Deutsche Bank AG Phish (Several Variants)

Started by Oldfrog, December 06, 2005, 04:36:33 PM


Oldfrog

There seems to be a major effort underway to phish Deutsche Bank AG customers through fraudulent emails.  I have collected a large number of these in the last few days which utilize a variety of subjects, From addresses, and target URLs.  All have certain features in common including:

    - IP Address as part of the URL

    - Use of non-standard port (680)

    - All target URLs have been IP addresses followed by port and appended with /rock/d/

    - No use of SSL and the sites do not have valid third party SSL certificates

    - Geographic Mismatch (Target URLs are in the Republic of Korea)

    - The sites attempt to spoof the IE address bar through JavaScript.  The script is detected by NAV as the js.stealus virus

    - The email body consists of a .gif image transmitted in base64 encoding which is mapped to become one large clickable link to the target URL.

At this point in time all the target URLs that I have seen are being blocked by the Netcraft Toolbar, several by PhishGuard, FraudEliminator and CallingID warn on all, and TrustWatch reports them as 'Untrusted'.
Site Admin: SpywareWarrior
Site Admin: TechForums
Spyware Host: CastleCops
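The indicators listed in the post above (raw IP address in the URL, non-standard port 680, the /rock/d/ path, no SSL, and a mail body that is one base64 GIF wrapped in a single link) can be turned into a small triage check. The script below is an added example, not code from this thread or from any of the toolbars mentioned; the indicator names, the "three or more indicators" threshold, and the sample URLs and HTML body (using the documentation-range address 192.0.2.10) are constructed assumptions for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Values taken from the thread: the observed port and path fragment.
KNOWN_PORT = 680
KNOWN_PATH = "/rock/d/"
STANDARD_PORTS = {80, 443}


def phish_indicators(url):
    """Return the names of the thread's URL indicators that `url` matches."""
    hits = []
    parsed = urlparse(url)
    host = parsed.hostname or ""

    # Indicator: the host is an IP literal rather than a bank domain.
    try:
        ipaddress.ip_address(host)
        hits.append("ip_literal_host")
    except ValueError:
        pass

    # Indicator: a port other than 80/443 (680 in the reported campaign).
    try:
        port = parsed.port
    except ValueError:  # malformed port such as ":abc"
        port = None
    if port is not None and port not in STANDARD_PORTS:
        hits.append("nonstandard_port")
        if port == KNOWN_PORT:
            hits.append("port_680")

    # Indicator: the /rock/d/ path seen on every target URL.
    if KNOWN_PATH in parsed.path:
        hits.append("rock_d_path")

    # Indicator: no SSL at all.
    if parsed.scheme.lower() != "https":
        hits.append("no_tls")
    return hits


def is_suspicious(url, threshold=3):
    """Constructed heuristic: flag when at least `threshold` indicators match."""
    return len(phish_indicators(url)) >= threshold


class _ImageLinkScan(HTMLParser):
    """Collect hrefs of anchors that wrap an <img>, and count visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_chars = 0
        self._open_href = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._open_href = a.get("href")
        elif tag == "img" and self._open_href:
            self.links.append(self._open_href)

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_href = None

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def image_link_mail(html_body, max_text=20):
    """Return link targets when the body is essentially one clickable image.

    `max_text` (an assumption) bounds how much real text such a mail may carry.
    """
    scan = _ImageLinkScan()
    scan.feed(html_body)
    if scan.links and scan.text_chars < max_text:
        return scan.links
    return []


def triage_mail(html_body):
    """Map each image-link target in the body to its matching URL indicators."""
    return {url: phish_indicators(url) for url in image_link_mail(html_body)}


# Constructed sample: a body that is nothing but a GIF inside one anchor.
SAMPLE_BODY = (
    '<html><body>'
    '<a href="http://192.0.2.10:680/rock/d/"><img src="cid:logo.gif"></a>'
    '</body></html>'
)

if __name__ == "__main__":
    for url, hits in triage_mail(SAMPLE_BODY).items():
        print(url, "->", hits, "suspicious" if is_suspicious(url) else "ok")
```

Run on a saved HTML mail body, `triage_mail` lists every image-only link target with the indicators it trips; a legitimate bank login page served over HTTPS on a named host trips none of them.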

Eric the Red

Oldfrog,

Thanks for that. If you get any more of these would you please consider submitting them at millersmiles.co.uk, they seem to be lacking this particular scam  :thumbsup:
"The time to start running is around about the "e" in "Hey, you!" "

Oldfrog

I can do better than that, Eric.  I can submit all that I have seen so far.  I make it a habit to archive all the ones that I get just in case I need to go back and do further analysis.

Edit:  Just sent them 7 variants; all contain the same image but vary by subject, target URL, and originator
Site Admin: SpywareWarrior
Site Admin: TechForums
Spyware Host: CastleCops

Jason

Oldfrog,

Great job mate! :thumbsup:
Sometimes I'm said to be a bit of a squirrel (i.e. saving data) but archives are a blessing. 8)
In a perfect world, spammers would get caught, go to jail, and share a cell with many men who have enlarged something, taken Viagra and are looking for a new relationship.

Oldfrog

Indeed they are.  I save installers as well.

Got another variant of this phish this morning with a target URL served out of Turkey.  Saw one yesterday from South America as well.  These things are all over the place.

As an aside, I wanted to grab the source code from one of the sites and made the mistake of turning off the AV while opening it in Firefox.  Any attempt to close the tab resulted in the spawning of two more pointing to the same URL.  Finally had to just close FF to break the chain.  It also won't allow any editing, copying, or pasting in the address bar while it is open (either FF or IE).
Site Admin: SpywareWarrior
Site Admin: TechForums
Spyware Host: CastleCops

Eric the Red

Quote from: Oldfrog on December 09, 2005, 05:36:15 AM
I can do better than that, Eric.  I can submit all that I have seen so far.  I make it a habit to archive all the ones that I get just in case I need to go back and do further analysis.

Edit:  Just sent them 7 variants; all contain the same image but vary by subject, target URL, and originator

Thanks for doing that, Oldfrog. Whilst I am not in any way connected with Millersmiles I think that it is one of the best phishing resources on the 'net and it will continue to get better if we all support it - phishing is an evil practice and deserves to be stamped on and Millersmiles helps to educate the unwary  :soapbox:
"The time to start running is around about the "e" in "Hey, you!" "