Washington Mutual: fraud verification process
From CastleCopsWiki
Category: Financial Institution
Purpose: Obtain Account Details for Fraudulent Purposes; Possible Identity Theft
Delivery Mechanism: Text/HTML Email with BCC Addressees; Subject: Washington Mutual: fraud verification process
Origination Date: Sun, 09 Jan 2005 03:52:11 -0600
Social Engineering: Purports to be routine process to avoid alarm; Purports to be an obligatory process
Target Mechanism: Fraudulent Web Site
Obfuscation:
1) Body of Email consists of a base64 encoded .gif graphic mapped as a clickable link to the fraudulent web site. (Explanation)
2) Communication to the target web site is established using a non-standard port for purposes of camouflage. (Explanation)
Message:
http://www.geocities.com/froghome2003/fraud/wamu1.png
Analysis: This exploit exhibits the following suspicious characteristics:
1) Awkward grammatical constructs
2) Target URL contains an IP address rather than the legitimate domain name used by the institution
3) Communication uses a non-standard port number
4) Communication does not use Secure Sockets Layer (SSL) encryption
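The two obfuscation techniques and the four suspicious characteristics listed above can be checked mechanically. The script below is an added example, not part of the CastleCopsWiki entry or of any vendor's detection logic: it builds a constructed message shaped like the one described (an HTML body whose only visible content is an inline base64 GIF wrapped in a link), then flags an image-only body, an IP-address host, a non-standard port and a non-HTTPS scheme. The address 192.0.2.10, the port 8080 and the path are placeholders, and the GIF bytes are a stand-in rather than the real graphic.

```python
"""Heuristic checks for the phishing indicators described in the entry above.

Added example, not part of the original page. The message, the IP address
(192.0.2.10, an RFC 5737 documentation address), the port and the path are
all constructed placeholders.
"""
import base64
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

STANDARD_WEB_PORTS = {80, 443}


def build_sample_message() -> bytes:
    """Construct a message in the described shape: an HTML part whose only
    visible content is a base64 GIF inside a link to an IP-address URL on a
    non-standard port. Every value here is a placeholder."""
    # A GIF header plus padding stands in for the real graphic (constructed bytes).
    gif = base64.b64encode(b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 10).decode()
    html = (
        "<html><body>"
        '<a href="http://192.0.2.10:8080/wamu/login.php">'  # placeholder target
        f'<img src="data:image/gif;base64,{gif}"></a>'
        "</body></html>"
    )
    msg = EmailMessage()
    msg["Subject"] = "Washington Mutual: fraud verification process"
    msg["From"] = "security@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(html, subtype="html")
    return msg.as_bytes()


def extract_links(html: str) -> list[str]:
    """Return href targets of anchor tags (a simple regex suffices here)."""
    return re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.I)


def image_only_body(html: str) -> bool:
    """True when the body carries an inline base64 image and no visible text,
    i.e. the whole 'message' is a picture that the reader clicks."""
    has_inline_image = bool(
        re.search(r'src\s*=\s*["\']data:image/[^;]+;base64,', html, re.I)
    )
    visible_text = re.sub(r"<[^>]+>", "", html).strip()
    return has_inline_image and visible_text == ""


def url_findings(url: str) -> list[str]:
    """Apply the URL checks from the Analysis section to one link target."""
    parts = urlsplit(url)
    findings = []
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)          # bare IP instead of a domain name
        findings.append("ip-address-host")
    except ValueError:
        pass
    if parts.port is not None and parts.port not in STANDARD_WEB_PORTS:
        findings.append(f"non-standard-port:{parts.port}")
    if parts.scheme.lower() != "https":     # no SSL/TLS on the link
        findings.append("no-tls")
    return findings


def analyze(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and collect message- and URL-level findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"message": [], "urls": {}}
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return findings
    html = html_part.get_content()
    if image_only_body(html):
        findings["message"].append("base64-image-as-link")
    for url in extract_links(html):
        findings["urls"][url] = url_findings(url)
    return findings


if __name__ == "__main__":
    for key, value in analyze(build_sample_message()).items():
        print(key, value)
```

Run on the constructed sample, `analyze` reports `base64-image-as-link` for the body and `ip-address-host`, `non-standard-port:8080` and `no-tls` for the single link, which is exactly the combination the entry describes. The regex-based HTML handling is deliberately minimal; a production filter would parse the HTML properly and compare the host against the institution's known domains rather than only testing for a bare IP address.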
Keywords: Washington Mutual, WAMU, planned software upgrade, confirmation of customers' data, obligatory to follow
References:
[1] Detailed Analysis
[2] TrendMicro threat definition for HTML_WAMUFRAUD.A
