
Washington Mutual - 'WARNING: CONFIRM YOUR ONLINE BANKING ACCOUNT'
29-Nov-2004

Summary
Email title: 'WARNING: CONFIRM YOUR ONLINE BANKING ACCOUNT'
Scam target: Washington Mutual customers
Email format: HTML email
Sender:

Washington Mutual Security Department <account@wamu.com>

Sender spoofed? Yes
Phish 'punch line': 'We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by December 5, 2004, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes.'
Scam goal: Getting the victim's Washington Mutual website username/password, credit card information, name & address
Phish link method: a link in the HTML email
Visible link: 'Click here to verify your account'
Actual link to http://218.62.80.234/openwebmail/wamusk/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=
Phish website hosted on:

218.62.80.234

 
E-mail
 
Another phish wave consists of this scam, and some variations based on it. The most notable point in the phish message is the 'Dear...' part, in which the potential victim's email address is used (blacked out on the screenshot):
 
 

This is, obviously, an attempt to persuade the attacked person that the message comes from the legitimate source. The email address is the only piece of personal information the phisher has, so that is what gets used.

But remember: a legitimate company will address you by the first and family name you registered with it, not simply by your email address.

 
Web Site
Visible link: 'Click here to verify your account'
Actual link to http://218.62.80.234/openwebmail/wamusk/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=
Phish website hosted on:

218.62.80.234

 
The site is well crafted, but some phishing clues are obvious, the phishy URL and the page rendering errors being the most prominent:
 
 
There is a second phish page, opened after 'login':
 
 

The mentioned clues are apparent on this page, too.

The site uses Luhn's formula (a first-step credit card number verification algorithm, which does not require a connection to any card-issuer server) to check the CC number you enter. Numbers that pass the Luhn test are accepted. This does not mean that the phishers have access to any CC info: the checking algorithm is openly available. Of course, it CANNOT verify on its own whether this is a real card number.
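To make the point concrete, here is an added example (written for this write-up, not code from APWG or from the phishing kit) of the Luhn mod-10 check running purely offline. It shows why a phishing page can "validate" a card number without any bank access, and why passing the check says nothing about whether a card exists: the sample inputs below are constructed, including a public test number and an obviously bogus sequential string that nevertheless passes.

```python
"""Luhn (mod 10) check as a phishing kit would run it: a local arithmetic
test only, with no connection to any card network or issuer."""


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 test.

    Spaces and dashes are tolerated as separators; any other non-digit
    character, or fewer than two digits, fails the check.
    """
    digits = number.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 from any doubled value above 9 (same as summing its digits).
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def classify(candidates: dict) -> dict:
    """Run the Luhn test over a mapping of label -> candidate string.

    Returns a mapping of label -> bool so the results can be inspected or
    asserted on rather than only printed.
    """
    return {label: luhn_valid(value) for label, value in candidates.items()}


# Constructed sample inputs (not real card numbers):
#   - "public test number": the widely published 4111... test value
#   - "typo in last digit": the same value with the check digit altered
#   - "obviously bogus": a sequential string that still satisfies Luhn
#   - "digits swapped": the bogus string with its last two digits transposed
#   - "garbage": non-numeric input
SAMPLES = {
    "public test number": "4111 1111 1111 1111",
    "typo in last digit": "4111 1111 1111 1112",
    "obviously bogus": "1234567812345670",
    "digits swapped": "1234567812345607",
    "garbage": "abcd",
}

if __name__ == "__main__":
    for label, ok in classify(SAMPLES).items():
        verdict = "passes Luhn" if ok else "fails Luhn"
        print(f"{label:>20}: {verdict}")
```

The "obviously bogus" row is the one to note: `1234567812345670` passes the same test the phish page performs, so the check filters out typos and transposed digits and nothing more; whether a number belongs to a live account can only be answered by the issuer, which a kit hosted on a random web server never contacts.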

After getting the information required, the phish site redirects to the legitimate wamu.com.

 
WHOIS data (for IP 218.62.80.234):

inetnum: 218.62.0.0 - 218.62.127.255
netname: CNCGROUP-JL
country: CN
descr: CNCGROUP jilin province network
admin-c: CH444-AP
tech-c: WT92-AP
status: ALLOCATED NON-PORTABLE
changed: abuse@cnc-noc.net 20031016
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-JL
changed: hm-changed@apnic.net 20040301
source: APNIC