Section 5.7. In-Depth Example: Directory Listings

This example shows how the careful study of directory listings can uncover important clues that link a phishing site to a series of quite different scams. The trigger for this investigation was an email that appeared to come from First USA Bank, requesting that I log into their site and enter my credit card details.

The link took me to a fake login page at the domain 1stusa.info, which has no connection to the real bank. The site looked like a typical phishing attempt and seemed to be of little interest, until I started looking at directory listings. The HTML source of the login page showed that the bank logo and other images were located in the /images/ directory. Entering the URL http://1stusa.info/images/ brought up an extensive directory listing, of which a small section is shown in Figure 5-4.

Figure 5-4. Section of a directory listing from a phishing site

A number of these images were used in the login page, but most were not. As the directory listing includes links to the files, I was able to see what these other images represented, which made for some extremely interesting browsing. For example, the file welcome.jpg was an image with the text "Welcome to International Checkbank!" and demo.jpg was a screenshot of two web forms that related to check cashing and wire transfers on a site called checkbank.com. The image fcilogo2.gif contained the logo for a different company called Financial Consortium Intl.
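The cross-check described above (which files in the exposed listing the login page never actually uses) as an added Python example; this is not code from the book. The two HTML fragments are constructed stand-ins for a fake login page and an Apache-style auto-index, and the example.invalid URLs are placeholders.

```python
"""Compare the images a phishing page references with the files exposed
by a directory listing of its /images/ folder; the unreferenced files are
the ones worth looking at next. Both HTML samples below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed stand-in for the fake login page (references two images).
LOGIN_HTML = """<html><body>
<img src="/images/logo.gif"><img src="images/header.jpg">
<form action="login.php"><input name="card"></form></body></html>"""

# Constructed stand-in for an Apache-style auto-index of /images/.
INDEX_HTML = """<html><body><h1>Index of /images</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/">Parent Directory</a>
<a href="logo.gif">logo.gif</a>        12-Apr-2004 10:11  4.1K
<a href="header.jpg">header.jpg</a>    12-Apr-2004 10:11  18K
<a href="welcome.jpg">welcome.jpg</a>  03-Mar-2004 08:02  22K
<a href="certificate.gif">certificate.gif</a> 03-Mar-2004 08:02  60K
</pre></body></html>"""

class LinkCollector(HTMLParser):
    """Collects href values from <a> tags and src values from <img> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.srcs = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.srcs.append(a["src"])

def referenced_images(page_html, page_url):
    """Absolute URLs of every image the page itself displays."""
    p = LinkCollector(); p.feed(page_html)
    return {urljoin(page_url, s) for s in p.srcs}

def listed_files(index_html, dir_url):
    """Files in an auto-index; skips the sort links, parent dir and subdirs."""
    p = LinkCollector(); p.feed(index_html)
    return {urljoin(dir_url, h) for h in p.hrefs
            if not h.startswith(("?", "/")) and not h.endswith("/")}

def unreferenced_files(page_html, page_url, index_html, dir_url):
    """Listed files the page never uses, sorted for a stable report."""
    return sorted(listed_files(index_html, dir_url)
                  - referenced_images(page_html, page_url))
```

Calling unreferenced_files(LOGIN_HTML, "http://example.invalid/login.html", INDEX_HTML, "http://example.invalid/images/") returns the two files the login page does not show, certificate.gif and welcome.jpg.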

Perhaps most revealing was the file certificate.gif, which was an image of the Delaware state business license for Financial Consortium International Asset Management, LLC, part of which is shown in Figure 5-5.

Figure 5-5. Image of a fake business license


I don't know what a real Delaware business license looks like, but I do know with certainty that this document is a fake. Dr. Harriet Smith Windsor has indeed served as the Delaware Secretary of State. The only problem here is that she was appointed to that office in June of 2001, more than two years later than the date given in this document!

There was clearly something very fishy going on with this site. Running the names of these businesses through Google shows that this is just the tip of the iceberg. The people involved in this phishing scam have been linked to a series of check-cashing scams. These operate by persuading victims to cash checks that the operator sends them in return for a percentage commission. The victim cashes a check and immediately wires the money to the operator. The commission is never sent and the checks turn out to be stolen or counterfeit, leaving the victim owing the bank the full amount that was withdrawn.

This particular ring has been extremely busy and has attracted quite a lot of attention (http://financialcrimestaskforce.com/internationalwire.html). They have used a number of domains as cover for their scam, including purexian.biz, nextdayfinance.org, and checkbank.biz. As one site gets closed down they move on to another one. None of these sites is operational today.

Phishing web sites tend to be closed down quickly by the banks that they impersonate. But sites for these check-cashing schemes can stay around for a while, recruiting potential victims, before they commit their fraud. That longer lifespan means that they may have been copied to the Internet Archive. That is the case with two of these three sites. The Wayback Machine has a version of http://checkbank.biz dated April 12, 2004, that explains the scheme to potential victims. By May 18, 2004, this had been replaced by an "Account Suspended" notice from their ISP. The scheme reappeared at http://nextdayfinance.org, where the archive version dated June 9, 2004, reveals the functioning site. By June 16, 2004, one week later, that site had been shut down. Were it not for the Internet Archive, that information would no longer be available.



Internet Forensics
ISBN: 059610006X
Year: 2003
Pages: 121
