Author Topic: Deutsche Bank AG Phish (Several Variants)  (Read 8797 times)

Offline Oldfrog

  • Visiting Experts
  • Jr. Member
  • *****
  • Posts: 12
    • Decker Technology
Deutsche Bank AG Phish (Several Variants)
« on: December 06, 2005, 02:36:33 PM »
There seems to be a major effort underway to phish Deutsche Bank AG customers through fraudulent emails.  I have collected a large number of these in the last few days which utilize a variety of subjects, From addresses, and target URLs.  All have certain features in common including:

    - IP Address as part of the URL

    - Use of non-standard port (680)

    - All target URLs have been IP addresses followed by port and appended with /rock/d/

    - No use of SSL and the sites do not have valid third party SSL certificates

    - Geographic Mismatch (Target URLs are in the Republic of Korea)

    - The sites attempt to spoof the IE address bar through JavaScript.  The script is detected by NAV as the js.stealus virus

    - The email body consists of a .gif image transmitted in base64 encoding which is mapped to become one large clickable link to the target URL.

At this point in time all the target URLs that I have seen are being blocked by the Netcraft Toolbar, several by PhishGuard, FraudEliminator and CallingID warn on all, and TrustWatch reports them as 'Untrusted'.
Site Admin: SpywareWarrior
Site Admin: TechForums
Spyware Host: CastleCops
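
The message-level traits listed in the post above can be checked mechanically. The following is an added example, not part of the original post or any tool named in it: a Python sketch that parses one raw email and reports which of those traits it shows. The function names, indicator labels and the sample builder are hypothetical, and the geographic and address-bar script checks are not covered.

```python
import ipaddress
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkScan(HTMLParser):  # collects link targets, linked images, visible text
    def __init__(self):
        super().__init__()
        self.hrefs, self.linked_imgs, self.text, self.in_a = [], 0, "", False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.in_a = True
            self.hrefs += [v for k, v in attrs if k == "href" and v]
        elif tag == "img" and self.in_a:
            self.linked_imgs += 1
    def handle_endtag(self, tag):
        self.in_a = self.in_a and tag != "a"
    def handle_data(self, data):
        self.text += data.strip()

def indicators(raw_message):  # returns the set of traits found in one raw message
    found = set()
    for part in message_from_string(raw_message, policy=policy.default).walk():
        if part.get_content_type() != "text/html":
            continue
        scan = LinkScan()
        scan.feed(part.get_content())
        if scan.linked_imgs and not scan.text:
            found.add("image-only clickable body")
        for href in scan.hrefs:
            url = urlsplit(href)
            try:
                ipaddress.ip_address(url.hostname or "")
                found.add("IP address as host")
            except ValueError:
                pass  # host is a name, not an IP literal
            if url.port not in (None, 80, 443):
                found.add("non-standard port")
            if url.scheme == "http":
                found.add("no SSL")
            if url.path.startswith("/rock/d/"):
                found.add("/rock/d/ path")
    return found

def build_sample(html):  # constructed message: HTML body plus a related base64 GIF
    msg = EmailMessage()
    msg.set_content(html, subtype="html")
    msg.add_related(b"GIF89a", maintype="image", subtype="gif", cid="<img1>")
    return msg.as_string()
```

Calling `indicators(build_sample('<a href="http://192.0.2.10:680/rock/d/"><img src="cid:img1"></a>'))` on that constructed message (192.0.2.10 is a documentation address) returns all five labels.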

Offline Eric the Red

  • ISO/IEC 27001:2013
  • Administrator
  • Hero Member
  • *****
  • Posts: 1618
  • Would somebody please pass me a beer!
Re: Deutsche Bank AG Phish (Several Variants)
« Reply #1 on: December 07, 2005, 09:01:05 PM »
Oldfrog,

Thanks for that. If you get any more of these would you please consider submitting them at millersmiles.co.uk, they seem to be lacking this particular scam  :thumbsup:
"The time to start running is around about the "e" in "Hey, you!" "

The information I provide is provided "AS IS" without warranty, and confers no rights.

Offline Oldfrog

  • Visiting Experts
  • Jr. Member
  • *****
  • Posts: 12
    • Decker Technology
Re: Deutsche Bank AG Phish (Several Variants)
« Reply #2 on: December 09, 2005, 03:36:15 AM »
I can do better than that, Eric.  I can submit all that I have seen so far.  I make it a habit to archive all the ones that I get just in case I need to go back and do further analysis.

Edit:  Just sent them 7 variants; all contain the same image but vary by subject, target URL, and originator
Site Admin: SpywareWarrior
Site Admin: TechForums
Spyware Host: CastleCops

Offline Jason

  • Sr. Member
  • ****
  • Posts: 321
  • The Onomatopoetic
Re: Deutsche Bank AG Phish (Several Variants)
« Reply #3 on: December 09, 2005, 04:32:02 PM »
Oldfrog,

Great job mate! :thumbsup:
Sometimes I'm said to be a bit of a squirrel (i.e. saving data) but archives are a blessing. 8)
In a perfect world, spammers would get caught, go to jail, and share a cell with many men who have enlarged something, taken Viagra and are looking for a new relationship.

Offline Oldfrog

  • Visiting Experts
  • Jr. Member
  • *****
  • Posts: 12
    • Decker Technology
Re: Deutsche Bank AG Phish (Several Variants)
« Reply #4 on: December 09, 2005, 05:43:17 PM »
Indeed they are.  I save installers as well.

Got another variant of this phish this morning with a target URL served out of Turkey.  Saw one yesterday from South America as well.  These things are all over the place.

As an aside, I wanted to grab the source code from one of the sites and made the mistake of turning off the AV while opening it in Firefox.  Any attempt to close the tab resulted in the spawning of two more pointing to the same URL.  Finally had to just close FF to break the chain.  It also won't allow any editing, copying, or pasting in the address bar while it is open (either FF or IE).
Site Admin: SpywareWarrior
Site Admin: TechForums
Spyware Host: CastleCops

Offline Eric the Red

  • ISO/IEC 27001:2013
  • Administrator
  • Hero Member
  • *****
  • Posts: 1618
  • Would somebody please pass me a beer!
Re: Deutsche Bank AG Phish (Several Variants)
« Reply #5 on: December 10, 2005, 07:46:18 PM »
Quote from: Oldfrog
    I can do better than that, Eric.  I can submit all that I have seen so far.  I make it a habit to archive all the ones that I get just in case I need to go back and do further analysis.

    Edit:  Just sent them 7 variants; all contain the same image but vary by subject, target URL, and originator

Thanks for doing that, Oldfrog. Whilst I am not in any way connected with Millersmiles I think that it is one of the best phishing resources on the 'net and it will continue to get better if we all support it - phishing is an evil practice and deserves to be stamped on and Millersmiles helps to educate the unwary  :soapboax:
"The time to start running is around about the "e" in "Hey, you!" "

The information I provide is provided "AS IS" without warranty, and confers no rights.