06 December 2006

bank of america phish

we received this excellent bank of america.com phish today. it even got around gmail's junk email filter and that's unusual, so it could be a new style...

an easy way to tell is to run your mouse over the hyperlink while watching the status bar. for instance, in this phish the link looks legitimate, but a second look at the status bar shows that the two don't match: the real address begins starlightdancestudio.com ... to make sure, next you (in firefox 2.0) right-click the link > copy shortcut, then paste that into your traceroute...

3d's traceroute truncates the url down to the domain name.
see, starlightdancestudio.com is hosted by someone called ecommerce.com... it's not a bank of america domain. then you forward the complete email to the host's abuse department and cc: reportphishing@antiphishing.org and spam@uce.gov

if you want to, although there's no need to email them, you can also use 3d's traceroute to find out who the domain name registrar is.
Process query: 'starlightdancestudio.com'
1. Step: Querying com.whois-servers.net:43 with whois.
2. Step: Querying whois.godaddy.com:43 with whois
-- From: com.whois-servers.net:43
Domain Name: STARLIGHTDANCESTUDIO.COM
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
-- End --
-- From: whois.godaddy.com:43
Reply-To: wesawthat@gmail.com
From: wesawthat@gmail.com
To: abuse@ecommerce.com
Cc: reportphishing@antiphishing.org ,spam@uce.gov
Subject: Fw: Bank of America: Important Notice On Your Account Information (Re-Confirm)
Date: Wed, 6 Dec 2006 15:41:15 -0600

ECOMMERCE.COM: this spam was sent to advertise a phishing website that you host. please would you terminate service to:


[message source]
click properties > details > message source > select all, then copy and paste the message source at the top of your forward
click the link to read more about phishing from the anti-phishing working group