Multiple man-in-the-middle attacks are currently underway against at least two Finnish banks: Nordea and Osuuspankki.
Both banks use one-time passwords and verification codes, so run-of-the-mill phishing yields little of value to an attacker other than the account number. But in this case, the phishing pages are connected to a server-side man-in-the-middle attack that attempts to complete a banking transaction.
Here’s an example of the fake Nordea site:
If the netbank customer enters their account ID and one-time passcode, they are asked to wait 2 minutes:
This gives the attack server time to configure a transfer and the customer is then asked for one of several confirmation codes:
And then, the customer is thanked for their time:
The process is initiated by an e-mail such as this:
Screenshot by Henry Hagnäs
The e-mail targets Osuuspankki customers and is asking them to confirm their accounts as part of an annual review.
The phishing part of the attack is the same as in the Nordea example. First the ID and passcode:
Then the request to wait two minutes:
And then the request for the confirmation code:
Nordea has posted a warning for its customers to be on the lookout for e-mails in poorly written Finnish.
Unfortunately, the e-mail bait is rather short (and not everyone reads carefully enough), and once the customer clicks on the link, all the Finnish has been copied from the bank’s own site. Better advice would be to never click on links from e-mails, but to go to the bank via a browser bookmark.
Our Browsing Protection toolbar blocks all currently known URLs being used, but the registered owner has at least 90 other domains so new variants could come online at any time.
Hopefully the man-in-the-middle server, hosted in France, will be shut down soon.
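Because the attack is relayed by a server, the bank's side sees sessions for many different customers arriving from that one server's address. The following is an added example, not part of the original post: a bank-side triage check that flags source IPs logging in to several distinct accounts within a short window. The log format, field names, sample events and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real bank logs): timestamp, source IP, account ID, event.
SAMPLE_LOG = """\
2024-01-10T09:00:05 198.51.100.7 acct-1001 login
2024-01-10T09:01:10 203.0.113.50 acct-2001 login
2024-01-10T09:02:20 198.51.100.7 acct-1001 transfer_confirm
2024-01-10T09:03:00 203.0.113.50 acct-2002 login
2024-01-10T09:03:15 203.0.113.50 acct-2001 transfer_confirm
2024-01-10T09:04:40 203.0.113.50 acct-2003 login
2024-01-10T09:05:05 203.0.113.50 acct-2002 transfer_confirm
2024-01-10T13:30:00 198.51.100.7 acct-1002 login
"""

def parse(log_text):
    """Yield (timestamp, ip, account, event) tuples from the line format above."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, ip, account, event = parts
        yield datetime.fromisoformat(ts), ip, account, event

def shared_origin_ips(log_text, window=timedelta(minutes=10), min_accounts=3):
    """Return {ip: accounts} for IPs that logged in to at least min_accounts
    distinct accounts inside one sliding window (both thresholds are assumptions)."""
    logins = defaultdict(list)
    for ts, ip, account, event in parse(log_text):
        if event == "login":
            logins[ip].append((ts, account))
    flagged = {}
    for ip, events in logins.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(ip, set()).update(accounts)
    return {ip: sorted(accts) for ip, accts in flagged.items()}

if __name__ == "__main__":
    for ip, accounts in shared_origin_ips(SAMPLE_LOG).items():
        print(f"{ip}: {len(accounts)} accounts in one window -> {accounts}")
```

Shared addresses such as corporate proxies and carrier NAT also produce many accounts per IP, so a hit is a signal for review rather than proof of a relay.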