Here’s how phishing methods are evolving based on our recent investigations.
This message claims to be from Blizzard Entertainment.
It attempts to phish the recipient by promising access to a game that’s currently under development.
The language and grammar usage is good but not perfect.
Somewhat oddly — the e-mail address that’s spoofed is email@example.com.
E-mail + Server Phishing
This message claims to be from Nordea Bank of Finland.
The language and grammar usage is terrible (it looks straight out of Google Translate).
The e-mail linked to an Apache server that hosted this login page:
(We sent an abuse report and the site was quickly shutdown.)
The fake netbank page asks for the customer’s User ID and Code (a one-time password from a printed list).
This is the next page:
It asks for all of the customer’s current set of Authorization Codes (one of several codes on a list that are randomly requested in order to complete a transaction).
All input is appended to a text file. In this example, the phisher has a limited window of opportunity to access the customer’s account. If the customer attempts to access their real netbank account, they’ll be prompted for the one-time password — making the phisher’s information useless.
E-mail + Server + MitM Service
Here’s a more advanced example that recently targeted two Finnish banks.
Screenshot by Henry Hagn?s
The Finnish used by this message is not quite right, but it’s generally better than most Finns actually use in e-mail.
In any case, the language and grammar usage is quite a bit better than the other phishing campaign.
The phishing server is more advanced as well. Once the customer enters their User ID and one-time password code, the server then attempts a real-time transaction (to take advantage of the limited window of opportunity).
This Man-in-the-Middle service asks the customer to wait for two minutes:
And then the customer is asked for a particular confirmation code to complete the transaction:
This e-mail + server + MitM service is more subtle and significantly more dangerous than our second example.
Our investigation discovered a similar domain registered for Spain’s TLD (.es). We suspect numerous European banks are (or will be) targeted by Man-in-the-Middle phishing.
Leave a reply