SouthTrust- 'Important Secuity Issue !!!'
09-May-2005

Summary
Email title: 'Important Secuity Issue !!!'
Scam target: SouthTrust customers
Sender: onlinebanking@southtrust.com
Sender spoofed/hidden? Spoofed
Scam goal: Getting the victim's credit card information and bank account number
Phish link method: URL link
Link 'masked'? Yes
Visible link: https://southtrustonlinebanking.com/retail/
Actual link to: http://itcare.co.kr/data/.SouthTrust/index.html
Phish site IP: 61.75.15.77

 
Analysis contributed by: Tumbleweed Communications - Message Protection Lab
 
Overview
 
A typical 2-stage (a pseudo login and a main page) phish.
 
E-mail
 
The email is quite well designed. It features some legitimate-looking SouthTrust attributes - a logo and a reasonably convincing header and footer:


The sender is well spoofed, and the link is hidden. The policy described is urgent in tone but not threatening - it could be persuasive.
 
Web Site
Visible link: https://southtrustonlinebanking.com/retail/
Actual link to: http://itcare.co.kr/data/.SouthTrust/index.html
Phish site IP: 61.75.15.77

 

When the phish site opens up, it looks almost exactly like the legitimate login page. However, a few important clues can be noticed:

  • The suspicious URL in the address bar - it is not hidden with any technical tricks;
  • The HTML rendering errors on the page - something unlikely on an official bank's login screen;
  • The absence of the 'lock' icon in the status bar that would indicate a secure HTTPS session (despite the VeriSign logo displayed):
 
 

Any combination of letters and numbers will be accepted as a username or password - the site has no way to check them.

After the so-called 'login', the main phish page (the one asking for the credit card and bank account information) opens up:

 
 

The same clues spotted on the first page can be seen here.

The site does not attempt to verify the entered data in any manner - it accepts anything, as long as the fields are not empty.

After that, the browser is redirected to the legitimate site's privacy policy page:

 
 
The phish site is hosted on a server in Korea:
 
WHOIS data (for IP 61.75.15.77):

Domain Name : itcare.co.kr
Registrant : ITCare. Co. LTD
Registrant Address : Guro-dong, Guro-gu, Seoul, Republic of Korea 1102 Ace Techno Tower, 212-1
Registrant Zip Code : 152050
Administrative Contact(AC): Lee Hyeong Jun
AC E-Mail : junlh1210@empal.com
AC Phone Number : 02-858-4141
Registered Date : 1999. 07. 02.
Last updated Date : 2004. 08. 18.
Expiration Date : 2005. 10. 15.
Publishes : Y
Authorized Agency : INAMES(the "I" stands for "Internet") Co., Ltd. (http://www.inames.co.kr)

Primary Name Server
Host Name : ns.itcare.co.kr
IP Address : 61.75.15.77

Secondary Name Server
Host Name : ns2.itcare.co.kr
IP Address : 61.75.15.77