Tue, Nov 09, 2004 12:43 am

SunTrust Banks Scam

I received an email today, purportedly from SunTrust Banks, Inc., which was actually a phishing scam. The message had a "from" address of "Suntrust Bank " and a subject of "SunTrust Bank SECURE VERIFICATION PROCESS". The message had a GIF image, chinaman.GIF, embedded in it.

Clicking on the link in the message opens another window where the mark is expected to fill in the following fields:

ATM/Debit Card
PIN-code
Expiration date
CVV2 (the three-digit code on the back of a credit card)
Login Name
Password
E-mail Address

To view a snapshot of that window, click here or to view the window as activated by the HTML code, click here. Submitting the form yields a "Thank you for confirmation" message.

In Internet Explorer, when you move your cursor over the link in the email message, you see http://www.suntrust.com/personal/Checking/OnlineBanking/Internet_Banking/security.asp, which is a real SunTrust webpage, but the real URL to which you will be taken is shown below:

http://%32%30%33%2e%31%39%38%2e%32%31%30%2e%31%35%36:%38%37/%73%74/%69%6E%64%65%78%2E%68%74%6D

The author of this scam is using an obfuscated URL to make it less likely that potential marks will see through the scam. Obfuscated URLs can be deobfuscated using tools provided at various websites. Entering the above URL at http://javascript.internet.com/equivalents/url-revealer.html reveals a more intelligible URL, http://203.198.210.156:87/s/t/index.htm, which is more obviously not a SunTrust website address.

The source code for the message shows the obfuscation. The HTML code can be downloaded here.
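The comparison described above, as an added example that is not part of the original post: a Python sketch that percent-decodes every link target in a message body and flags links whose visible text names a different host than the one they point to. The function names and the sample anchor are constructed here, and using the SunTrust URL as the link's visible text is an assumption about how the message displayed it.

```python
import ipaddress
from contextlib import suppress
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

def decode_url(url):
    while unquote(url) != url:  # repeat so double encoding is undone too
        url = unquote(url)
    return url

def audit(shown, href):
    """Compare the text a reader sees with where the href really points."""
    target = urlsplit(decode_url(href))
    reasons = []
    if "%" in urlsplit(href).netloc:
        reasons.append("percent-encoded host")
    with suppress(ValueError):  # ValueError means a DNS name, not an IP literal
        ipaddress.ip_address(target.hostname or "")
        reasons.append("raw IP host")
    if target.port not in (None, 80, 443):
        reasons.append("non-standard port")
    shown_host = urlsplit(shown).hostname
    if shown_host and shown_host != target.hostname:
        reasons.append("shown host differs from target")
    return {"shown": shown, "target": target.geturl(), "reasons": reasons}

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.findings.append(audit("".join(self.text).strip(), self.href))
            self.href = None

def audit_email(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample (assumption): the two URLs quoted above joined into one anchor.
SAMPLE = ('<a href="http://%32%30%33%2e%31%39%38%2e%32%31%30%2e%31%35%36:%38%37/%73%74/%69%6E%64%65%78%2E%68%74%6D">'
          'http://www.suntrust.com/personal/Checking/OnlineBanking/Internet_Banking/security.asp</a>')
```

Calling `audit_email(SAMPLE)` returns one finding carrying all four reasons; a link whose decoded host matches its visible text, uses a DNS name and a standard port returns an empty reason list.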
