
Pulse EFT - 'Confirmation- PULSE debit card electronic fund transfer'
17-Mar-2005

Summary
Email title: 'Confirmation- PULSE debit card electronic fund transfer', followed by the recipient's email address
Scam target: Pulse EFT debit card owners
Sender: PULSE EFT Association <alerts@pulse-eft.com>
Sender spoofed/hidden? Spoofed
Scam goal: Getting the victim's Pulse EFT debit card information and Pulse EFT username/password
Phish link method: URL link
Link 'masked'? No
Visible link: 'http://www.pulse-eft.com.fd-asp.us/login/?...' (truncated)
Actual link to: 'http://www.pulse-eft.com.fd-asp.us/login/?...' (truncated, same as visible link)
Phish website IP: 64.91.236.66
 
Overview
 
A cleverly made 'social engineered' scam.
 
E-mail
 

The email is in HTML format, but there is nothing fancy in it, just the text and links (the recipient's email address is part of the link, so it is blacked out):

 
 
The phish domain is well chosen, and the link is not 'hidden' - i.e. the target URL is the same as the visible one. The sender is spoofed, though.
 
Web Site
Visible link: 'http://www.pulse-eft.com.fd-asp.us/login/?...' (truncated)
Actual link to: 'http://www.pulse-eft.com.fd-asp.us/login/?...' (truncated, same as visible link)
Phish website IP: 64.91.236.66
 
The phish site follows the same strategy. It mimics the original site very closely, and does not use any technical deceptive techniques. The entire trick is the clever domain name.
 
 

The most significant visible weakness here is that the site is not served over 'https'. A legitimate financial institution would not demand such sensitive information over an unsecured channel.
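The two visible signals described above (the brand's domain used as subdomain labels of an unrelated registered domain, and a credential page served without https) can be checked mechanically. The following is an added example, not part of the original report; the protected domain is an assumption inferred from the spoofed sender address, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: the brand's real domain, inferred from the spoofed sender
# address shown in this report (alerts@pulse-eft.com).
PROTECTED_DOMAINS = {"pulse-eft.com"}


def registrable_domain(host):
    """Return the last two labels of a host name.

    Simplification: correct for single-label suffixes such as .com and .us;
    production code should consult the Public Suffix List instead.
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def check_link(url):
    """Return a list of finding codes for one URL taken from an e-mail body."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    registered = registrable_domain(host)
    findings = []
    for brand in PROTECTED_DOMAINS:
        if registered == brand:
            continue  # the link really is on the brand's own domain
        # Match on whole labels only, so "notpulse-eft.com" is not flagged.
        if f".{brand}." in f".{host}.":
            findings.append(f"brand-in-subdomain:{brand}->{registered}")
    if parts.scheme.lower() != "https":
        findings.append("no-tls")
    return findings


if __name__ == "__main__":
    # Constructed samples; the first is the report's link with its
    # truncated query string left off.
    samples = [
        "http://www.pulse-eft.com.fd-asp.us/login/",
        "https://www.pulse-eft.com/login/",
    ]
    for sample in samples:
        print(sample, check_link(sample))
```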

After the debit card information is entered, a login page is displayed:

 
 
Here, a smart and effective trick is used: the login information is passed on to the legitimate site. If this information is correct, a normal login proceeds, and the victim is left with no clue of the scam that has taken place. In our case, we entered some bogus information. When it was passed to the legitimate site, no login occurred:
 
 
The site itself is hosted in the US:
 
WHOIS data (for IP 64.91.236.66) :

Domain Name: FD-ASP.US
Sponsoring Registrar ENOM, INC.

Registrant Name CAROLANNE KILLMER
Registrant Address1 4 VICTORY CT
Registrant City SAGINAW
Registrant State/Province KS
Registrant Postal Code 48602
Registrant Country United States
Registrant Country Code US

Name Server NS1.GLOBALSECURESERVERS.NET
Name Server NS2.GLOBALSECURESERVERS.NET

Created by Registrar ENOM, INC.
Last Updated by Registrar ENOM, INC.

Domain Registration Date Thu Mar 17 01:05:07 GMT 2005
Domain Expiration Date Thu Mar 16 23:59:59 GMT 2006
Domain Last Updated Date Mon Mar 21 09:23:59 GMT 2005