PNC Bank Phishing Attack!

21 06 2010

The MS Team just came across a new phishing email spoofing PNC Bank! The PNC phishing email routes you to a spoofed PNC Bank site so the attackers can steal your banking info. The phishing email tells you to restore your account! The spoofed site will steal your banking info and even send you a nice Trojan and key-logger to capture all your personal data.

PNC is a highly diversified and growing financial services organization spanning the retail, business and corporate markets.

PNC Bank Targeted attack: hxxp://www.pnc-client155r22.com.

The site is associated with the BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD registrar, which is known to harbor Pharma Scam, Fake Software and Fake Rolex sites.


<PNC Phish Sample>

From: PNC Bank [mailto:Alert@pnc.com]
Sent: Saturday, June 19, 2010 9:51 AM
To: <Joe SixPack>
Subject: Notice – Pnc

Dear PNC customer,

Protecting the security of our customers and the PNC, as a preventative measure, we have temporarily limited access to sensitive account features. Please take the following steps to ensure that your account has not been compromised and restore your account: “h–p://www.pnc-client155r22.com”

2010 PNC and Co, Inc. All rights reserved. Member SIPC (2009-4236090)

Malware Links: hxxp://www.pnc-client155r22.com/
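The sample above claims a pnc.com sender while its only link points at an unrelated host that merely contains the brand name. The following check for that mismatch is an added example, not part of the original post; the function names, the brand list and the two-label domain shortcut are assumptions made for illustration.

```python
import re

# Matches plain and defanged schemes (http, hxxp, h--p, h<en dash>p); captures the host.
_LINK = re.compile(r'\bh(?:tt|xx|--|\u2013)ps?://([^\s/<>"\u201c\u201d]+)', re.I)


def link_hosts(text):
    """Return lower-cased hostnames of every plain or defanged link in text."""
    return [m.group(1).lower().rstrip(".").split(":")[0]
            for m in _LINK.finditer(text)]


def base_domain(host):
    # Assumption: last two labels is good enough for .com hosts.
    # Production code should use the Public Suffix List instead.
    return ".".join(host.split(".")[-2:])


def check_message(from_addr, body, brand_domains):
    """Flag links whose domain is not one of the brand's own domains."""
    sender = base_domain(from_addr.rsplit("@", 1)[-1].strip("<>] ").lower())
    brand_labels = {d.split(".")[0] for d in brand_domains}
    findings = []
    for host in link_hosts(body):
        dom = base_domain(host)
        if dom in brand_domains:
            continue  # link stays on the brand's own domain
        reasons = []
        if sender in brand_domains:
            reasons.append("sender claims %s but link goes to %s" % (sender, dom))
        # Brand token used as a label or hyphenated part of a foreign host.
        if set(re.split(r"[.\-]", host)) & brand_labels:
            reasons.append("brand name embedded in unrelated host")
        if reasons:
            findings.append((host, reasons))
    return findings


# Sender and link line taken from the sample in this post.
SAMPLE_FROM = "Alert@pnc.com"
SAMPLE_BODY = ("Please take the following steps to ensure that your account has "
               "not been compromised and restore your account: "
               "\u201ch\u2013p://www.pnc-client155r22.com\u201d")

if __name__ == "__main__":
    for host, reasons in check_message(SAMPLE_FROM, SAMPLE_BODY, {"pnc.com"}):
        print(host, "->", "; ".join(reasons))
```

The From header is trivially forged, so the sender comparison only shows that the message contradicts itself; it says nothing about where the mail really came from.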

Site Analyzed:  pnc-client155r22.com

DNS Traffic:

  • statse.webtrendslive.com <– Tracking cookies!

Malicious HTTP Traffic:

Request: [ GET /images/Conversion495x159WelcomeNatCityV2.swf ], Response: [ 200 “OK” ]
From  1051 to 62.195.178.192:80 – [ http://www.pnc-client155r22.com ]
Request: [ GET /images/Requester_003.jpg ], Response: [ 200 “OK” ]
From ANUBIS:1052 to 62.195.178.192:80 – [ http://www.pnc-client155r22.com ]
Request: [ GET /images/Requester_002.jpg ], Response: [ 200 “OK” ]
From ANUBIS:1053 to 62.195.178.192:80 – [ http://www.pnc-client155r22.com ]
Request: [ GET /images/Requester_004.gif ], Response: [ 200 “OK” ]
Request: [ GET /dcsx2yobi00000w45we0xdcvj_6x2g/wtid.js ], Response: [ 200 “Ok” ]
