address as shown and apparently it's a branch of National Westminster Bank in Nottingham, UK.
I rang the branch and asked if they have a James Harris on their staff, or if there are any other businesses registered at that address; the answer to both questions is no, but they have taken all the relevant details for their own investigation. Which is nice of them.
The other interesting thing is the email address - [email protected]. Type it into Google and there's a whole string of posts similar to this one that come up. There are also some references to the same email address being used in a fake job offer scam earlier in the year. I have of course emailed it but I imagine it's just an unused inbox full of insults from other spamees.
So whoever Mr Harris really is, he's a busy boy, obviously.
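Posts #6, #8 and #10 all pivot the same way: a phone, fax or name server that repeats across whois records ties otherwise unrelated domains together. The following is an added example (not code from the thread) that parses constructed "Key : Value" whois records and clusters domains by shared indicators, also treating a name server's parent domain (nsa1.spx2k.net -> spx2k.net) as a link; all registrant names and numbers are placeholders.

```python
import re
from collections import defaultdict

# Constructed whois records in the "Key : Value" layout quoted in the thread;
# the names, numbers and name servers are placeholders, not real registrant data.
SAMPLE_WHOIS = {
    "custconf.com": "Name : Example Registrant A\nTel : +1.555-000-0001\n"
                    "Fax : +1.555-000-0002\nName Server : nsa1.spx2k.net",
    "us2k.net": "Name : Example Registrant A\nTel : +1.555-000-0001\n"
                "Fax : +1.555-000-0002",
    "spx2k.net": "Name : Example Registrant B\nTel : +1.555-000-0003\n"
                 "Name Server : ns1.spx2k.com\nName Server : ns1.teensjcash.com",
    "teensjcash.com": "Name : Example Registrant B\nTel : +1.555-000-0003\n"
                      "Name Server : ns1.teensjcash.com",
    "unrelated.example": "Name : Someone Else\nTel : +1.555-000-0009\n"
                         "Name Server : ns.unrelated.example",
}
PIVOT_KEYS = ("tel", "fax", "email", "name server")


def parse_record(text):
    """Turn 'Key : Value' lines into {key: [values]}; keys lower-cased, repeats kept."""
    rec = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            rec[m.group(1).lower()].append(m.group(2).lower())
    return rec


def shared_indicators(records):
    """Map each (key, value) present in more than one record to the domains carrying it."""
    index = defaultdict(set)
    for domain, text in records.items():
        rec = parse_record(text)
        for key in PIVOT_KEYS:
            for val in rec.get(key, []):
                index[(key, val)].add(domain)
                if key == "name server":
                    # nsa1.spx2k.net also ties custconf.com to the spx2k.net domain itself
                    parent = ".".join(val.split(".")[-2:])
                    index[("ns domain", parent)].update({domain} | ({parent} & set(records)))
    return {k: v for k, v in index.items() if len(v) > 1}


def clusters(records):
    """Union-find over shared indicators; returns sorted clusters of linked domains."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for doms in shared_indicators(records).values():
        first, *rest = sorted(doms)
        for d in rest:
            parent[find(d)] = find(first)
    groups = defaultdict(list)
    for d in records:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())
```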