Tastier phish

One of the first things you learn when you start looking for phishing attempts is to watch for a divergence between the link you see on screen and the link you see in the status bar when you mouse over it.

Weirdly, I got one yesterday that had no such divergence, but was still bogus. Some of the text, for the benefit of searchers:

Dear Comerica Bank customer,

You have received this alerting message, as you are listed to be an Comerica Business Connect user.

We would like to inform you that we are currently carrying out scheduled maintenance of banking software, that operates customer database for Comerica Business Connect users. Customer database is based on a client-server protocol, so, in order to finish the update procedure, we need customer direct participation. Every Comerica Business Connect customer has to complete a Comerica Business Connect Customer Form. In order to access the form, please use the link below. The link is unique for each account holder and expires within a certain period of time. If you don’t fill in Comerica Business Connect Customer Form before your unique link expires, the system will automatically send you a new notification message.

The language, of course, gives it away; it’s only slightly better than someone trying to imitate American legalese with no tools but a French-to-Urdu phrasebook. All it lacks is a hovercraft full of eels.

But the link, ostensibly to “businessconnect.comerica.com,” for some reason showed exactly that when I tried mousing over it in my webmail client. Perplexed, I saved it as a file on the desktop and viewed it separately; Firefox did not catch the discrepancy. (I later downloaded it through POP3, and Outlook Express was not fooled.) The only anomaly I could see in the code was that they’d set what looked like a couple of hex bytes — 3D — between “<a href=” and the beginning of the real URL.

Eventually I determined that the destination of all clicks on this link was a Mexican domain, which prompts the following response from me: “Mi aerodeslizador está lleno de anguilas.”





3 comments

  1. McGehee »

    16 July 2009 · 8:33 am

    Babelfish confirmed my suspicion. Heh.

    As for this phishing expedition, it’s frightening to think people would fall for it, and still be allowed to vote, drive a car, or handle sharp objects.

    There’s only been one time I’m aware of that a tech upgrade caused any account information loss about me by a vendor; as a result some considerable amount of billing was sent to an outdated and defunct e-mail address. When I closed my account (for other reasons) they then tried to hit me up for those billings plus late charges. I told them what you would expect me to tell them, and that was the end of it.

    It’s the vendor’s responsibility to maintain the integrity of its records — not the client.

  2. McGehee »

    16 July 2009 · 8:37 am

    …and have you run that script by Samuel L. Jackson?

  3. Kay Dennison »

    16 July 2009 · 4:37 pm

    LOL
