53.com is a real bank

posted by John Roberts on October 31st, 2006 in PhishTank, Voting, Verifying phishes

Submission 19715 continues to await final judgment from the community. The phish URL is:

http://www.53.com/wps/portal/contenttype/secure/confirm_context.id

The screenshot shows Fifth Third Bank.

The technical details give the strongest evidence. Admittedly, the technical details tab did not exist when this was submitted on October 17, 2006.

Registrant:
Fifth Third Bank
38 Fountain Square Plaza
Cincinnati, OH 45263-0001
US

There are 250+ votes so far, with 60% saying “Is NOT a phish.”

Hint: This bank exists, and this site is real. If you have not voted, please vote Is NOT a phish.

The lesson is that number-only domain names do not inspire trust, but don’t dismiss them out of hand.

18 Responses

  1. Blain

    Odd question, but, if you know that it’s not phish, how about you just flag it as “not phish” and we all get on with our lives?

  2. someone1234

    Yeah, I remember when I first saw it, I thought it is a fake bank. I thought its logo resembles some other bank and they altered it to 53. Like you see 3 dollars or such.
    But then there were sites that faked the original, so it became clear, it is a real site.

  3. Dan Moran

    53.com is undoubtedly the domain of Fifth Third Bank, centered in Cincinnati, OH.

  4. Moike

    I’d like to give a not-so-gentle reminder (a whap upside the head) to the marketers at Bank of America. I was one of the MBNA customers transferred to BofA. I received an E-mail with the all too familiar phishing line “Important changes to your online service”. It had my real name and end of account number. It had the all too familiar link “Go to www.bankofamerica.com”, but the actual URL was cardsatisfaction.com - probably a redirect for marketing purposes. Why can’t they just create a subdomain credit.bankofamerica.com and point the IP to the marketing partner?

    I harp on my girlfriend not to click on anything in E-mails, but it turned out that she had clicked on this one. She was scared straight when I pointed this out and how a criminal could have sent the same message by getting her CC number from an internet database. Eventually the new BofA login took her to admin several accounts she hadn’t thought about in a while. This login could have been stolen by a man-in-the-middle if cardsatisfaction.com had been a bogus site.

  5. John Roberts

    Blain (and others):

    If a submission gets identified as a false positive (judged a phish when it’s not), then we’ll step in. False positives are much more damaging than false negatives because of how far and wide the judgment spreads via the API and data file.

    For ones that are undecided, I’d rather call attention to them as learning experiences for the entire community.

    For now, “we” = PhishTank admins, who are all OpenDNS employees. We’re getting more help from the community now… stay tuned for a post about that assistance.

    Moike, you’re right, and there are other examples, like shopnowcard.com which is a chase.com site (and is registered to them).

  6. Kevin

    Moike, I got that same email from Bank of America. I submitted it to their abuse address and got a reply back that the email was fraudulent. Of course, it wasn’t.

  7. Kevin

    Is there any way I can change my vote from “I don’t know” to “Not a Phish”?

  8. Ilgaz

    We can’t rely on Whois data since there are many non-serious domain registrars out there. An SSL certificate check could be better but based on comments on Slashdot, there are like $30 cost certificates out there.

    53 could be a nice idea in the past for practical domain entry by customers but in phishing age, it really looks like a fake site. Normally banks tell customers to STAY AWAY from IP number http hosts, it is confused with IP number by Internet novices.

  9. Ilgaz

    It could be Phishers reading the blog too :) , while 53.com is a legit site, this entry is completely phish. Don’t get confused!
    http://www.phishtank.com/phish_detail.php?phish_id=23329

  10. CampingAdFairhaven

    I accidentally voted “http://www.53.com/bla..” a phish this afternoon. Now I’m wondering how many false positive votes I can afford before I’m getting frozen, kicked, banned or otherwise punished by admin?

  11. John Roberts

    CampingAdFairhaven, it’s both an absolute number and a percentage of your total votes.

    One bad vote doesn’t ruin your reputation forever, assuming all else is normal.

  12. Sangamon Taylor

    While www.53.com is real, the link underneath the screenshot that the phishers are sending around is as follows:

    http://www.53.com.bankingportal.session.ldlestb.md/sbcbconfirm

    Site appears down, though…I wonder how many people they got with it while it lasted…

    S.T.

  13. Michael H

    I’m actually a Fifth Third customer and use their website. It’s only been within the past month or two that I’ve seen phishing emails for Fifth Third. As far as I know they are only a regional (Midwest US) bank. I didn’t think they had the high profile to warrant a phishing attempt. Now I know different.

  14. James S

    Although Fifth Third is a legitimate bank, many of the people are verifying that the requests from them are not phish. We have an account with that bank and they assured me that they would never send out unsolicited emails looking for information. They will send snail mail and maybe call but never email. They only respond to email requests sent to them and that is very limited. Therefore any email from them requesting information is phish.

  15. jane ellen

    I just received the following (and I am not a commercial/business customer of 53.com):

    I cannot copy the visible text, asking me to click on a link to confirm and start the confirmation for my account.

    It also states Fifty Third Protection Department apologizes for the inconveniences caused to you, and is very grateful for your cooperation.

    the link is:

    www.53.com/bankingportal/session/conf

    From: Fifth Third Bank
    To: Janetu *****not my name or email alias
    Sent: Wednesday, February 21, 2007 7:44 PM
    Subject: confirm your account details!

    (Ad like message re: confirming my account, apologizing, asking me to click on link, etc.)

    (When trying to copy ad, it wouldn’t copy, but suddenly, the following appeared as I pasted):

    “She got him into bed and he was asleep in three minutes. demit civil Or would have, before.

    The certainty was that Annie’s decision to testify in her own behalf at the preliminary hearing had been extremely unwise. “Now her face had begun to shimmer on the far side of the flames. But oh, Mr Rancho Grande! “We’ll manage, Ducky Daddles and I. Let me handle this! As soon as she was gone, he slid the flat can out of his underwear and under the mattress. “The capsules — pain — please, Annie, please, for God’s sake please help me the pain is so bad — “I know it is, but you must listen to me,” she said, looking at him with that stern yet maternal expression

  16. roy

    The email I received has the link of http://www.53.com/bankingportal/session/conf but when you click on it the actual link takes you to http://www.53.com.bankingportal.id5178664.hukowet.biz/conf and is a scam. It does not even look like 53.com’s site so I don’t know what the phish was trying to accomplish but I do NOT bank w/53 and am not a customer. My letter was SPAM!

  17. Bob

    The email I received has the link of http://www.53.com/wps1315p/confirm/cbupdate but when you click on it the actual link takes you to http://www.53.com.wps15440b.ksjhtrf.biz/confirm/cbupdate/ and is a scam. It does not even look like 53.com’s site so I don’t know what the phish was trying to accomplish but I do NOT bank w/53 and am not a customer. My letter was SPAM!

  18. T. Anderson

    This is the email I received and I’m DEFINITELY NOT a customer nor have I EVER been a customer. This is definitely SPAM, PHISHING or both!

    Dear Fifth Third bank business/commercial customer,

    Fifth Third Protection Department requests you to start the client details confirmation procedure. By clicking on the link at the bottom of this letter you will get all necessary instructions how to start and to complete the confirmation procedure. The following steps are to be taken by all business and commercial customers of the Fifth Third bank.

    Fifth Third Protection Department apologizes for the inconveniences caused to you, and is very grateful for your cooperation.

    To start the confirmation procedure, click the following link:

    http://businessbanking.53.com/session0373839078/clientbase/form.asp

    Copyright © 2007 Fifth Third Bank, Member FDIC, Equal Housing Lender, All Rights Reserved
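
A check for the pattern commenters 12, 16 and 17 describe, as an added example that is not part of the original post or of PhishTank's own code: it compares each link's visible text with its real target and flags hosts that merely begin with 53.com. The function names and the constructed `SAMPLE` e-mail body are assumptions; the URLs are the ones quoted on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "53.com"  # the domain the post confirms is Fifth Third Bank's

def host_of(url):
    """Lowercased hostname; tolerates link text written without a scheme."""
    url = url if "://" in url else "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def under(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def findings(shown, href, trusted=TRUSTED):
    """Flags for one link: what the reader sees versus where it goes."""
    real, flags = host_of(href), []
    if under(real, trusted):
        return flags
    # Trusted name used as leading labels of another registrant's domain.
    if "." + trusted + "." in "." + real:
        flags.append("lookalike-host")
    if under(host_of(shown), trusted):
        flags.append("text-href-mismatch")
    return flags

class LinkAudit(HTMLParser):
    """Collects [href, visible text] for each <a> in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    return [(t.strip(), h, findings(t.strip(), h)) for h, t in parser.links]

# Constructed e-mail body; both URLs are the ones quoted in comment 16.
SAMPLE = ('<a href="http://www.53.com.bankingportal.id5178664.hukowet.biz/conf">'
          "http://www.53.com/bankingportal/session/conf</a>")
```

The suffix test in `under` is what separates a real subdomain such as businessbanking.53.com from a host that only starts with the bank's name; the visible link text is never evidence of where a link goes.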
