I just received the following e-mail a few minutes ago:
From: "RaboBank"
Reply-To:
To: undisclosed-recipients:
Subject: RaboBank Survey

Dear user,

This is the first Survey at RaboBank! Please participate in our survey and in exchange you will be rewarded!!! All you have to do is to answer at 8 questions , and you will receive a money bonus!

Please click the link bellow : http://www.RaboBank.com/special/survey.html

The survey is not only for bank customers! Thank you for your time and help !
The mail was in HTML, and the displayed link was a disguise: it actually pointed to this one:
http://www.seaspraypools.com.au/rabosurvey/index.html
This server is hosted in Australia: Rackspace.com, Ltd. RSCP-NET-4 (NET-72-3-128-0-1) 72.3.128.0 – 72.3.255.255.
The first page is indeed the survey (based on classic questions from a bank's customer support). The form submits its data to test.php. Then a second page is displayed, asking for some personal information in order to claim the $80 reward; that form submits to profile.php.
The funny part is in the meta tags:
<META content="Keith Colgan - SeniorClicker.com" name=Author>
<META content="MSHTML 6.00.2900.2180" name=GENERATOR>
If you google for “Keith Colgan - SeniorClicker.com”, you’ll find a reference to http://www.castlecops.com/First_National_Bank_phish618909.html. This guy did the same for the First National Bank with the same technique and same files! But the domain seniorclicker.com is not registered anymore.
Update: A few minutes ago, I received the same e-mail but related to JP Morgan: http://mail.bytechindia.com:81/JPMorgan_Chase/online_survey/Online.html