LandzDown Forum

There seems to be a major effort underway to phish Deutsche Bank AG customers through fraudulent emails.  I have collected a large number of these in the last few days which utilize a variety of subjects, From addresses, and target URLs.  All have certain features in common including:

- IP Address as part of the URL

- Use of non-standard port (680)

- All target URLs have been IP addresses followed by port and appended with /rock/d/

- No use of SSL and the sites do not have valid third party SSL certificates

- Geographic Mismatch (Target URLs are in the Republic of Korea)

- The sites attempt to spoof the IE address bar through javascript.  The script is detected by NAV as the js.stealus virus

- The email body consists of a .gif image transmitted in base64 encoding which is mapped to become one large clickable link to the target URL.

At this point in time all the target URLs that I have seen are being blocked by the Netcraft Toolbar, several by PhishGuard, FraudEliminator and CallingID warn on all, and TrustWatch reports them as 'Untrusted'.

I can do better than that, Eric.  I can submit all that I have seen so far.  I make it a habit to archive all the ones that I get just in case I need to go back and do further analysis.

Edit:  Just sent them 7 variants; all contain the same image but vary by subject, target URL, and originator

Indeed they are.  I save installers as well.

Got another variant of this phish this morning with a target URL served out of Turkey.  Saw one yesterday from South America as well.  These things are all over the place.

As an aside, I wanted to grab the source code from one of the sites and made the mistake of turning off the AV while opening it in Firefox.  Any attempt to close the tab resulted in the spawning of two more pointing to the same URL.  Finally had to just close FF to break the chain.  It also won't allow any editing, copying, or pasting in the address bar while it is open (either FF or IE).