SpamBITS

SPAM Filter - Keep your mail box clean

Internet Banking notification BXS.com

By SpamBurner • Sep 26th, 2007 • Category: Finance SPAM, Fraud SPAM, Phishing SPAM

What a polite notification. I didn’t know that I had chosen this bank. I received this email a few hours ago. Sometimes it is really funny to read this stuff. The email contains important information about my account and the transactions I have made. Did I click? Yes, of course. I have to check my bank information. What did I find? Let me show you.

I am working with Mozilla Firefox, which has a built-in Phishing Protection feature. When it starts to load the page, a pop-up window appears informing me that this is a phishing web site.
Let’s see the email content:

Dear Member:

Thank you for choosing BancorpSouth Management. Unfortunately there has been a
problem processing your last transfer information for the month of September,2007.

Please review our requirements at BancorpSouth account management. You will be able
to update your transfer information quickly and easily using our secure server
web form. Please understand that without promptly updating your private
information, your BancorpSouth service may be discontinued. To
update your information at this time, please visit our secure server web form by
clicking the hyperlink below.

BancorpSouth Online Services

We appreciate your business and hope to keep you as a customer for life.
BancorpSouth is so easy, no wonder it’s number 1 !

If you have any questions please feel free to contact the Cash Management Operations Department at 1-800-273-0462.

Thank you,

Ralph Price
1st Vice President
Cash Management Operations

© 2007 BancorpSouth Online, Inc. All Rights Reserved

Hovering over the link with the mouse shows the real URL it leads to - http://bancorpsouthonline.inview.32168266.corporate.bxs09.com/
Again we see that the address starts with the long name bancorpsouthonline, trying to delude us into thinking that it points to the real web site.
The phishing spammers exploit one interesting fact: in the modern world people are in a hurry and usually don’t read everything to the end. When we see that something is familiar or looks all right, we skip the rest. Combine this with the fact that for a human it is enough for the first and the last letter of a word to be correct; the mind does not pay much attention to what is in the middle. Our brain automatically comes up with the first phrase, word, object or whatever that is most similar. Also, when we see a link, clicking it is like a natural instinct.

If we split the address by dots we get:

  • bancorpsouthonline
  • inview
  • 32168266
  • corporate
  • bxs09.com

The last one is the phishing domain bxs09.com, quite similar to the original one. All the others are sub-domains used for the deception.

While I was writing this post the phishing web site was shut down. At the moment of writing it redirects to the bxs.com web site. The phishing site was online for about 7 and a half hours while the phishing spam was flooding mail boxes.

Again we have the obvious spam symptoms in the email headers:

  • Return address is different from the sender:
    From: “Inview clients department” <corporatesupport@bancorpsouthonline.com>
    Reply-To: Christopher.Collins@offerbyowner.com
  • The IP address from which the email was sent - 88.166.129.119 has nothing in common with the IP address of the web site bxs.com

The domain offerbyowner.com is registered but stopped at the moment. that claims to be the sender of the email or at least the one that
We do not need to go deep into the headers this time. These are common patterns, the spammers’ best practices. They are still used, which means they are effective. Be careful before you click on a link in an email. And never enter sensitive information on a web site that you reached from a suspicious email.
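
The two checks walked through above (finding the registrable domain behind the decoy sub-domains, and comparing From with Reply-To), as an added Python example that is not part of the original post. The function names, the short suffix set and the brand keyword list are assumptions made for illustration; the headers and the link are the ones quoted in the post.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for this sample.
SUFFIXES = {"com", "net", "org", "co.uk"}

def registrable_domain(host):
    """Longest known suffix plus the one label to its left; the rest are sub-domains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels

def addr_domain(header_value):
    """Registrable domain of the address in a From/Reply-To header value."""
    return registrable_domain(parseaddr(header_value)[1].rpartition("@")[2])

def analyse(raw_headers, link_url, legit_domain, brand_words):
    msg = message_from_string(raw_headers)
    host = (urlsplit(link_url).hostname or "").lower()
    link_dom = registrable_domain(host)
    decoys = [l for l in host[: -len(link_dom)].split(".") if l]  # labels left of it
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg.get("Reply-To", msg["From"]))
    return {
        "link_domain": link_dom,
        "link_is_legit": link_dom == legit_domain,
        "lookalike_score": round(SequenceMatcher(None, link_dom, legit_domain).ratio(), 3),
        "brand_in_subdomain": [l for l in decoys if any(w in l for w in brand_words)],
        "reply_to_mismatch": from_dom != reply_dom,
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
    }

# Headers and link as quoted in the post (straight quotes used for the display name).
SAMPLE_HEADERS = (
    'From: "Inview clients department" <corporatesupport@bancorpsouthonline.com>\n'
    "Reply-To: Christopher.Collins@offerbyowner.com\n\n"
)
SAMPLE_LINK = "http://bancorpsouthonline.inview.32168266.corporate.bxs09.com/"

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HEADERS, SAMPLE_LINK, "bxs.com", ["bancorpsouth"]).items():
        print(f"{key}: {value}")
```

A mail filter would load the full Public Suffix List instead of the short set here, since the registrable domain is only as accurate as the suffix data behind it.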

Hope you enjoy!

One Response »

  1. Thank you for sharing!
