By Jerry Pierce.
Give a man food, and he’ll eat for one day – teach a man to PHISH and he’ll use your credit card to live a lifetime. Well, at least until you notify your bank…
Earlier this week, Brad Antoniewicz came across a piece of spam in his mailbox that caught his attention - it was strangely professional. He offered up the e-mail to anyone in Foundstone who was curious and I choose to dive in!
Taking a look, the email itself looks fairly solid with the exception of the originating email address of “email@example.com” which should start alarm bells ringing:
If you banked with Chase you would be very alarmed at the seeming legitimacy of this email alert!
If you open the “Restore Access Form” which is attached, you get presented with a very official looking interface to what purports to be chaseonline.chase.com:
The primary reason that everything looks so legit is that the hacker is pulling the graphical images from the legitimate “chaseonline.chase.com” site.
Sharp eyed and paranoid users might notice the connection the form opened isn’t using HTTPS and that everything you enter is traversing the internet in clear text. No banking site would consider prompting you for that sort of critical financial information without safeguarding it via HTTPS.
If you “hover” of the “NEXT” button you see that instead of “http://www.chase.com” being displayed we see the true destination of any information you enter:
Hrmm... http://220.127.116.11/s/w.php looks pretty suspicious!
Following up this trail, we start by using one of the online Registries to determine the country and ownership of the IP address in question. Since we don’t know off-hand where that IP resides, we’ll query the American Registry of Internet Numbers or “ARIN” which identifies the IP address as being managed by “RIPE” for EMEA based resolution.
Once there, a “whois” lookup shows that the IP address which is receiving the credit card data is found to be part of a network block allocated to France Telecom:
So while the email looks legit and has a potentially true “ring” to it, always be suspicious and rather than just supplying this sort of information to a nameless site somewhere on the internet, contact your bank or credit card provider directly for confirmation of any problem.
The site is already down, or at least unresponsive, and a quick search for 18.104.22.168 results in this https://www.phishtank.com/phish_detail.php?phish_id=1438995 which identifies it as a phish!
So remember, don't open that attachment or click that link!
Here are a couple phishing references (courtesy of Chris Silvers):