Screenshots of a Comerica phishing attack

Comerica is a financial services company headquartered in Dallas. Today we received numerous phishing spam emails trying to snatch information and token codes of Comerica users.

The phishing mail:

From: no-reply@comerica.com
Subject: Comerica Bank customer service: important security update
Date: January 22, 2009 3:25:56 PM GMT+01:00
To: ___@net-security.org

Dear Comerica Bank customer,

You have received this alerting message, as you are listed to be an Comerica Business Connect user.

We would like to inform you that we are currently carrying out scheduled maintenance of banking software, that operates customer database for Comerica Business Connect users. Customer database is based on a client-server protocol, so, in order to finish the update procedure, we need customer direct participation. Every Comerica Business Connect customer has to complete a Comerica Business Connect Customer Form. In order to access the form, please use the link below. The link is unique for each account holder and expires within a certain period of time. If you don’t fill in Comerica Business Connect Customer Form before your unique link expires, the system will automatically send you a new notification message.

http://businessconnect.comerica.com/session-id-062/cma/portal/customerform/index.jsp?temp-id=897974076517629390369149221810964497869377958224475803135441

Thank you for your cooperation. We apologize for any inconvenience brought.
Comerica Bank

Clicking the link opens a well-crafted URL hosted in the Belgian (.be) domain space, with the genuine Comerica hostname placed in front as a subdomain prefix:

http://businessconnect.comerica.com.session-id-062.mddrv.be/cma/portal/customerform/index.jsp/index0.php
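
The gap between the link text shown in the mail and the host that actually opens can be checked mechanically, for example in a mail filter. The Python sketch below is an added example, not part of the original article; the function names are hypothetical, and the plain suffix comparison is an assumption standing in for a full public-suffix lookup.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "comerica.com"  # the bank's real domain, as shown in the mail

# The two URLs quoted in the article: the link text and the page it opens.
DISPLAYED = ("http://businessconnect.comerica.com/session-id-062/cma/portal/"
             "customerform/index.jsp")
ACTUAL = ("http://businessconnect.comerica.com.session-id-062.mddrv.be/cma/"
          "portal/customerform/index.jsp/index0.php")


def host_of(url):
    """Lower-cased hostname of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def link_findings(displayed, actual, trusted=TRUSTED_DOMAIN):
    """Return a list of reasons why a link looks deceptive (empty if none)."""
    shown, real = host_of(displayed), host_of(actual)
    if belongs_to(real, trusted):
        return []  # the target really is on the trusted domain
    findings = []
    if belongs_to(shown, trusted):
        # The mail shows the bank's host but the target is somewhere else.
        findings.append("displayed-host-trusted-but-target-is-not")
    labels, brand = real.split("."), trusted.split(".")
    # Look for the trusted domain's labels anywhere except at the very end
    # of the host, i.e. used as a prefix of somebody else's domain.
    if any(labels[i:i + len(brand)] == brand
           for i in range(len(labels) - len(brand))):
        findings.append("trusted-domain-used-as-subdomain-prefix")
    return findings


if __name__ == "__main__":
    print(host_of(ACTUAL))
    print(link_findings(DISPLAYED, ACTUAL))
```
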

Step one – get user credentials:

Asking for further information + “all fields required” check:

Getting the token code:

Share everything with the phisher:

Re-request the token:

Everything is “OK”, and the user gets redirected to the actual Comerica web site:
