
M&I Marshall & Ilsley Bank - 'Banking Online customer Report'
25-Jan-2005

Summary
Email title: 'Banking Online customer Report'
Scam target: M&I Marshall & Ilsley Bank customers
Sender: M&I Marshall Rewiew Account Service <alert066794@mibank.com>
Sender spoofed/hidden? Spoofed
Phish 'punch line': 'Please verify your account parity to given email'
Scam goal: Getting victim's ATM/debit card information, mibank.com username/password
Phish link method: a 'click here' type link
Link 'masked'? Yes
Visible link: 'Login to Online Account' link
Actual link to: http://www.payterm.com/alert.html
Redirects to: http://168.188.99.111/cib/login.jsp
Phish website IP: 168.188.99.111

E-mail

This recent phish attack illustrates the tactic of using unsophisticated schemes against new targets, counting on low user awareness.

The phish message is well designed, and uses the typical phish tricks - a spoofed sender and a 'hidden' link:

[screenshot: the phish e-mail]
Web Site
Actual link to: http://www.payterm.com/alert.html
Redirects to: http://168.188.99.111/cib/login.jsp
Phish website IP: 168.188.99.111

The link in the email initially opens a page on payterm.com (a spammy looking site), which redirects to the real phish site. It looks almost exactly like the M&I login page, yet with a couple of differences:

  • The address bar lists a URL that has nothing to do with M&I;
  • The status bar does not show the lock icon that would indicate a secure session. This is also visible in the address bar - the URL does not start with 'https' but with 'http':

[screenshot: address bar]

And the status bar:

[screenshot: status bar]

After 'logging in' the phish site will demand your personal information. The two weaknesses noted above are still visible:

[screenshot: personal information page]
The site accepts whatever data is entered, unlike more sophisticated phishes, which at least attempt a first step of validation. Then, a logout page opens:

[screenshot: logout page]

This page has the sole purpose of throwing sand in the victim's eyes. A few seconds later, the browser is redirected to the legitimate M&I site - mibank.com.
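The three link-level indicators described above (a host unrelated to the brand, plain 'http' instead of 'https', and a raw IP address after the redirect) can be checked mechanically before a user ever clicks. The following is an added example, not code from APWG or from this report; it assumes mibank.com is the brand's only legitimate domain and uses a constructed e-mail body modelled on the message, not the real phish HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample modelled on the message described above; not the real phish HTML.
SAMPLE_EMAIL_HTML = """<p>Please verify your account parity to given email.</p>
<a href="http://www.payterm.com/alert.html">Login to Online Account</a>"""

LEGIT_DOMAINS = {"mibank.com"}          # assumption: the brand's only legitimate domain

class LinkExtractor(HTMLParser):        # collect (href, visible anchor text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def assess_link(href, text="", legit_domains=LEGIT_DOMAINS):
    """Return the indicators a link shows; an empty list means nothing suspicious."""
    u = urlparse(href)
    host = (u.hostname or "").lower()
    findings = []
    if u.scheme != "https":          # plain http: no lock icon in the browser
        findings.append("not https")
    if is_ip_literal(host):          # e.g. the 168.188.99.111 redirect target
        findings.append("raw IP host")
    elif not any(host == d or host.endswith("." + d) for d in legit_domains):
        findings.append("host outside brand domain")
    if findings and any(w in text.lower() for w in ("login", "log in", "sign in", "verify")):
        findings.append("login-style anchor text on suspicious link")
    return findings

def scan_email(html):
    p = LinkExtractor()              # map every link in the body to its indicator list
    p.feed(html)
    return {href: assess_link(href, text) for href, text in p.links}
```

Run `assess_link` on each hop of a redirect chain as well as on the e-mail's own links; the IP-literal landing page in this case is flagged even though it never appears in the message body.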

This scam resides on a server in the Republic of Korea:
WHOIS information (for IP 168.188.99.111):

Server location: Korea, Republic Of - Chungnam National University

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net

NetRange: 168.188.0.0 - 168.188.255.255
CIDR: 168.188.0.0/16
NetName: APNIC-ERX-168-188-0-0
NetHandle: NET-168-188-0-0-1
Parent: NET-168-0-0-0-0
NetType: Early Registrations, Transferred to APNIC
Comment: This IP address range is not registered in the ARIN database.
Comment: This range was transferred to the APNIC Whois Database as
Comment: part of the ERX (Early Registration Transfer) project.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
RegDate: 2003-08-20
Updated: 2003-08-20

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100