It attempts to phish the recipient by promising access to a game that's currently under development.
The language and grammar usage is good but not perfect.
Somewhat oddly — the e-mail address that's spoofed is email@example.com.
E-mail + Server Phishing
This message claims to be from Nordea Bank of Finland.
The language and grammar usage is terrible (it looks straight out of Google Translate).
The e-mail linked to an Apache server that hosted this login page:
(We sent an abuse report and the site was quickly shutdown.)
The fake netbank page asks for the customer's User ID and Code (a one-time password from a printed list).
This is the next page:
It asks for all of the customer's current set of Authorization Codes (one of several codes on a list that are randomly requested in order to complete a transaction).
All input is appended to a text file. In this example, the phisher has a limited window of opportunity to access the customer's account. If the customer attempts to access their real netbank account, they'll be prompted for the one-time password — making the phisher's information useless.
The Finnish used by this message is not quite right, but it's generally better than most Finns actually use in e-mail.
In any case, the language and grammar usage is quite a bit better than the other phishing campaign.
The phishing server is more advanced as well. Once the customer enters their User ID and one-time password code, the server then attempts a real-time transaction (to take advantage of the limited window of opportunity).
This Man-in-the-Middle service asks the customer to wait for two minutes:
And then the customer is asked for a particular confirmation code to complete the transaction:
This e-mail + server + MitM service is more subtle and significantly more dangerous than our second example.
Our investigation discovered a similar domain registered for Spain's TLD (.es). We suspect numerous European banks are (or will be) targeted by Man-in-the-Middle phishing.