Fifth Third Bank Phishing Email

12/01/06

04:11:15 am, by dave
Categories: Security, Phishing


I received an email today supposedly from Fifth Third Bank addressed to an account I use for notification of issues on the web site. The email was about "my account" with this bank, and since I know I don't do business with this bank and that I would never use this address to set up an online banking account or as a primary notification account, I knew something was "Phishy".

The text of the email is contained in an image file, a GIF. Here is the textual content of that image (I modified the links so they would not work from here).

Dear Fifth Third bank business or commercial customer,

Customer Service Department of the Fifth Third bank is in a position to let you know that it is necessary to pass the procedure of acknowledgement of your client data. In order to pick up all the necessary instructions and to start the procedure, you should click the the link at the end of the letter. This procedure is obligatory for performance for all business and commercial clients of the Fifth Third bank.
This instruction has been sent to all the business and commercial clients of Fifth Third bank and is obligatory to be followed up.
To start the procedure of acknowledgement of your personal client data please use this link:

www .53.com/businessandcorporate/isapidll/cutomerdata

We appreciate your cooperation with us and apologize for the inconvenience brought.

This message is then repeated again at the very bottom of the email.

Here is a picture of the actual message.
[Image: Phishing Test Image]


The first section of text (the first image) is a link to another web address, so if you click anywhere on the "text" you will be taken to:

www .53.com.businessandcorporate.dsodsfdfer.biz/customerdata

Looking up the name records for this site shows that it is hosted on 203.123.210.27.

KRNIC is not an ISP but a National Internet Registry similar to APNIC.
The followings is organization information that is using the IPv4 address.

IPv4 Address : 203.123.210.0-203.123.210.255
Network Name : SAEROMNET
Connect ISP Name : SAEROMNET
Connect Date : 20050401
Registration Date : 20050926
Publishes : Y

[ Organization Information ]
Organization ID : ORG102008
Org Name : TBROAD Saerom Broadcasting
Address : Seongnam-dong, Seo-gu
Detail address : 518-16
Zip Code : 404-220

[ Technical Contact Information ]
Name : HongKyu Seo
Org Name : TBROAD Saerom Broadcasting
Address : Seongnam-dong, Seo-gu
Detail address : 518-16
Zip Code : 404-220
Phone : +82-32-580-7092
E-Mail : dreamnetsgo6@empal.com

Checking the root of this site, it displays a default welcome page.

Welcome to the home of r11.com

For some interesting information, search the web for r11.com.

If you go to the actual link location, the site appears to be a copy of an actual Fifth Third web page. All the links on the page appear to point to real Fifth Third web pages. The only real tip-off is that the URI in the address bar is incorrect.

Digging through the email headers, everything appears legit on the surface. Here is a portion of the headers (I changed my address and my SMTP host for this post):

Return-path: <support-ref27411@53.com>
Envelope-to: [email address]@davemoats.com
Delivery-date: Fri, 01 Dec 2006 03:08:23 -0700
Received: from [59.5.50.53] (helo=[59.5.50.53])
by [email server] with esmtp (Exim 4.52)
id 1Gq5Je-0000Cx-2F
for [email address]@davemoats.com; Fri, 01 Dec 2006 03:08:23 -0700
Received: from kim (kim [59.5.50.53])
by kim (8.12.8p1/8.12.8) with ESMTP id iF10052750A4E4
for <[email address]@davemoats.com>; Sat, 2 Dec 2006 04:08:03 +0900
(envelope-from support-ref27411@53.com)
Date: Sat, 2 Dec 2006 04:08:03 +0900
From: Fifth Third Bank'06 <support-ref27411@53.com>
Reply-To: "<support-ref27411@53.com>" <support-ref27411@53.com>

Since everything looked OK, I checked the source IP address, 59.5.50.53.

KRNIC is not an ISP but a National Internet Registry similar to APNIC.
The followings is organization information that is using the IPv4 address.

IPv4 Address : 59.5.50.0-59.5.50.255
Network Name : KORNET-INFRA000001
Connect ISP Name : KORNET
Registration Date : 20060816
Publishes : N

[ Organization Information ]
Organization ID : ORG1600
Org Name : Korea Telecom
Address : Jungja-dong, Bundang-gu, Sungnam-ci
Zip Code : 463-711

[ Technical Contact Information ]
Org Name : Korea Telecom
Address : Jungja-dong, Bundang-gu, Sungnam-ci
Zip Code : 463-711
E-Mail : ip@krnic.kornet.net

So the source IP address of this "Fifth Third bank" message is in Korea, and the web page is hosted on an IP range owned by a Korean company as well. The companies that own these IP ranges are most likely not involved, since they appear to be hosting companies.
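The checks walked through by hand above (the originating IP in the Received chain, the relay that announced itself as a bare IP literal, and a link whose registrable domain is not 53.com even though "53.com" appears in the hostname) can be scripted. This is an added example, not code from the original post; the relay and recipient the post redacts are replaced with example.invalid placeholders.

```python
import re
from urllib.parse import urlsplit

# Sample input constructed from the headers quoted in the post; the recipient and
# relay the post redacts are replaced with placeholder example.invalid names.
HEADERS = """\
Return-path: <support-ref27411@53.com>
Received: from [59.5.50.53] (helo=[59.5.50.53])
    by mail.example.invalid with esmtp (Exim 4.52) id 1Gq5Je-0000Cx-2F
    for victim@example.invalid; Fri, 01 Dec 2006 03:08:23 -0700
Received: from kim (kim [59.5.50.53])
    by kim (8.12.8p1/8.12.8) with ESMTP id iF10052750A4E4
    for <victim@example.invalid>; Sat, 2 Dec 2006 04:08:03 +0900
From: Fifth Third Bank'06 <support-ref27411@53.com>
"""
LINK = "http://www.53.com.businessandcorporate.dsodsfdfer.biz/customerdata"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def unfold(raw):
    """Join RFC 5322 continuation lines so each header field is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()

def registrable_domain(url):
    """Last two host labels: the part the registrant controls (use a public suffix list in production)."""
    return ".".join((urlsplit(url).hostname or "").lower().split(".")[-2:])

def received_hops(raw):
    """Received fields oldest-first: the 'from' clause, the 'by' host and any IP named in 'from'."""
    hops = []
    for field in unfold(raw):
        m = re.match(r"Received:\s+from\s+(.+?)\s+by\s+(\S+)", field, re.I)
        if m:
            ip = re.search(IPV4, m.group(1))
            hops.append({"from": m.group(1), "by": m.group(2), "ip": ip.group(0) if ip else None})
    return hops[::-1]

def triage(raw, link):
    """Signals a reviewer checks: who really relayed the mail and where the link really goes."""
    hops = received_hops(raw)
    rp = re.search(r"^Return-path:\s*<[^@>]+@([^>]+)>", "\n".join(unfold(raw)), re.M | re.I)
    claimed = rp.group(1).lower() if rp else ""
    host = (urlsplit(link).hostname or "").lower()
    return {
        "claimed_domain": claimed,
        "origin_ip": next((h["ip"] for h in hops if h["ip"]), None),
        # A hop that announced itself as a bare IP literal is not a bank's mail gateway.
        "helo_ip_literal": any(re.search(r"helo=\[" + IPV4 + r"\]", h["from"]) for h in hops),
        "relay_in_claimed_domain": any(h["by"].lower() == claimed or h["by"].lower().endswith("." + claimed) for h in hops),
        "link_domain": registrable_domain(link),
        # Brand domain embedded as a subdomain label sequence under a different registrable domain.
        "link_impersonates_claimed_domain": registrable_domain(link) != claimed and "." + claimed + "." in "." + host + ".",
    }
```

Run `triage(HEADERS, LINK)` to get the same picture the post reaches: origin 59.5.50.53, no relay inside 53.com, and a link that really belongs to dsodsfdfer.biz.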

In any case, if you see an email like this, DELETE IT.
