This seems to be a pretty popular email, as we have seen a few of these already. This phishing attempt actually targets users of Internet Explorer and tries to send users of other browsers, such as Mozilla, off to SunTrust's real site.
PHISHING EMAIL:
Mousing over the links shows the URL "http://196.40.75.39/s/"
PHISHING SITE:
The landing page after clicking the link is "index.php". This page
uses server-side logic to determine the user's browser. If the browser
is Internet Explorer, the user is sent on to the next page of the scam site using
JavaScript. If the user is using anything else, such as Mozilla or Opera, they
are redirected to the real SunTrust website.
Output for IE:
<script language="JavaScript">
location.href=unescape('http://196.40.75.39/s/login.html ');
</script>
Output for other browsers:
<script language="JavaScript">
location.href=unescape('https://internetbanking.suntrust.com');
</script>
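The browser-dependent redirect shown above can be checked for mechanically by comparing where each browser's response points. The following is an added example, not code from the original post; the function names and the "MSIE"/"Mozilla" labels are assumptions, and the sample bodies are the two outputs quoted above.

```python
import re
from urllib.parse import unquote, urlsplit

# location.href = unescape('...') or location.href = '...'
REDIRECT_RE = re.compile(
    r"location\.href\s*=\s*(?:unescape\(\s*)?['\"]([^'\"]+)['\"]", re.I)

def js_redirect_target(body):
    """Return the URL a page assigns to location.href, or None if there is none."""
    m = REDIRECT_RE.search(body)
    # unquote() stands in for JavaScript's unescape(); strip() drops the
    # trailing space seen in the IE output.
    return unquote(m.group(1)).strip() if m else None

def redirect_hosts(responses):
    """Map each User-Agent label to the host its response redirects to."""
    hosts = {}
    for label, body in responses.items():
        target = js_redirect_target(body)
        hosts[label] = urlsplit(target).hostname if target else None
    return hosts

def is_cloaked(responses):
    """True when the same URL sends different browsers to different hosts."""
    return len(set(redirect_hosts(responses).values())) > 1

# The two index.php outputs quoted above, keyed by hypothetical labels.
SAMPLE = {
    "MSIE": "<script language=\"JavaScript\">\n"
            "location.href=unescape('http://196.40.75.39/s/login.html ');\n"
            "</script>",
    "Mozilla": "<script language=\"JavaScript\">\n"
               "location.href=unescape('https://internetbanking.suntrust.com');\n"
               "</script>",
}

if __name__ == "__main__":
    for label, host in redirect_hosts(SAMPLE).items():
        print(f"{label:8} -> {host}")
    print("cloaked:", is_cloaked(SAMPLE))
```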

The login page has simple JavaScript verification which was essentially ripped off from SunTrust's website. Ironically, SunTrust places the current date in the JavaScript source, so we can tell this phisher copied the SunTrust site on "10/23/2004". You will also notice they tried to spoof the location bar by overlaying text. Unfortunately for them, it didn't lay out just right. This is apparently the reason they only wanted to send IE users to their site.

EMAIL SOURCE:
Received: from unknown (HELO client-200.121.15.152.speedy.net.pe) (200.121.15.152)
by [removed] with SMTP; 18 Nov 2004 23:19:55 -0000
X-Message-Info: oala9TQ15HS6wL079FAG3ss8lf755t604NYzug
Received: from ovqkeg0.delphi.com ([190.108.91.196]) by wrd8-tf.delphi.com with Microsoft SMTPSVC(5.0.2195.6824);
Fri, 19 Nov 2004 19:11:14 -0100
Received: from tanzaniahereinh355 (pintail[201.8.191.52])
by delphi.com (ypsid471) with SMTP
id <915285b93pu>
(Authid: GayKenny);
Fri, 19 Nov 2004 13:15:14 -0700
From: "SunTrust" <support@suntrust.com>
To: [removed]
Subject: Internet Banking with Bill Pay Fees Waived
Date: Fri, 19 Nov 2004 21:11:14 +0100
Message-ID: <72892Q034EP39$470UR95SD791$ku6cze82h@forgorb6n305>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--113860395789230149"
----113860395789230149
Content-Type: text/html;
Content-Transfer-Encoding: 7Bit
<table border="0" cellpadding="0" cellspacing="0" width="600">
<tr>
<td width="10"><SPACER height="1" width="10"
type="block"></td>
<td width="590"> <font color="#000066" face="Arial"> <p> </p>
<p><font color="#000066" face="Arial"><b>Dear SunTrust Bank Customer,</b></font></p>
<font color="#000000" face="Arial"> <p>SunTrust Internet Banking with Bill Pay has become even better. We are
waiving monthly fees for SunTrust Internet Banking with Bill Pay and SunTrust
PC Banking with Bill Pay for all our clients.</p>
<p>As an additional security measure, you need to activate this new feature
by <a href="http://196.40.75.39/s/">signing on</a> to Internet
Banking. Please verify your preferred email address and the information
that SunTrust uses to confirm your identity. </p>
<p>In the Update Internet Banking service area you can also view the accounts
you currently have tied to your Internet Banking service, to view whether
Bill Pay is enabled on a particular account, and to request other accounts
to be added to your Internet Banking service.</p>
<p>To do so, simply <a href="http://196.40.75.39/s/">sign on</a> to Internet Banking. <br>
<font face="Arial, Helvetica, sans-serif"><br>
</font><font face="Times New Roman, Times, serif"> </font> </p>
</font></font><font color="#000066" face="Arial"><font color="#000000" face="Arial"> <p> </p>
<p><font color="#000000" face="Arial"><b>SunTrust Internet Banking</b><br>
</font></p>
</font></font></td> </tr>
<tr>
<td width="600" colspan="2" bgcolor="#000060"><SPACER height="1" width="600"
type="block"></td>
</tr> <!-- <tr>
<td width="600" colspan="2" align="right"><font color="#777777" face="Arial" size="1">Copyright ? 2004 SunTrust</font></td>
</tr> -->
</table>
<font color="#FFFFFF">appeasable gilt saccade austria hunk splice tied shanghai accolade amnesia intimidate aden uracil abalone clamp crouch echoes decor snarl stewardess ken despondent elizabethan aseptic </font>
----113860395789230149--
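The message above claims a suntrust.com sender while its links point at a bare IP address, and it ends with a block of white text. The following added example (not part of the original post) scans an HTML body for those traits; the class, function and finding names are assumptions, and the sample is a shortened excerpt of the message above.

```python
import ipaddress
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

WHITE = {"#ffffff", "#fff", "white"}

class BodyScan(HTMLParser):
    """Collects link targets and any text set in a white <font>."""
    def __init__(self):
        super().__init__()
        self.links, self.hidden, self._fonts = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "font":  # innermost colour wins; no colour inherits
            color = (a.get("color") or "").lower()
            self._fonts.append(color in WHITE if color else any(self._fonts[-1:]))
    def handle_endtag(self, tag):
        if tag == "font" and self._fonts:
            self._fonts.pop()
    def handle_data(self, data):
        if any(self._fonts[-1:]) and data.strip():
            self.hidden.append(data.strip())

def analyze(from_header, html):
    """Return (finding, detail) pairs for one HTML body and its From header."""
    sender = parseaddr(from_header)[1].rpartition("@")[2].lower()
    scan = BodyScan()
    scan.feed(html)
    scan.close()
    findings = []
    for href in dict.fromkeys(scan.links):  # de-duplicate, keep order
        host = (urlsplit(href).hostname or "").lower()
        try:
            ipaddress.ip_address(host)
            findings.append(("ip-literal-link", href))
        except ValueError:
            if host != sender and not host.endswith("." + sender):
                findings.append(("off-domain-link", href))
    if scan.hidden:
        findings.append(("invisible-text", " ".join(scan.hidden)))
    return findings

# Shortened excerpt of the message above.
FROM = '"SunTrust" <support@suntrust.com>'
HTML = ('<p><a href="http://196.40.75.39/s/">signing on</a> <a href="http://196.40.75.39/s/">sign on</a></p>'
        '<font color="#FFFFFF">appeasable gilt saccade</font>')
```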
SCAM SITE HOST INFO:
Port Information:
Does the term "Swiss Cheese" come to mind?
7/tcp open echo
9/tcp open discard?
13/tcp open daytime Microsoft Windows USA daytime
17/tcp open qotd Windows qotd
25/tcp open smtp Microsoft ESMTP 5.0.2195.6713
42/tcp open wins Microsoft Windows Wins
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS webserver 5.0
88/tcp open kerberos-sec Microsoft Windows kerberos-sec
113/tcp open auth?
389/tcp open ldap Microsoft LDAP server
443/tcp open https?
464/tcp open kpasswd5?
636/tcp open ldapssl?
637/tcp open lanserver?
1002/tcp open ldap (Anonymous bind OK)
1026/tcp open msrpc Microsoft Windows msrpc
1029/tcp open ms-lsa?
1103/tcp open msrpc Microsoft Windows msrpc
1248/tcp open msrpc Microsoft Windows msrpc
3268/tcp open ldap Microsoft LDAP server
3269/tcp open globalcatLDAPssl?
3372/tcp open msdtc Microsoft Distributed Transaction Coordinator
3389/tcp open microsoft-rdp Microsoft Terminal Service (Windows 2000 Server)

inetnum: 196.40.75.0/25
status: reassigned
owner: Amnet Television
ownerid: CR-AMTE2-LACNIC
address: De la POPS Sabana 350 m oeste, frente UACA
address: San Jose, San Jose 7968-1000
country: CR
owner-c: SP533-ARIN
created: 20020620
changed: 20020620
inetnum-up: 196.40.64/19
source: ARIN-LACNIC-TRANSITION
nic-hdl: SP533-ARIN
person: Sergio Patino
e-mail: spatino@ITS.CO.CR
address: IT Servicios de Infocomunicaciones
address: De la POPS Sabana 350 m oeste, frente UACA
address: San Jose, 7968-1000
country: CR
phone: (506) 210-9212
source: ARIN-LACNIC-TRANSITION
http://community.securityteam.us/article.php/20041118212809813