NEWS FROM THE LAB - Friday, September 30, 2011

Trends: From Phishing to "Man-in-the-Middle" Phishing Posted by Sean @ 15:15 GMT

Here's how phishing methods are evolving based on our recent investigations.

E-mail Phishing

This message claims to be from Blizzard Entertainment.

Blizzard phishing

It attempts to phish the recipient by promising access to a game that's currently under development.

The language and grammar usage is good but not perfect.

Somewhat oddly — the e-mail address that's spoofed is noreply@blizzard.com.


E-mail + Server Phishing

This message claims to be from Nordea Bank of Finland.

Nordea phishing

The language and grammar usage is terrible (it looks straight out of Google Translate).

The e-mail linked to an Apache server that hosted this login page:

Nordea phishing
(We sent an abuse report and the site was quickly shut down.)

The fake netbank page asks for the customer's User ID and Code (a one-time password from a printed list).

This is the next page:

Nordea phishing

It asks for the customer's entire current list of Authorization Codes (the bank normally requests just one code, picked at random from the numbered list, to confirm a transaction).

All input is appended to a text file. In this scheme the phisher has only a limited window of opportunity to access the customer's account: the next time the customer logs in to their real netbank, they'll be prompted for that same one-time password and will use it themselves, which consumes it and makes the phisher's copy useless.


E-mail + Server + MitM Service

Here's a more advanced example that recently targeted two Finnish banks.

Osuuspankki phishing
Screenshot by Henry Hagnäs

The Finnish used by this message is not quite right, but it's generally better than the Finnish most Finns actually use in e-mail.

In any case, the language and grammar usage is quite a bit better than in the Nordea campaign above.

The phishing server is more advanced as well. As soon as the customer enters their User ID and one-time password, the server uses them to log in to the real bank and starts a transaction in real time (to take advantage of the limited window of opportunity).

This Man-in-the-Middle service asks the customer to wait for two minutes:

Osuuspankki, man-in-the-middle

And then the customer is asked for the particular confirmation code that the real bank has requested for the phisher's transaction:

Osuuspankki, man-in-the-middle

This e-mail + server + MitM service is more subtle and significantly more dangerous than our second example.
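To make the difference between the two schemes concrete, here is a small simulation of both the Nordea-style "harvest everything into a text file" attack and the real-time man-in-the-middle relay. It is an added example written for this post, not F-Secure's code or anything recovered from the phishing servers; the bank model, the user ID and the printed code lists are constructed, and a real bank's lists are longer and random.

```python
"""Simulation of the two code-list phishing schemes above (added example,
not F-Secure's code). The bank, lists and amounts are constructed."""
import random
import secrets

# Constructed printed lists; a real bank's lists are longer and random.
OTP_LIST = ["4821", "9034", "1177", "6650"]            # login one-time passwords, used in order
AUTH_CODES = ["7301", "2285", "5519", "8842", "3067"]  # numbered authorization codes
USER_ID = "123456"


class NetBank:
    """Toy netbank. Login needs the user ID and the next unused code from the
    printed OTP list; a transfer is confirmed with one authorization code that
    the bank picks at random from the numbered list."""

    def __init__(self, seed=0):
        self.next_otp = 0                # index of the next unused login code
        self.rng = random.Random(seed)   # seeded so runs are repeatable
        self.sessions = set()
        self.pending = {}                # session -> (amount, auth code index)
        self.balance = 1000

    def login_prompt(self):
        """The real login page tells the customer which code number it wants."""
        return self.next_otp + 1

    def login(self, user_id, otp):
        """Returns a session token or None. A correct code is consumed whether
        the customer presents it or a phisher relays it."""
        if user_id != USER_ID or self.next_otp >= len(OTP_LIST):
            return None
        if otp != OTP_LIST[self.next_otp]:
            return None
        self.next_otp += 1
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return token

    def start_transfer(self, session, amount):
        """Returns the 1-based number of the authorization code the bank wants."""
        if session not in self.sessions:
            return None
        idx = self.rng.randrange(len(AUTH_CODES))
        self.pending[session] = (amount, idx)
        return idx + 1

    def confirm_transfer(self, session, code):
        amount, idx = self.pending.pop(session, (None, None))
        if idx is None or code != AUTH_CODES[idx]:
            return False
        self.balance -= amount
        return True


class Customer:
    """The victim answers whatever page is in front of them, crossing login
    codes off the printed list as they are typed."""

    def __init__(self):
        self.used = set()

    def next_unused_login_number(self):
        return min(n for n in range(1, len(OTP_LIST) + 1) if n not in self.used)

    def login_code(self, number):
        self.used.add(number)
        return OTP_LIST[number - 1]

    def auth_code(self, number):
        return AUTH_CODES[number - 1]


def harvest_attack(victim_logs_in_first):
    """Nordea-style scheme: the fake site stores ID, OTP and the whole
    authorization code list; the phisher uses them afterwards."""
    bank, victim = NetBank(), Customer()
    # The fake page cannot know which code number the bank wants next, so it
    # just asks for "Code"; the victim types the next uncrossed one.
    stolen = {"user_id": USER_ID,
              "otp": victim.login_code(victim.next_unused_login_number()),
              "codes": list(AUTH_CODES)}
    if victim_logs_in_first:
        # The real bank still wants that same code number, and consumes it.
        bank.login(USER_ID, victim.login_code(bank.login_prompt()))
    session = bank.login(stolen["user_id"], stolen["otp"])
    if session is None:
        return {"stolen": False, "balance": bank.balance}
    wanted = bank.start_transfer(session, 500)
    ok = bank.confirm_transfer(session, stolen["codes"][wanted - 1])
    return {"stolen": ok, "balance": bank.balance}


def mitm_attack():
    """Osuuspankki-style scheme: the phishing server relays each answer to the
    real bank as it arrives and shows the victim the bank's own challenge."""
    bank, victim = NetBank(), Customer()
    otp = victim.login_code(victim.next_unused_login_number())
    session = bank.login(USER_ID, otp)            # relayed immediately
    wanted = bank.start_transfer(session, 500)    # victim sees "please wait two minutes"
    code = victim.auth_code(wanted)               # victim is asked for exactly this number
    ok = bank.confirm_transfer(session, code)
    return {"stolen": ok, "balance": bank.balance}


if __name__ == "__main__":
    print("harvest, phisher acts first  :", harvest_attack(False))
    print("harvest, victim logs in first:", harvest_attack(True))
    print("man-in-the-middle relay      :", mitm_attack())
```

Running it shows the point of the post: the harvesting phisher only wins if they act before the victim's next real login, because that login consumes the captured one-time password, whereas the relay wins every time because it spends the code the moment it is typed and asks the victim for exactly the confirmation code the bank wants.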

Our investigation discovered a similar domain registered for Spain's TLD (.es). We suspect numerous European banks are (or will be) targeted by Man-in-the-Middle phishing.