Email Security.cloud

Beware of a New Type of Phishing Attack 

May 17, 2010 10:40 AM

Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services

Cybercriminals frequently send phishing attacks disguised as emails that claim to be from an organisation, especially financial organisations, asking for personal details, especially passwords.  Once gathered, this information enables the attackers to access the victim’s account, and very often help themselves to their money.

In 2009, Symantec Hosted Services blocked phishing attacks impersonating or relating to 1079 different organisations. Generally, a relatively small number of organisations are impersonated.   In 2009, just eight impersonated organisations made up 50 percent of blocked phishing attacks and 83 impersonated organisations made up 95 percent of blocked phishing attacks. The impersonated organizations were largely banks.  

While most banks are impersonated in phishing attacks at some time, any organisation that offers an online service that requires a login to access valuable data is at risk of being impersonated in a phishing attack. Apart from banks, MessageLabs Intelligence blocks phishing attacks impersonating well known auction sites, social networking sites, online gaming sites, share trading sites, email/server administration, shopping sites, tax/inland revenue sites and charity sites to name a few.

Normally, phishing attacks that impersonate banks deliver messages along the lines of ‘Update your account’, ‘Your Password has been Deactivated’, ‘Your account will be Suspended’...  all of these messages are intended to throw the recipient into a panic that there is something wrong that needs to be fixed.  The victim clicks on the ‘Log In’ button or link in the email and is taken to a fake login page where they are instructed to fill in their personal details and password.

Compared to spam, phishing is a rare occurrence. In March 2010 phishing attacks comprised approximately 1 in 500, or 0.2%, of all email.  But this small proportion translates into massive circulation volumes: an estimated 300-600 million phishing emails are sent every day to unfortunate recipients all over the globe.

Phishing attacks warn of...  phishing attacks

I spotted a phishing attack this week that is different from the normal style of phishing attacks described above, although it’s not the first time I’ve seen this approach.

In this phishing attack, claiming to be from a large and well known bank, the subject reads: ‘Your Internet Banking logon information is valuable to fraudsters’.  Indeed!  It then goes on to say: ‘...and they're always looking for new ways to get hold of it’.  Erm, yes!

The attackers then nonchalantly go on to say: ‘Access to your online services has been limited due to miss-match of Some information on your online access details.  Click the Log on button to secure your membership details’...  an audacious attempt to phish the recipient’s details after first warning them about the dangers of phishing.

This variant has been blocked in large volumes by Symantec Hosted Services.  It started on 30/03/2010 at about 1300 GMT.   Since then we have blocked more than 40,000 emails targeted at thousands of our clients all over the world.  In a recent seven-day period, MessageLabs Intelligence blocked 9,800 emails.  In that same period we blocked 324,000 attacks impersonating the same well-known bank.   So this example is just one phishing attack in a ‘blizzard’ of attacks relating to this particular bank.  In total for that seven-day period we blocked 1.4 million phishing attacks.  

So what happens if the recipient follows the ‘Log On’ link?  What follows is very typical for a phishing attack.
‘IBLogin.html’

The victim is taken to a complete mock-up of the real bank’s internet banking site.   This page was located at http://lemont.com.ua/<bankname>bank/IBlogin.html (I replaced the bank’s name with <bankname>).  This has nothing to do with this particular bank’s official website.   lemont.com.ua is a legitimate domain.  The attackers have hacked the site to add a subdirectory '<bankname>bank', and in that directory they have placed several files.

IBLogin is the fake login page shown above.   On entering their banking user ID, the victim is taken to a second fake page:
‘verify-v1.php’

Here they are asked to enter their date of birth and security number.  On clicking ‘Continue’, the victim is taken briefly to a page ‘verify-v2.php’, before being redirected away from lemont.com.ua to the bank’s official site.  At this stage the attacker has harvested the victim’s login details, and the victim may believe that for some reason the login didn’t work, and attempt to log in again using the official site. This will of course work, and the victim goes away perhaps satisfied that they have ‘secured their membership details’.  A very short time later the attacker will help themselves to the victim’s account, possibly even increasing the victim’s overdraft facility before transferring funds.

How did the attackers hack lemont.com.ua?  Many legitimate sites are hacked every day, and fake phish login pages placed upon them.  In this case lemont.com.ua was the victim of a hacking attack from an individual or gang calling themselves ‘GHoST61’.  GHoST61 have been doing this to legitimate sites for several years.  It’s believed that they routinely trawl the internet and probe websites looking for those with weak (FTP) passwords or weak file permissions.  They then access the site, upload new files, create new directories, and often replace the front page of the site with the image below.  In the short period between the site being hacked and the owners realising and making amends, the site can be used for other nefarious operations: not only phishing/fake logins, but also hosting malware or redirecting to malware.  GHoST61 may do this, or (more likely) they may simply sell the access to some other attacker online.

The text on the defacement image,

“Birbirine sürtecek 2 Liram yok cebimde hayatla inatlastim hayalimin pesinde.”

is Turkish and translates as:

“I do not have to scrape together 2 Lira inatlas with the life I have in my pocket after my dream.”

Search for ‘Hacked By GhoST61’ and you’ll find lots of cases where unfortunate legitimate site owners have been hacked by GHoST61.  One example is a little blog here: http://www.kisaso.com/technology/hacked-by-ghost61-my-blog-got-hacked/

419 scams warn of...  419 scams

And it’s not just phishing attacks where we see warnings about frauds and scams.  Recently I saw a nice example of a 419-style scam which actually informs the recipient that they have been the victim of a 419 scam!
The scam was sent from yahoo.com, but claims to be from the FBI.  The email reads ‘The Federal  Bureau of Investigation (FBI), Has discovered through our intelligence Monitoring Network, that you have an on going transaction with individual talking about transfer of huge amount that dose not have an end and opening box full of fake Dollars’.  This sentence displays the usual level of poor spelling and grammar that we are so used to reading from 419 scammers.  They go on to explain that the UK government has invested large sums of money to make sure that ‘scammers are brought before the law’.  They then request that the recipient provides details of all communications with the scammers, in order to recover lost funds.  Note the reply email address ‘fib.sacurity’.  Don’t you mean fbi.security?  How the recipient is supposed to know what communications the email is referring to, I have no idea, but I would imagine on replying to the mail, the scammers would start a dialogue with the victim, which would eventually lead to them losing their personal details, and very possibly large sums of money.  It’s likely the scammers would ask for some kind of ‘administration fee’ in order to continue investigations.

Scammers use a great variety of techniques or ‘hooks’ to lure unsuspecting recipients into responding in some way e.g. clicking a link, replying, etc.  A common technique is to try to excite or scare the recipient into performing an action, but actually, using language along the lines of warning the recipient that the email ‘may be a scam’, is quite a clever approach.  The recipient, if they are not on their guard, may be put at ease by this, and be more likely to fall for the scam.  Fortunately, Symantec Hosted Services excel at blocking phishing attacks and scams like the ones shown above, so our clients do not have to make that (sometimes tricky) judgement call.