
Bank phishing malware bypasses DNS to trick the web browser

30 May 2012

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

Bank phishing is a world-wide problem, but nowhere is it more widespread or sophisticated than in Latin America. Consumers throughout the region are constantly bombarded with web links and spam attachments that present convincing pages designed to steal usernames, passwords and other authentication tokens.

Barracuda Labs recently caught a particularly serious example of this sort of attack. Known as Win32.Ngrbot.llr, this malware intercepts the victim's traffic to certain banks and sends it to a completely different web server run by phishers. How it hides, and what it does, is especially interesting.

The attack starts with spam. In this case the message claims to come from the popular Movistar messaging service and tells you that you have received a multimedia message (MMS) through its website. The "View Multimedia Message" button (Ver Mensaje Multimedia) actually links to a malicious domain.

[Figure: phishing email]

Clicking that button downloads a copy of Win32.Ngrbot.llr from a file-hosting service. Windows does ask whether you are sure you want to run the file.

[Figure: Windows run-verification dialog]

Running the file appears to have no effect: no multimedia message is displayed and the browser is not sent to a decoy website. You are left to suppose that the message is broken somehow. It is not. The malware is busy in the background.

The first thing the malware does is retrieve a text file from a domain that was probably compromised.

[Figure: phishing configuration file]

This file is laid out much like a Windows HOSTS file, and the purpose of its contents is easy to see: each line pairs a bank domain on the left with an IP address on the right. The file instructs the malware to redirect all traffic for the listed bank domains to the IP next to each one, regardless of what DNS would have returned. Because the override is applied on the victim's machine, pointing the computer at a trusted DNS resolver offers no protection against it.

That is exactly what happened in our tests. This graphic shows the correct IP address of bancofalabella.cl, 200.10.167.121.

[Figure: Banco Falabella IP address]

But when the malware is running and a web browser visits bancofalabella.cl, the browser retrieves the page from 74.117.58.3, the same IP listed next to that domain in the malware's configuration file.

[Figure: packet capture with the malware running]
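The redirection above lives on the victim's machine, so the natural check on a suspect host is to inspect the mapping file itself. The Python script below is an added example, not code from the Barracuda post or from the malware: it parses a HOSTS-style list in either column order (the malware's domain-then-IP layout or the standard IP-then-hostname layout), reports every name pointed at a routable address, and compares entries against a table of known-good addresses. The sample text is constructed for this example; the only real values in it are the two bancofalabella.cl addresses the article reports.

```python
"""Flag suspicious host-to-IP overrides in a HOSTS-style file.

Added example, not code from the post or from Win32.Ngrbot.llr. It handles
both the malware's "domain IP" layout and the normal "IP hostname" layout by
recognising whichever token parses as an IP address.
"""
import ipaddress

# Constructed sample. The first two lines mimic the malware's config layout
# (domain, then IP); the rest mimic a normal Windows HOSTS file. The two
# bancofalabella.cl addresses are the ones reported in the article.
SAMPLE_HOSTS = """\
# constructed sample, not the real file
bancofalabella.cl        74.117.58.3
www.bancofalabella.cl    74.117.58.3
127.0.0.1       localhost
0.0.0.0         ads.example
::1             localhost
"""

# Known-good address for the bank, taken from the article's own lookup.
KNOWN_GOOD = {"bancofalabella.cl": "200.10.167.121"}


def _is_benign_target(ip):
    """Loopback and the 0.0.0.0 'blackhole' used by ad-blocking lists are normal."""
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Return (hostname, ip) pairs, accepting either column order."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, names = None, []
        for tok in line.split():
            try:
                ip = ipaddress.ip_address(tok)
            except ValueError:
                names.append(tok.lower().rstrip("."))
        if ip is None or not names:
            continue                          # not a mapping line
        pairs.extend((name, ip) for name in names)
    return pairs


def find_redirects(text, watchlist=None):
    """Return (name, ip) for every name mapped to a routable address.

    With no watchlist every non-benign mapping is reported, which is the
    check to run on a workstation whose HOSTS file should only hold loopback
    entries. With a watchlist (a set of domains) only those domains and their
    subdomains are reported.
    """
    hits = []
    for name, ip in parse_hosts(text):
        if _is_benign_target(ip):
            continue
        if watchlist is not None and not any(
            name == w or name.endswith("." + w) for w in watchlist
        ):
            continue
        hits.append((name, str(ip)))
    return hits


def check_expected(text, expected):
    """Return (name, found_ip, expected_ip) for each entry that disagrees
    with the known-good table; 'www.' is stripped before the lookup."""
    mismatches = []
    for name, ip in parse_hosts(text):
        base = name[4:] if name.startswith("www.") else name
        if base in expected and str(ip) != expected[base]:
            mismatches.append((name, str(ip), expected[base]))
    return mismatches


if __name__ == "__main__":
    for name, ip in find_redirects(SAMPLE_HOSTS):
        print(f"redirect: {name} -> {ip}")
    for name, found, want in check_expected(SAMPLE_HOSTS, KNOWN_GOOD):
        print(f"mismatch: {name} maps to {found}, expected {want}")
```

Pointed at the real file (C:\Windows\System32\drivers\etc\hosts or /etc/hosts), the watchlist-free call is the useful one: anything routable in that file on an ordinary workstation deserves a look. The post does not show how Ngrbot applies the downloaded list on the infected machine, so this is a check on the file format the article describes, not a cleanup tool, and a redirection done by hooking the resolver rather than editing a file would not show up in it.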

A web server at 74.117.58.3 serves a copy of the Banco Falabella website that is very convincing. Seen side by side, nothing reveals the malicious website as an imposter.

[Figure: legitimate Banco Falabella website]

[Figure: imposter Banco Falabella website]

What is more serious is that, because the browser itself has been misdirected, the URL shown in the address bar is the bank's legitimate address even while the malicious website is displayed. Checking the address bar, the advice usually given against phishing, does not help here.

[Figure: URL comparison]

Even though the main page of bancofalabella.cl has fields for entering login information, that page is not served over HTTPS. A user therefore has no way to tell whether their credentials will actually be transmitted to the bank over HTTPS. Most large banks serve their login pages over HTTPS, and failing to do so makes the bancofalabella.cl website easier to spoof: an HTTPS page would require the imposter server to present a valid certificate for the bank's domain, which it cannot do, so the browser would warn before showing the page.

Indeed, our subsequent tests showed that the fake website could not serve HTTPS pages at all. The legitimate Banco Falabella website, for its part, rejected a fabricated login and password.
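The concern above is where the credentials typed into an HTTP-served page actually go. The Python below is an added example, not code from the post: given a page URL and its HTML, it lists every form that carries a password field and reports whether the form's action resolves to HTTPS and to the same host as the page. The HTML is constructed and uses reserved example hostnames rather than the bank's or the attacker's pages.

```python
"""Audit the login forms on an HTML page for where credentials are sent.

Added example, not from the Barracuda post. It is the check a site owner or
tester would run on the legitimate page to see whether an HTTP-served login
form at least posts to HTTPS on the bank's own host.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page, served over plain HTTP like the page the article
# describes. bank.example and login.example.net are reserved example names.
PAGE_URL = "http://bank.example/"
SAMPLE_HTML = """
<form action="https://bank.example/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search"><input name="q"></form>
<form action="http://login.example.net/collect" method="post">
  <input name="rut"><input type="password" name="clave">
</form>
"""


class LoginFormCollector(HTMLParser):
    """Collect {'action', 'password'} for each <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form that has a password field.

    Each finding records the absolute action URL, whether it is HTTPS, and
    whether it targets the same host the page itself came from. An empty
    action means the form posts back to the page URL.
    """
    parser = LoginFormCollector()
    parser.feed(html)
    parser.close()
    page_host = urlsplit(page_url).hostname
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        target = urlsplit(urljoin(page_url, form["action"] or page_url))
        findings.append({
            "action": target.geturl(),
            "https": target.scheme == "https",
            "same_host": target.hostname == page_host,
        })
    return findings


if __name__ == "__main__":
    for f in audit_login_forms(PAGE_URL, SAMPLE_HTML):
        status = "ok" if f["https"] and f["same_host"] else "WEAK"
        print(f"{status}: password form posts to {f['action']}")
```

The point of the audit is also its limit: the result is only meaningful for the legitimate page, since a spoofed copy can set the action to anything it likes. For the user at the keyboard the only visible assurance is a page that itself loaded over HTTPS with a valid certificate for the bank's domain, which is exactly what the imposter at 74.117.58.3 could not provide.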

[Figure: rejected login]

The spoofed website accepts any login and password offered because it has no way to check them; instead it stores them for use in bank fraud and identity theft. The only hint that something is wrong is that, after accepting the false credentials, it displays a broken web page. Unfortunately, by the time someone on an infected computer sees that broken page it is too late: their credentials have already been captured by the malicious server.

[Figure: broken page on the spoofed website]

In earlier tests, this web page also asked for a Digipass code. Digipass is a secondary authentication token often used by Latin American banks. Surrendering that code as well would give the phishers everything they need to empty a bank account.

Malware such as this reinforces the need for care on the internet. Do not click on links in unexpected emails. Never, EVER, run a program that unexpectedly asks for permission to run. Use a reputable desktop antivirus program that offers behavioural detection, and keep it up to date.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service block the traffic from this threat.
