A spoofed Web site that bears a close resemblance to the legitimate Internal Revenue Service Web page was recently encountered by the Trend Micro Content Security Team. Distributed through spam, the phishing URL http:// {BLOCKED}xxx.javabien.fr/ can be seen in the status bar when the cursor hovers over the visible link, as well as when the email is viewed in a text editor such as Notepad.
Figure 1 Sample of spam containing link to phishing site
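The hover check described above (the visible link says one thing, the underlying href says another) can be automated for incoming mail. The following is an added example, not Trend Micro's code or anything from the campaign: it parses an HTML email body, collects every anchor, and flags links whose visible text names a different domain than the real href, or whose href host merely embeds a trusted brand domain as a subdomain. The email body and all hostnames in it are constructed placeholders; `BRAND_DOMAINS` is an assumed allow-list you would fill with the brands your users expect.

```python
"""Flag links in an HTML email whose visible text disagrees with the real href.

Added example, not Trend Micro's code. The email body below is constructed for
illustration; the hostnames in it are placeholders, not observed indicators.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (placeholder hosts, not real campaign data).
SAMPLE_EMAIL_HTML = """
<p>Dear taxpayer, you are eligible for a refund. Click
<a href="http://phishing-host.example/irs/">https://www.irs.gov/refund</a>
to claim it.</p>
<p>Questions? Visit <a href="https://www.irs.gov/help">IRS help</a>.</p>
<p><a href="http://www.irs.gov.phishing-host.example/">Claim refund</a></p>
"""

# Assumed allow-list of brand domains users are expected to see (hypothetical).
BRAND_DOMAINS = ("irs.gov",)

# Visible text that a reader would take to be a URL or domain.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-zA-Z]{2,}(/\S*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase hostname of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: last two labels. Enough for this demo."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_mismatched_links(html):
    """Return (href, visible text, reason) for each suspicious anchor.

    Two checks, both mirroring what a user sees in the status bar on hover:
    1. Visible text looks like a URL but its domain differs from the href's.
    2. The href host embeds a brand domain under an unrelated domain.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        text_host = host_of(text) if URL_LIKE.match(text) else ""
        if text_host and registrable(text_host) != registrable(href_host):
            findings.append((href, text, "visible text domain != href domain"))
            continue
        for brand in BRAND_DOMAINS:
            if brand in href_host and registrable(href_host) != brand:
                findings.append((href, text, "brand domain embedded in unrelated host"))
                break
    return findings


if __name__ == "__main__":
    for href, text, reason in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: text={text!r} href={href!r}")
```

The registrable-domain helper deliberately uses the last two labels only; a production filter would use the public suffix list so that hosts like `example.co.uk` are compared correctly.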
The phishing site displays a message telling users that they are eligible to receive a tax refund of a specific amount. But here comes the interesting part: the user is then asked to select, from a drop-down menu on the page, the bank to which the supposed “tax refund” will be credited.
Figure 2 Screenshot of phishing site
Upon selecting a bank, the user is redirected to a spoofed login page for whichever bank they chose. Below are screenshots of spoofed login pages from that list:
Figure 3 Spoofed Bank of America login page
Figure 4 Spoofed Capital One login page
Figure 5 Spoofed Wachovia login page
All spoofed login pages of course prompt the user to enter their account credentials. This is a clever twist: phishers are now having users unknowingly choose for themselves which phishing attack will apply to them.
URLs of all phishing sites are now blocked by the Trend Micro Smart Protection Network.