
Archive for August 1st, 2008


Aug 1
by Ralph Hernandez (Fraud Analyst)

A phishing email uses a novel-sounding concept that can sound alarming enough to get unsuspecting users to click on the available links and land themselves in danger.

The Trend Micro Content Security team recently came across a Bank of America phishing site that tells users their online accounts were recently “logged on from an unregistered computer using a foreign IP without an International Access Code (IAC).” Here’s a screenshot:


Figure 1. Newly discovered page warning the user of a possible intruder attempt at accessing his/her accounts.

When the verification link is clicked, the page opens a new window containing the phishing page. Users who have fallen for the breach alert will be more than willing to enter their credentials into the login page which, of course, turns out to be absolutely fake. Here is a screenshot of the phishing page:


Figure 2. The verification link in Figure 1 leads to this Bank of America phishing page.

A familiar but still effective phishing technique lends a false sense of credibility to this attack: the use of address bar spoofing to hide the real phishing URL. As seen in the screenshot below, checking the Properties of the phishing page (by right-clicking anywhere on the phishing page and then clicking Properties) shows that the real URL is different from that displayed in the URL address bar.


Figure 3. The URL of the phishing page in Figure 2 is fake. Here we see the real phishing URL in the page’s Properties section.

Users are reminded that banks have never been known to register their clients’ computers to their online banking systems. Although we have yet to see specific spam messages pointing to the site in Figure 1, an attack leveraging these made-up sites will not be too long in coming. Trend Micro Smart Protection Network already blocks this phishing Web site.

 

Aug 1
by Verna Sagum (Fraud Analyst)

A spoofed Web site that bears a close resemblance to the legitimate Internal Revenue Service Web page was recently encountered by the Trend Micro Content Security Team. Distributed through spam, the phishing URL http://{BLOCKED}xxx.javabien.fr/ can be seen in the status bar when the cursor is hovered over the visible link, as well as when the email is viewed in a text editor such as Notepad.


Figure 1 Sample of spam containing link to phishing site

The phishing site displays a message telling users that they are eligible to receive a tax refund of a specific amount. But here comes the interesting part: the user is then asked to select, from a drop-down menu displayed on the page, the bank to which the supposed “tax refund” will be credited.


Figure 2 Screenshot of phishing site

Upon selecting a certain bank, the user will then be redirected to a spoofed login page of whichever bank they had chosen. Below are screenshots of spoofed login pages from the said list:


Figure 3 Spoofed Bank of America login page


Figure 4 Spoofed Capital One login page


Figure 5 Spoofed Wachovia login page

All spoofed login pages of course prompt the user to enter their account credentials. This is a really clever attack; phishers are now making the users unknowingly choose for themselves which phishing attack will apply to them.

URLs of all phishing sites are now blocked by the Trend Micro Smart Protection Network.

 


© Copyright 2008 Trend Micro Inc. All rights reserved.