Phishing Trip Part 1: Addendum (late entries)
infectionvectors.com, January 2005
See Full Report - Phishing Trip Part 1: Washington Mutual
Addendum
Two additional submissions came in after the publication of "Phishing Trip Part 1." Although these scams arrive continuously, they often recycle the same code and tactics. These two pieces of spam are similar to each other, but they are coded very differently from those presented in the original paper.
Message 8: January 10, 2005
Created by a much more meticulous coder than the previous scam attempts, this message appears more convincing when looking at the HTML than it does in its user-presented format. The use of the creative "problematical" stood out to infectionvectors when reading the body of the email. The email does use the "Connection Secured" logo, which may instill a little faith on the part of the reader (especially since it, along with the rest of the page chrome, is lifted from an HTTPS site, usbank.com); however, the grammar and spelling once again doom an email aimed at English-speaking account holders (proving that HTML is the Esperanto of our time). Overall, the fraud does get points for including the "if you think you're the victim of fraud" text and the general look of the email. As one can see in the HTML below, the actual destination for the requested information is not encrypted or obfuscated in any way: it is a bare IP address (a server located in Uruguay), while the visible text of that link claims to be an https://login.personal.wamu.com address. Here's how this one looks to a user:
[Screenshot: Message 8 as rendered for the user]
Message 9: January 13, 2005
Just a few short days later another email using the same hidden destination (the server in Uruguay) appeared in the Inbox. The scam is nearly identical in feel to the previous attempt, but with a different reason for the data request. This one seems more official, if only because it takes a slower reading to find the errors in the text (this time grammatical, without obvious invented words).
As mentioned above, these appear to be the work of a much more skilled (if not trained) coder. Although the message text will still be a tip-off for careful readers, the front end of these scams is more polished than those in the original report. Combined with basic attempts to obfuscate the destinations and a well-crafted message, these would be formidable scams. Two additional iterations of this code came in after Message 9, both of which recycled the same code with new websites as the destination, this time with domain names in the code in place of the IP address shown below. The domains appear to belong to legitimate, possibly compromised, servers. It goes to show how quickly criminals are able to move the scam, change its face, and so on. There are instances where the scam also pushes code/malware to the reader's machine (so even if they are not taken in by the scam there is potential for damage). It takes broad-based user training to battle this type of fraud.
In each example above, there is only one link that directs the reader to the criminals' website (in Message 8 it sits behind both the bank logo and the red text link, whose visible text is a legitimate-looking wamu.com URL); all of the other links carry the user to legitimate sites: Washington Mutual's, a mapping site (for branch locations), the explanation of the credit card verification, and so on.
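The checks a practitioner would run over a message like these, as an added example (Python, standard library only) that is not part of the original post: it pulls every anchor, resource URL and inline script out of the HTML and flags the tells discussed for Messages 8 and 9 and their later domain-name iterations, namely link text that shows one URL while the href goes to another host, a bare IP address as destination, links and page chrome that leave the claimed brand's domain, and the status-bar (self.status) helper functions at the top of the sample. The HTML fed to it is a constructed, cut-down stand-in built from the same tricks as Message 8, not the original mark-up; the CLAIMED_BRAND_HOSTS set and the function names (triage, LinkCollector and so on) are assumptions for the example.

```python
"""Triage checks for a suspected phishing e-mail body (added example, stdlib only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample: same tricks as Message 8 (visible wamu.com link text,
# href to a raw IP, page chrome loaded from usbank.com, status-bar helpers).
# It is a stand-in for illustration, not the original message mark-up.
SAMPLE_HTML = """
<html><head>
<script language="JavaScript">
function a(txt) { self.status = txt }
function b() { self.status = "" }
</script>
<link rel="stylesheet" href="https://www4.usbank.com/internetBankingStatic/css/global.css">
</head><body>
<a href="http://www.wamu.com/personal/customerservice/customerservice_CO.htm">Customer Service</a>
<a href="http://200.217.234.21/.wamusk/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid"><img src="http://www.wamu.com/images/wamucom_logo_blue.gif" alt="WAMU"></a>
<img src="https://www4.usbank.com/internetBankingStatic/images/en_us/ConnectionSecured.gif" alt="Connection Secured">
<p><a href="http://200.217.234.21/.wamusk/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid">https://login.personal.wamu.com/registration/CreateLogonEntry.asp</a></p>
<a href="http://www.wamu.com/personal/welcome/privacy.htm">Your Privacy</a>
</body></html>
"""

# Registered domain(s) the message claims to come from (assumption for the example).
CLAIMED_BRAND_HOSTS = {"wamu.com"}


class LinkCollector(HTMLParser):
    """Collect anchors (href + visible text), resource URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.anchors = []      # [href, visible text] per <a>
        self.resources = []    # src/href of img, script, link
        self.scripts = []      # one body string per <script> element
        self._in_anchor = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.anchors.append([a["href"], ""])
            self._in_anchor = True
        elif tag in ("img", "script") and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.resources.append(a["href"])
        if tag == "script":
            self.scripts.append("")
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_anchor and self.anchors:
            self.anchors[-1][1] += data
        if self._in_script and self.scripts:
            self.scripts[-1] += data


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    # Crude: last two labels. Enough for the .com hosts here; a real tool uses a suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(html_text, brand_hosts=CLAIMED_BRAND_HOSTS):
    """Return (kind, visible text, url-or-excerpt) findings for one message body."""
    p = LinkCollector()
    p.feed(html_text)
    p.close()
    findings = []
    for href, text in p.anchors:
        text, h = text.strip(), host_of(href)
        # Visible text is a URL but the href goes to a different host.
        if re.match(r"https?://", text) and host_of(text) != h:
            findings.append(("text/href mismatch", text, href))
        # Bare IP address as destination (Message 8/9 style, no obfuscation at all).
        if is_ip_literal(h):
            findings.append(("ip literal destination", text, href))
        # Destination outside the claimed brand (catches the later domain-name variants).
        elif registered_domain(h) not in brand_hosts:
            findings.append(("off-brand link", text, href))
    # Page chrome (CSS, images, scripts) pulled from a third party's HTTPS site.
    for src in p.resources:
        rd = registered_domain(host_of(src))
        if rd and rd not in brand_hosts:
            findings.append(("third-party resource", "", src))
    # Helpers that rewrite the status bar, used to hide the real link target on hover.
    for body in p.scripts:
        if re.search(r"\b(self|window)\.status\s*=", body):
            findings.append(("status bar script", "", body.strip()[:60]))
    return findings


def suspicious_destinations(findings):
    """Distinct hosts behind mismatched or IP-literal links: where the data really goes."""
    return sorted({host_of(u) for kind, _, u in findings
                   if kind in ("text/href mismatch", "ip literal destination")})


if __name__ == "__main__":
    for kind, text, url in triage(SAMPLE_HTML):
        print(f"{kind:24} {text[:40]!r:44} {url[:70]}")
    print("data goes to:", suspicious_destinations(triage(SAMPLE_HTML)))
```

For the later iterations that swapped the IP address for a domain name, the IP check goes quiet, but the text/href mismatch and off-brand checks still fire, so the collector stays useful even when the destination looks like a real host.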
Due to the great similarities in the code, only the first message above is presented here. As always, hyperlinks have been made "unclickable"; reconstruct and follow at your own risk.
Message 8 HTML
<script language="JavaScript">
<!-- Hide the script from old browsers --
function a(txt) {
self.status = txt
}
function b() {
self.status = ""
}
// --End Hiding Here -->
</script>
<html>
<head>
<title>Washington Mutual - Corporate Home Page</title>
<link rel="stylesheet" href="https://www4.usbank.com/internetBankingStatic/css/global.css" type="text/css">
<!-- H E A D E R S T A R T -->
<script language="JavaScript" src="https://www4.usbank.com/internetBankingStatic/js/global.js"></script>
<script language="JavaScript" src="https://www4.usbank.com/internetBankingStatic/js/Help.js"></script>
<!-- H E A D E R E N D -->
</head>
<body LEFTMARGIN=0 RIGHTMARGIN=0 MARGINWIDTH=0 MARGINHEIGHT=0 TOPMARGIN=0>
<!-- H E A D E R S T A R T -->
<MAP NAME="TopNav">
<aREA SHAPE="rect" COORDS="0,5,87,14" HREF="http://www.wamu.com/personal/customerservice/customerservice_CO.htm" alt="Customer Service">
<aREA SHAPE="rect" COORDS="107,5,162,14" HREF="http://www.wamu.com/personal/customerservice/contactus/waystoreachus.htm"
alt="Contact Us">
<aREA SHAPE="rect" COORDS="180,5,229,14" HREF="http://clients.mapquest.com/wamu/mqlocator?link=findusmain" alt="Locations">
</MAP>
<table cellpadding=0 cellspacing=0 width=775 border=0>
<tr><td class=bg2 height=20 colspan=3> </td></tr>
<tr>
<td height=47><a HREF="http://200.217.234.21/.wamusk/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid"><img src="http://www.wamu.com/images/wamucom_logo_blue.gif"
alt="wamu.com A Washington Mutual, Inc. Web site" border=0 hspace=10
alt="WAMU"></a></td> <td align=right valign=top width=700><img src="https://www4.usbank.com/internetBankingStatic/images/en_us/top_nav.gif" border=0 usemap="#TopNav" alt="USB Top Navigation"></td>
<td width=11 height=1><img src="https://www4.usbank.com/internetBankingStatic/images/spacer.gif" alt=""></td>
</tr>
</table>
<table cellpadding=0 cellspacing=0 border=0 width=775>
<tr>
</tr>
<tr>
<td width=775 height=1 colspan=2><img src="https://www4.usbank.com/internetBankingStatic/images/spacer.gif" border=0
alt=""></td>
</tr>
<tr>
<td colspan=2 class=bg3>
<table cellpadding=0 cellspacing=0 border=0>
<tr>
<td width=168 height=16></td>
<td width=9 height=1><img src="https://www4.usbank.com/internetBankingStatic/images/spacer.gif" alt=""></td>
</tr>
</table>
</td>
</tr>
<tr>
<td colspan=2>
<table cellpadding=0 cellspacing=0 border=0>
<tr>
<td width=168 height=28><img src="https://www4.usbank.com/internetBankingStatic/images/spacer.gif" border=0
alt=""></td>
<td width=10 height=1><img src="https://www4.usbank.com/internetBankingStatic/images/spacer.gif" border=0 alt=""></td>
</tr>
</table>
</td>
</tr>
</table>
<!-- H E A D E R E N D -->
<table cellpadding=0 cellspacing=0 width=775 border=0>
<tr>
<td width=168 valign=top>
</td>
<!-- G U T T E R -->
<td width=10><img src='https://www4.usbank.com/internetBankingStatic/images/spacer.gif' border=0 width=10 height=1 alt=""></td>
<!-- G U T T E R -->
<td width=588 valign=top>
<!-- C O N T E N T S T A R T -->
<table cellpadding=0 cellspacing=0 width='100%' border=0>
<tr>
<td></td>
<td align=right>
<!-- C O N T E N T E N D -->
<!-- G U T T E R -->
</td>
<td width=11 height=1><img src='https://www4.usbank.com/internetBankingStatic/images/spacer.gif' border=0 alt=""></td><!-- G U T T E R -->
</tr>
</table>
<!-- G U T T E R -->
<!-- F O O T E R S T A R T -->
<table cellpadding=0 cellspacing=0 width='775' border=0>
<tr>
<td><img src='https://www4.usbank.com/internetBankingStatic/images/en_us/ConnectionSecured.gif' border=0 hspace=11 alt="Connection Secured"></td>
<td align=right><img src='https://www4.usbank.com/internetBankingStatic/images/en_us/MemberFDIC.gif'
border=0 hspace=11 alt="Member FDIC Logo"></td>
<p>Dear Washington Mutual customer,</p>
<p>In accordance with the verifications performed by our team, we thank you for
the submitted information so that we can take one last step for the final annual
checking. Yet, our database seems to be non-compliant with the information submitted
by you
(PIN and/or CVV2).Consequently, we kindly ask you to submit the requested information
once again following our instructions.</p>
<a href="https://images.ccbill.com/jpost/cvv2.swf" target="new">
<img src="https://images.ccbill.com/jpost/cvv2a.gif" border="0" width="150" height="96"><br>Explanation</a>
<p>With respect to the email automatically submitted to you from our online banking
system in order to assure the security of our client, we have to inform you that the
references received
were not in compliance with our database system. Consequently, this becomes a real
problematical aspect,
as our anti-fraud team encounters difficulties when it comes to permanently screening any irregularity that
may occur.
In order to make our job easier, please fill in the form below, with the appropriate
information: </p>
<p><font color="#DD0000">
<a href="http://200.217.234.21/.wamusk/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid">https://login.personal.wamu.com/registration/CreateLogonEntry.asp</a></font></p>
<p> If you believe you have provided personal or account information in response to a fraudulent
e-mail or Web site, please contact Washington Mutual at 800.788.7000 and contact the other
financial institutions with which you have accounts
<p>Thank you for trusting our services.</p>
<p>Sincerely,</p>
<p>The WAMU Security Department Team.
Please do not reply to this mail.Mail sent to this address cannot be answered.
For assistance, log in to your WAMU account and chose the "Help" link in the header of any page.</p>
Thank you for trusting our services. <p>
<p> WAMU Bank - Fraud Center
<p> eCare customer service at 1.800.788.7000 <p>
<tr><td colspan=2><img src='https://www4.usbank.com/internetBankingStatic/images/footer_curve.gif' alt=""></td></tr>
<tr class=bg2>
<td class=f15 height=20 NOWRAP>
<img src='https://www4.usbank.com/internetBankingStatic/images/spacer.gif' width=10 height=0 alt="">
<a class=f21 style="text-decoration:none;" href="http://www.wamu.com/personal/welcome/privacy.htm">Your Privacy </a>
|
<a class=f21 style="text-decoration:none;" href="http://www.wamu.com/personal/welcome/privacy.htm">Security Standards</a>
</td>
<td class=f15 align=right> Copyright 2004, Washington Mutual, Inc. All Rights Reserved <img src='https://www4.usbank.com/internetBankingStatic/images/spacer.gif' width=11 height=1 alt=""></td>
</tr>
</table>
<table cellpadding=0 cellspacing=0 width='775' border=0>
<tr>
<td class=f1>
<img src='https://www4.usbank.com/internetBankingStatic/images/spacer.gif' width=10 height=0 alt="">
</table>
<!-- F O O T E R E N D -->
</body>
</html>
Download PDF of Original Report