Posted on behalf of Dan Bleaken, Malware Data Analyst
Financial organisations undergo frequent changes from their customers' point of view, whether a change to security processes, a takeover, a re-branding or a new product. Phishing emails often carry generic lures such as 'Account Suspended' or 'Update your account details', but when a change like this takes place the perpetrators are quick to react and build the lure around it, trying to convince unfortunate victims to part with their login details. Attackers know that if the message refers to something customers are already familiar with, perhaps from genuine communications with the imitated organisation, the target is a little more likely to fall into the trap and hand over their personal details. For example, last year, with the credit crisis in full swing and banks closing, re-branding and being taken over, MessageLabs Intelligence intercepted many phishing attacks that referred specifically to those events.
During the last few days MessageLabs Intelligence intercepted an interesting phishing attack that aimed to take advantage of one bank's customers by referring to an extra level of security the bank had just added. The attack started at about 11:25 GMT on Friday 04/11/2009. Recently (around 25 November 2009) the target bank introduced a One Time Passcode (OTP), used when a customer adds a new standing order or tries to transfer money to another account: when the request is submitted, the customer receives a code by SMS and enters it on the website to complete the set-up. That is a welcome added layer of security and confidence for customers, but it is striking how quickly the perpetrators of phishing attacks try to cash in on any uncertainty while such a change is being rolled out. In this case a little over a week elapsed between the bank introducing the measure and its being referred to in phishing emails.
The phishing emails look like this:
When the email is opened, its images are pulled directly from the bank's official site, which makes it look authentic. Clicking 'Confirm' (note the link above: it is www.[removed].net.au, not the bank's legitimate domain) takes the user to a fake login page that looks identical to the official banking login page:
Via this fake login page the attackers harvest the victim's login credentials. Hotlinking images from the genuine site also gives the bank a detection opportunity: requests for its logo and banner images that arrive with an unfamiliar Referer, or none at all, point at emails and sites that are borrowing its assets.
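The two tells described above, brand images hotlinked from the bank's real domain and an action link whose host is not the bank's, can be checked mechanically before a message reaches a user. The script below is an added example for this post, not MessageLabs code or the bank's; the bank domain, the lookalike host and both email bodies are constructed for illustration, and the check is a simple heuristic of the kind the post refers to, not the actual MessageLabs detection logic.

```python
"""Heuristic check for a phishing pattern: images hotlinked from the imitated
bank's real domain while the call-to-action link points somewhere else.

Added example; all domains and email bodies are constructed, not taken from
the original post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed bank domain (constructed for this example).
BANK_DOMAIN = "examplebank.example"

# Constructed HTML body mimicking the email described above: the logo is
# hotlinked from the bank's own site, the "Confirm" link goes elsewhere.
SAMPLE_PHISH = """<html><body>
<img src="https://www.examplebank.example/images/logo.gif" alt="logo">
<p>We have introduced a One Time Passcode for your protection.
Please confirm your Online Banking details to keep using the service.</p>
<p><a href="http://www.example.net.au/ebanking/logon.php">Confirm</a></p>
<p>Visit <a href="https://www.examplebank.example/security">our security page</a>.</p>
</body></html>"""

# Constructed legitimate newsletter for comparison: every link stays on the bank's domain.
SAMPLE_LEGIT = """<html><body>
<img src="https://www.examplebank.example/images/logo.gif" alt="logo">
<p>Read about the new One Time Passcode on
<a href="https://www.examplebank.example/otp">our website</a>.</p>
</body></html>"""


class LinkImageCollector(HTMLParser):
    """Collect (href, visible text) pairs for <a> tags and src values for <img> tags."""

    def __init__(self):
        super().__init__()
        self.links = []    # list of (href, visible text)
        self.images = []   # list of img src values
        self._href = None  # href of the <a> currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def on_domain(url, domain):
    """True if the URL's host is the domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def analyse_email(html_body, bank_domain=BANK_DOMAIN):
    """Return the indicators found in an HTML email body."""
    p = LinkImageCollector()
    p.feed(html_body)
    hotlinked = [s for s in p.images if on_domain(s, bank_domain)]
    offsite = [(h, t) for h, t in p.links
               if urlparse(h).scheme in ("http", "https") and not on_domain(h, bank_domain)]
    # Visible text names the bank's domain but the link goes elsewhere.
    text_mismatch = [(h, t) for h, t in offsite if bank_domain in t.lower()]
    return {
        "hotlinked_images": hotlinked,
        "offsite_links": offsite,
        "text_mismatch": text_mismatch,
        "suspicious": bool(hotlinked and offsite) or bool(text_mismatch),
    }


if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = analyse_email(body)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for href, text in result["offsite_links"]:
            print("  off-site link:", repr(text), "->", urlparse(href).hostname)
```

The host comparison is a deliberate suffix match on the bank's registrable domain, so `secure.examplebank.example` passes and `examplebank.example.net.au` does not; a production filter would take the registrable domain from a public-suffix list and would also resolve redirectors and shortened URLs before comparing, since attackers routinely put those in front of the phishing site.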
Most financial organisations go to great lengths to educate their customers about the dangers of phishing. Quite rightly, the bank tells customers on its website:
“[Removed] will never send you an email asking to confirm security questions or update your information. [Removed] will NEVER send you an email asking you to enter your Online Banking details. Whenever you log on or enter your security details, it should always be after you have visited the logon page through [Removed].com. When you want to access [Removed] ebanking – always type www.[Removed].com into the address bar of your browser. Never click on links or pictures in emails, and avoid setting [Removed].com as a favourite in your browser.”
This is just one example of the huge variety of phishing attacks MessageLabs intercepts every day, imitating hundreds of financial, government and other high-profile organisations. These attacks were stopped instantly by forward-looking heuristics rather than reactive signatures.
More information about phishing techniques is available in this recent MessageLabs Intelligence whitepaper: http://www.messagelabs.co.uk/registered/download.get?filename=Whitepaper_Phishing_EMEA_UK_Oct2009.pdf