Regions Bank Phish

[MrLinus]

I got the following email with the subject of WARNING: CONFIRM YOUR ONLINE BANKING ACCOUNT (obvious phish)

Dear client of Regions Bank,

Technical services of the Regions Bank are carrying out a planned software upgrade. We earnestly ask you to visit the following link to start the procedure of confirmation on customers data.

To get started, please click the link below:

https://online.regions.com/ibsregion...lt/confirm.cfm

This instruction has been sent to all bank customers and is obligatory to fallow.

Thank you,

Customers Support Service.

What I found interesting is that the true source -- hxxp://www.m4r0c4n.com/REGIONS/user.htm -- doesn't have a registry listing (??). The pertinent header info indicates NL (Netherlands) and FR (France) as the source:

Received: from 62.193.214.56 (vds-348840.amen-pro.com [xx.yy.xx.yy])
by mailhub.xxx.net (Postfix) with SMTP id 464C62B691D
for <[email protected]>; Sun, 17 Apr 2005 09:33:14 -0400 (EDT)
Received: from 212.80.144.5 by ; Sun, 17 Apr 2005 16:24:27 +0200

So, any ideas why it doesn't appeared registered?

[Egaladeist]

Hi MsMittens,

Someone else here got the same thing...this is one of the links I posted there...

http://www.millersmiles.co.uk/report/210
YOUR REGIONS BANK ACCOUNT - Regions Bank 'Scams' - millersmiles.co.uk


EDIT: http://www.antionline.com/showthread...hreadid=267560
AntiOnline - Pissing my BSD boxers with laughter


I know that one scam had set up a bank page identical to the real one and somehow got people to go to their site from the real site...I think I posted the links in SirDice's Chapter One Bank thread. Could it be the site you suspect is a copy?

Eg

[GONEin62nd]

Hi!

https://online.regions.com/ibsregion...lt/confirm.cfm

- Firstly, I get a message on Firefox (1.0.3) - "The connection to online.regions.com has terminated unexpectedly. Some data may have been transferred". In IE, "cannot find server, The page cannot be displayed". It is down I think.

Well, I have been receiving this Regions Bank scam almost daily with my regular yahoo account. Even if I already report it as spam, I still received it from time to time. Now, I used a different e-mail account (and provider) just to avoid such spam.


62.193.214.56 - some company named Plesk:

This is the Plesk™ default page

If you see this page it means:

1) hosting for this domain is not configured
or
2) there's no such domain registered in Plesk.

For more information please contact @adminemail@.

212.80.144.5 - Network Error

Network Error (tcp_error)

A communication error occurred: "Operation timed out"
The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.

For assistance, contact your network support team.

The pertinent header info indicates NL (Netherlands) and FR (France) as the source:

Using RIPE.net:
212.80.144.5 - SPAIN
62.193.214.56 - FRANCE


FYI, I think this link leads to the REAL Regions Bank - http://www.regions.com/personal_home.shtml -

*And the REAL link that the SCAM SITE copied - https://secure.regionsnet.com/EBanki...faultAffiliate

And one more observation, almost all the link in the scam site (aside from the login link) links back to the REAL site to show it's legit. OLD PHISHING...

Lastly, digging further, you may also want to check other pages inside the source of the scam link - hXXp://www.m4r0c4n.com/REGIONS/measures.htm

THIS IS THE SECRET - from the source - hXXp://www.m4r0c4n.com/REGIONS/user.htm

Code:

name="logonForm" method="POST" action="signon.php" onsubmit="if (this.disabled) return false;

It is really nice and fun digging some!

-GONE

[GONEin62nd]

hXXp://www.m4r0c4n.com - yeah, I cannot find it both in INTERNIC and RIPE.

m4r0c4n

- Sounds Moroccan.

-GONE

__________________
an"to*nym (noun) [Greek: a word used in substitution for another]
A word of opposite meaning ; a counter-term ; used as a correlative of synonym
- Dr. Gung-ho