Phishing, All-In-One

Eric Park
June 29th, 2009
Tags: Endpoint Protection (AntiVirus), Online Fraud, Security, Spam, Security Response

A typical phishing email message falsely claims to come from a single institution. For example, a spammer sends a phishing message, forging the email to appear as if it’s from a financial institution. The recipient is then asked to enter personal information for some fictional reason (for example, “verify your identity”). In an effort to obtain as much information as possible about the unsuspecting user, the spammer usually asks for more information than a legitimate website would. While a legitimate site may only ask for a username and password, a phishing site usually seeks additional information such as a credit card or PIN number, mother’s maiden name, and/or a social security number. Once the user hits the “submit” button, the private information is sent into the hands of criminals.

Symantec has recently observed a spam message that pretends to be from HM Revenue & Customs in the United Kingdom. The message is very similar to a tax refund phishing message that involved the Internal Revenue Service earlier this year. The difference, however, is that this message contained different links to target multiple financial institutions rather than being limited to one. As part of the false portal, users can click the logo of their bank, which then takes them to a phishing site.
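The multi-bank portal described above lends itself to a simple mail-filter heuristic: flag a message when several bank logos each link to a host outside that bank's own domains. The sketch below is an added example, not Symantec's detection logic; the brand names, the allow-list, the hosts and the threshold are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list (brand -> domains it really uses); all names are constructed placeholders.
BRAND_DOMAINS = {
    "alpha bank": {"alphabank.example"},
    "beta bank": {"betabank.example"},
    "gamma building society": {"gammabs.example"},
}

class LogoLinkParser(HTMLParser):
    """Collects (href, alt text) for every <img> nested inside an <a>."""
    def __init__(self):
        super().__init__()
        self.href = None
        self.logo_links = []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.href = attrs.get("href")
        elif tag == "img" and self.href:
            self.logo_links.append((self.href, (attrs.get("alt") or "").lower()))
    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None

def host_matches(host, domains):
    # Exact domain or a true subdomain; "brand.example.evil.test" does not match.
    return any(host == d or host.endswith("." + d) for d in domains)

def mismatched_brands(html):
    """Brands whose logo links to a host outside that brand's own domains."""
    parser = LogoLinkParser()
    parser.feed(html)
    hits = set()
    for href, alt in parser.logo_links:
        host = (urlsplit(href).hostname or "").lower()
        for brand, domains in BRAND_DOMAINS.items():
            if brand in alt and not host_matches(host, domains):
                hits.add(brand)
    return sorted(hits)

def is_multi_brand_portal(html, threshold=2):
    return len(mismatched_brands(html)) >= threshold

# Constructed sample body: two logos point off-brand, one points at its own site.
SAMPLE = """
<a href="http://alphabank.example.refund-portal.test/login"><img src="a.gif" alt="Alpha Bank"></a>
<a href="http://203.0.113.7/beta/"><img src="b.gif" alt="Beta Bank"></a>
<a href="https://www.gammabs.example/"><img src="c.gif" alt="Gamma Building Society"></a>"""
```

The check relies on the logo's `alt` text naming the brand; a message whose logos carry no `alt` text would need image matching instead.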

With this attack, the spammers chose to replicate the legitimate page as closely as possible, even if that meant gathering information that may be insufficient for a complete identity theft. For example, one link takes the user to a page that immediately prompts the user for personal information:

However, another link takes the user to a page where the user can only enter their Internet banking user ID:

Upon entering the prompted information, the user is asked for two more pieces of information:

Hitting the “continue” button simply redirects the user to the legitimate homepage of the targeted bank. Symantec has confirmed that both of these websites were designed to mimic the login process at the respective (and legitimate) banking websites. In the latter example, users are asked for a user ID, date of birth, and security number. These can provide a partial identity to the scammer, leading us to believe that the spammer may try to log in to the user accounts using the acquired credentials, or he or she may be harvesting the login credentials for some other future use.

* Note: Many thanks to my colleague, Danyang Wang, who was a key contributor to this blog.
