Today I received an email from Arizona State Credit Union. It appears my account had been locked thanks to some pesky hackers from Europe. Wait a minute … I don’t even have an account with AZSTCU!
I get these phishing scams in my email every day. Phishers try to get your account data: username/password, Social Security number, birthday, account number and so on. They usually present you with a form to fill out that looks like it is from a trusted entity, in this case your bank. When they get this information they can either act on it, or sell it on the information black market. In this case the information targeted is your AZSTCU username and password.
This one is interesting because it is geographically targeted. The attacker is looking for customers of an Arizona Credit Union instead of a national or worldwide organization. He/she could have linked my web page to Arizona and harvested my email there. Here is the text of the email:
From: "azstcu.org"
Subject: Arizona State CU Important Update
Date: Wed, 3 Oct 2001 02:59:57 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081

Dear Arizona State CU Member,
We regret to inform you that we had to lock your account access because
we have reasons to believe that it may have been compromised by outside
parties.

During the last four weeks Arizona State CU system was attacked by scam artists and many
accounts were compromised during this action. The attack started from Europe
and Arizona State CU is working hard to track the scam artists. This is the reason to update
our database for a saver enviroment for our clients. A scam artist can`t send you
phising emails anymore because they don`t have access to your email adress anymore.

In order to protect your sensitive information, we temporarily suspended
your account access.
To reactivate your account access and confirm your identity by
completing the secure form what will appear please follow the link bellow

http://secure-azstcu.org
This is a security measure that will ensure that you are the only person with
access to the account.
Thank you for your time and consideration in this matter.

--------------------------------------------------------------------
Please do not reply to this message. For any inquiries, contact Customer Service.
Document Reference: (4137643).
Arizona State CU N.A. Member FDIC. Equal Housing Lender.
Copyright ? 2006 Arizona State CU FCU Bank, N.A. All rights reserved.

http://secure-azstcu.org
There are clues to its fraudulent origin. To begin with, the “From” address is “admin@register.com”, not an AZSTCU address! The link they give you isn’t really an AZSTCU address either; it’s cleverly made to look like one. “secure.azstcu.org” would be an actual AZSTCU address (a subdomain of azstcu.org), but “secure-azstcu.org” is an entirely different domain. The grammar and spelling errors help give it away as well.
The link to http://secure-azstcu.org displays a simple logon:
Enter any username and password and it displays a form prompting for even more information:
There are more clues in the header.
X-Gmail-Received: 91d5f32a32113b679ea9cd7bbfb736b41a0030d7
Delivered-To: sherman.boyd@gmail.com
Received: by 10.66.240.9 with SMTP id n9cs149804ugh;
Mon, 2 Oct 2006 06:38:43 -0700 (PDT)
Received: by 10.35.119.8 with SMTP id w8mr12529347pym;
Mon, 02 Oct 2006 06:38:17 -0700 (PDT)
X-Forwarded-To: sherman.boyd@gmail.com
X-Forwarded-For: sherman@twocell.com sherman.boyd@gmail.com
X-Gmail-Received: d548ce57f0a7b32ea1114dcfe2e555b5588c55a4
Delivered-To: sherman@twocell.com
Received: by 10.35.44.15 with SMTP id w15cs321707pyj;
Mon, 2 Oct 2006 06:38:15 -0700 (PDT)
Received: by 10.90.63.16 with SMTP id l16mr2661706aga;
Mon, 02 Oct 2006 06:38:15 -0700 (PDT)
Return-Path:
Received: from ws6-3.us4.outblaze.com (ws6-3.us4.outblaze.com [205.158.62.199])
by mx.gmail.com with SMTP id m1si5551238nzf.2006.10.02.06.38.14;
Mon, 02 Oct 2006 06:38:15 -0700 (PDT)
Received-SPF: neutral (gmail.com: 205.158.62.199 is neither permitted nor denied by best guess record for domain of admin@suzannelove.com)
Message-Id: <45211647.54ffa831.5768.2a16SMTPIN_ADDED@mx.gmail.com>
Received: (qmail 10729 invoked from network); 2 Oct 2006 13:38:01 -0000
Received: from unknown (HELO User) (admin@suzannelove.com@172.182.8.176)
by ws6-3.us4.outblaze.com with SMTP; 2 Oct 2006 13:38:00 -0000
From: "azstcu.org"
Subject: Arizona State CU Important Update
Date: Wed, 3 Oct 2001 02:59:57 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
The return path isn’t an azstcu address either; it’s admin@suzannelove.com. The header shows the attacker’s SMTP server to be 172.182.8.176.
A whois search on secure-azstcu.org provides the following:
Domain ID:D129958112-LROR
Domain Name:SECURE-AZSTCU.ORG
Created On:02-Oct-2006 13:37:29 UTC
Last Updated On:02-Oct-2006 13:37:31 UTC
Expiration Date:02-Oct-2007 13:37:29 UTC
Sponsoring Registrar:Melbourne IT, Ltd. dba Internet Names Worldwide (R52-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:D115977841045370
Registrant Name:Suzanne Lawson
Registrant Organization:Suzanne Lawson
Registrant Street1:6924 Kalanianaole
Registrant Street2:
Registrant Street3:
Registrant City:Honolulu
Registrant State/Province:HI
Registrant Postal Code:96825
Registrant Country:US
Registrant Phone:+1.2149859850
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:dasd34nn54n@yahoo.com
Admin ID:D115977841045367
Admin Name:Suzanne Lawson
Admin Organization:Suzanne Lawson
Admin Street1:6924 Kalanianaole
Admin Street2:
Admin Street3:
Admin City:Honolulu
Admin State/Province:HI
Admin Postal Code:96825
Admin Country:US
Admin Phone:+1.2149859850
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:dasd34nn54n@yahoo.com
Tech ID:D115977841045369
Tech Name:YahooDomains TechContact
Tech Organization:Yahoo! Inc
Tech Street1:701 First Ave.
Tech Street2:
Tech Street3:
Tech City:Sunnyvale
Tech State/Province:CA
Tech Postal Code:94089
Tech Country:US
Tech Phone:+1.6198813096
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:domain.tech@YAHOO-INC.COM
Name Server:YNS1.YAHOO.COM
Name Server:YNS2.YAHOO.COM
Bingo, the domain is hosted by Yahoo. The attack can be shut down by contacting Yahoo. I would suggest that AZSTCU create a web page detailing the scam and have Yahoo re-point http://secure-azstcu.org to this page. I’ve contacted AZSTCU and Yahoo, so we will see what happens.
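As an added illustration (not code from the post), here is a small Python checker that applies the clues discussed above in one pass: the From/Return-Path domain mismatch, the SPF result, the look-alike link domain, the Date: header that is years older than the delivery time, and the whois "Created On" time that lands less than a minute before delivery. The sample message is constructed from the headers quoted in the post; the Return-Path angle brackets and the From address are assumptions restored from the author's own description.

```python
import re
from datetime import datetime, timezone
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

LEGIT = "azstcu.org"  # the credit union's real domain, as named in the post
# Constructed sample from the quoted headers (Return-Path brackets and From address restored from the post's description)
SAMPLE = """Return-Path: <admin@suzannelove.com>
Received: from ws6-3.us4.outblaze.com ([205.158.62.199]) by mx.gmail.com; Mon, 02 Oct 2006 06:38:15 -0700 (PDT)
Received-SPF: neutral (gmail.com: 205.158.62.199 is neither permitted nor denied)
From: "azstcu.org" <admin@register.com>
Date: Wed, 3 Oct 2001 02:59:57 -0700

To reactivate your account please follow the link below http://secure-azstcu.org
"""
WHOIS_CREATED = "Created On:02-Oct-2006 13:37:29 UTC"  # line from the whois record above

def domain_of(header_value):
    # bare domain of an address header such as From: or Return-Path:
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def is_lookalike(host, legit=LEGIT):
    # host borrows the brand name but is neither the real domain nor a subdomain of it
    host = host.lower()
    return legit.split(".")[0] in host and host != legit and not host.endswith("." + legit)

def analyze(raw, whois_created_line=WHOIS_CREATED):
    """Return the phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if from_dom != rp_dom:
        flags.append(f"from/return-path mismatch: {from_dom} vs {rp_dom}")
    spf = str(msg.get("Received-SPF", "none")).split()[0].lower()
    if spf != "pass":
        flags.append(f"spf result: {spf}")
    # topmost Received: line carries the receiving MX's clock; compare it with Date: and with the whois creation time
    rcvd = parsedate_to_datetime(msg.get_all("Received")[0].rsplit(";", 1)[1].strip())
    stale_days = abs((rcvd - parsedate_to_datetime(msg["Date"])).days)
    if stale_days > 2:
        flags.append(f"date header off by {stale_days} days")
    created = datetime.strptime(whois_created_line.split(":", 1)[1].strip(),
                                "%d-%b-%Y %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    age_s = (rcvd - created).total_seconds()
    if age_s < 7 * 86400:
        flags.append(f"link domain registered {age_s:.0f} seconds before delivery")
    for host in re.findall(r"https?://([\w.-]+)", msg.get_content()):
        if is_lookalike(host):
            flags.append(f"look-alike link domain: {host}")
    return flags
```

Running `analyze(SAMPLE)` reports all five indicators for this message; a legitimate notice from secure.azstcu.org with a matching Return-Path and an SPF pass produces none.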
That's awesome, so you got her phone # and everything!? Smart man.
Well, that may be fake information. Someone probably stole her information and used it to purchase the domain and web hosting.