How do phishers do this? - Page 4

suzzer99 · #31 02-23-2006, 10:58 PM

One sneaky thing I have seen them do is turn off your address bar using javascript, then have an image at the top of the page that looks EXACTLY like an IE address bar, with the correct address of course. Very very sneaky. And very obvious in Firefox.

Jack of Arcades · #32 02-23-2006, 11:11 PM

yeah, IDN addresses. this one is legit though. it's very obvious if you try to change the font.

C.R.E.A.M. · #33 02-23-2006, 11:13 PM

All,

I do have a chase account, but it is with a different e-mail account. I signed in to my account through www.chase.com and this e-mail was NOT added to my account. I was scared that it was a legit email until I put williams_farder into google and found some links indicating it's a phisher, including this

This phisher is either really really smart or really really dumb.

Buccaneer · #34 02-23-2006, 11:15 PM

[ QUOTE ]
I know this is phishing and I wasn't dumb enough to click it. So then I did "right-click"->"properties" on the link, expecting to see some stupid URL, but it actually directs you to the page "https://chaseonline.chase.com/chaseonline/home/sso_co_home.jsp". Can someone explain to me how the phisher has what looks like a secure web site at a chase.com

[/ QUOTE ]

Would you mind very much to post ACTIVE links of every suspicious email you get. This way you can share the viri, keyloggers, spyware, and crap with anyone who is not as bright as you Skippy

C.R.E.A.M. · #35 02-23-2006, 11:19 PM

Here's another email I got from the exact same email address ([email protected]), on the same day, a whole 3 minutes after I got the first e-mail about williams_farder!

[ QUOTE ]
Dear Chase Manhattan's Bank Client,

This is your official notification from Chase Manhattan Bank that the service(s)

listed
below will be deactivated and deleted if not renewed immediately.
Previous
notifications have been sent to the Billing Contact assigned to
this account. As
the Primary Contact, you must renew the service(s) listed
below or it will be
deactivated and deleted

SERVICE: Chase Manhattan Bank Online
Banking MasterCard®
SecureCode™

EXPIRATION: Feb 9 2006

https://chaseonline.chase.com/chaseo...so_co_home.jsp

Sincerely,

Chase Manhattan
Bank Account Review Department.

================================================== ==============
IMPORTANT CUSTOMER SUPPORT INFORMATION

================================================== ==============

Need help? Use "Site Helper" or call customer service at 1.800.788.7000.

Please do not "Reply" to this Alert.

©2005 Chase Manhattan Bank Financial Group. All rights reserved.

[/ QUOTE ]

The link in this email also goes to the chase.com web site, exactly how it says.

This is definitely NOT from chase, but I'm still not sure if this guy can gather your information from that link, or if he is just an idiot who screwed up.

suzzer99 · #36 02-23-2006, 11:30 PM

Maybe he's setting you up to trust these emails, then he's gonna slip a fast one on you in a week by changing the URL just a teeny bit.

mrkilla · #37 02-23-2006, 11:38 PM

[ QUOTE ]
jman,

my question was more about the ability to register the website with the people who make websites = IP addresses. domain name servers or whatever. ya know what im sayin?

warik,

well i agree that there are "quite a number of differences," but there are a shitload of similarities as well, which would lead me to be suspicious before i was trusting.

that being said, i think your research is solid and the page is legit.

yasher

[/ QUOTE ]

Ok Hopefully I can help you all here.
Firstly, if you ever get a bank email, um CALL THE BANK, I once was called because someone "stole my credit card" I didnt believe it I ran them through a ringer, sure enough my CC was stolen (number anyway) but you always verify.

Your computer Questions:
If you own or register a domain name like www.youradumbass.com you have control over this. You tell the DNS holders (usually the registrar for smaller stuff) where you want people to go (the IP) and they post it and the worlds DNS servers now say "Ok www.youradumbass.com goes to 127.0.0.1) The only way to change where this points is to change it on the DNS server where its hosted. Or to take over the DNS hosting for the site which would mean you have to be a registrar (which is almost impossible to be)

Here read this DNS explained

Simply a hacker can't take over the case domain name easily.

So Whats going on here?

info on the trojan

Edit to add this: you can also check the email it self and where it came, verify the , all email has a route it goes through make sure it came from a chase server. It's in the email properties

JJ97 · #38 02-24-2006, 11:46 AM

More than likily they are exploiting a Cross Site Scripting Vulnernablity in chase.com.

Google Cross Site Scripting or XSS for more info...

bisonbison · #39 02-24-2006, 01:09 PM

[email protected]

Underscores aren't legitimate characters in Gmail account names. Other than that I have no opinion.

mrkilla · #40 02-24-2006, 01:15 PM

[ QUOTE ]
[email protected]

Underscores aren't legitimate characters in Gmail account names. Other than that I have no opinion.

[/ QUOTE ]

I guess your not so useless after all