NEWS FROM THE LAB - Monday, September 12, 2011

Man-in-the-Middle Attacks on Multiple Finnish Banks Posted by Sean @ 13:32 GMT

Multiple man-in-the-middle attacks are currently underway against at least two Finnish banks: Nordea and Osuuspankki.

Both banks use one-time passwords and verification codes, so run-of-the-mill phishing yields little of value to an attacker other than the account number. But in this case, the phishing pages are connected to a server-side man-in-the-middle attack that relays the captured codes in real time and attempts to complete a banking transaction.

Here's an example of the fake Nordea site:

[Screenshot: Nordea, man-in-the-middle – fake login page]

If the netbank customer enters their account ID and one-time passcode, they are asked to wait 2 minutes:

[Screenshot: Nordea, man-in-the-middle – "please wait 2 minutes" page]

This gives the attack server time to configure a transfer, and the customer is then asked for one of several confirmation codes:

[Screenshot: Nordea, man-in-the-middle – confirmation code request]

And then, the customer is thanked for their time:

[Screenshot: Nordea, man-in-the-middle – "thank you" page]

The process is initiated by an e-mail such as this:

Tämä on vuosittainen ilmoitus koskien Osuuspankki tiliäsi. Sinun tilisi pitää vahvistaa. Ole hyvä ja klikkaa alapuolella olevaa linkkiä ja seuraa ohjeita: Ystävällisesti, Osuuspankki
(Translation: This is an annual notice concerning your Osuuspankki account. Your account must be confirmed. Please click the link below and follow the instructions: Kind regards, Osuuspankki)
Screenshot by Henry Hagnäs

The e-mail targets Osuuspankki customers and is asking them to confirm their accounts as part of an annual review.

The phishing part of the attack is the same as in the Nordea example. First the ID and passcode:

[Screenshot: Osuuspankki, man-in-the-middle – fake login page]

Then the request to wait two minutes:

[Screenshot: Osuuspankki, man-in-the-middle – "please wait two minutes" page]

And then the request for the confirmation code:

[Screenshot: Osuuspankki, man-in-the-middle – confirmation code request]

Nordea has posted a warning for its customers to be on the lookout for e-mails in poorly written Finnish.

Unfortunately, the e-mail bait is rather short (and not everyone reads carefully enough), and once the customer clicks on the link, all of the Finnish on the fake site has been copied from the bank's own site, so poor language is no longer a tell. Better advice would be to never click on links in e-mails, but to go to the bank via a browser bookmark.

Our Browsing Protection toolbar blocks all currently known URLs being used in the attack, but the registered owner of these domains holds at least 90 others, so new variants could come online at any time.

[Screenshot: F-Secure Browsing Protection blocking the phishing site]

Hopefully the man-in-the-middle server, hosted in France, will be shut down soon.