Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Sat Jan 22, 2005 10:40 pm Post subject: A Trend?
Over the last 2 months or so I have seen more and more of the "financial institution" phishing emails arriving with several things in common.
1) The visible portion of the email is not HTML but one large .gif image. The image itself is sent using 64bit encoding. Viewing the entire source of the email reveals that the image is mapped and is essentially a giant clickable link leading to the bogus website. The image portrays a legitimate URL for the financial institution in question and a right click and copy of the link location also yields the legitimate URL. Clicking anywhere on the image, however, takes one to a bogus site.
2) The bogus URLs all follow the same general pattern of http://xxx.xxx.xxx.xxx:87/(code)/(page)
where:
xxx.xxx.xxx.xxx is an IP address
87 is the port number being used (all so far are using 87)
(code) is a one or two letter code denoting the financial institution, and
(page) is the target page, which seems to vary between index.htm and login.htm
It strikes me that this makes for a very streamlined and flexible package.
_________________
MS MVP Security 2006-2008
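A defensive check for the pattern described in the post above, added here as an example and not part of the original thread: it scans the HTML parts of a raw message for `<a>` and image-map `<area>` links whose host is a bare IP address, and records a non-default port and the `/(code)/(page)` path shape. The names `scan_email`, `score_link`, `KIT_PATH` and the sample message are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Path shape from the post: /(one- or two-letter code)/(index.htm or login.htm)
KIT_PATH = re.compile(r"^/[A-Za-z]{1,2}/(index|login)\.htm$")

class LinkCollector(HTMLParser):  # collects (tag, href) from <a> and image-map <area>
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag in ("a", "area") and href:
            self.links.append((tag, href))

def score_link(tag, href):
    """Reasons a link fits the pattern; [] unless its host is an IP literal."""
    try:
        url = urlsplit(href)
        port = url.port
        ipaddress.ip_address(url.hostname or "")
    except ValueError:  # host is a name, or the URL/port is malformed
        return []
    checks = [("ip-literal-host", True),
              (f"port-{port}", port not in (None, 80, 443)),
              ("kit-style-path", bool(KIT_PATH.match(url.path))),
              ("image-map-link", tag == "area")]
    return [name for name, hit in checks if hit]

def scan_email(raw):
    """Return flagged links from every text/html part (lossy decode; URLs are ASCII)."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            findings += [{"href": h, "reasons": r} for t, h in collector.links
                         if (r := score_link(t, h))]
    return findings

# Constructed sample (not a real phish); 192.0.2.10 is a documentation address.
SAMPLE = """Content-Type: text/html; charset="us-ascii"

<img src="cid:notice" usemap="#m"><map name="m">
<area shape="rect" coords="0,0,600,400" href="http://192.0.2.10:87/cb/login.htm">
</map><a href="https://www.bank.example/help">Help</a>
"""
```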
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16536
Posted: Sun Jan 23, 2005 8:03 am
It makes me think that these are all originating from the same sleazebag.
Oldfrog
Special Response Team
 Joined: Jun 27, 2004 Posts: 8576 Location: Deep in the Heart of Texas
Posted: Sun Jan 23, 2005 2:17 pm
Quote: It makes me think that these are all originating from the same sleazebag
I was thinking more "sleazebags".
_________________
MS MVP Security 2006-2008
nfntjy
Special Response Team The Phishing Squad
 Joined: Feb 10, 2004 Posts: 2465 Location: Memphis, TN
Posted: Mon Jan 24, 2005 1:20 am
Just like I can go download phpbb and phpnuke packages for my website, there may be packages with easy-to-follow instructions on how to set up a site like this. I bet you could find them if you had kazaa or something on your computer. Scary.