NEWS FROM THE LAB - Friday, September 30, 2011

Trends: From Phishing to "Man-in-the-Middle" Phishing Posted by Sean @ 15:15 GMT

Here's how phishing methods are evolving based on our recent investigations.

E-mail Phishing

This message claims to be from Blizzard Entertainment.

[Screenshot: Blizzard phishing e-mail]

It attempts to phish the recipient by promising access to a game that's currently under development.

The language and grammar are good but not perfect.

Somewhat oddly, the spoofed sender address is noreply@blizzard.com.


E-mail + Server Phishing

This message claims to be from Nordea Bank of Finland.

[Screenshot: Nordea phishing e-mail]

The language and grammar are terrible (it reads as if it came straight out of Google Translate).

The e-mail linked to an Apache server hosting this login page:

[Screenshot: fake Nordea netbank login page]
(We sent an abuse report and the site was quickly shut down.)

The fake netbank page asks for the customer's User ID and Code (a one-time password from the customer's printed list).

This is the next page:

[Screenshot: fake Nordea authorization code page]

It asks for the customer's entire current set of Authorization Codes (the bank randomly requests one of the several codes on this list to complete a transaction).

All input is appended to a text file on the server. This gives the phisher only a limited window of opportunity: if the customer logs in to their real netbank account first, they'll be prompted for that same one-time password and consume it, making the phisher's stolen credentials useless.


E-mail + Server + MitM Service

Here's a more advanced example that recently targeted two Finnish banks.

[Screenshot: Osuuspankki phishing e-mail]
Screenshot by Henry Hagnäs

The Finnish in this message is not quite right, but it's generally better than what most Finns actually use in e-mail.

In any case, the language and grammar are quite a bit better than in the Nordea campaign.

The phishing server is more advanced as well. As soon as the customer enters their User ID and one-time password, the server uses them to attempt a real-time transaction (taking advantage of the limited window of opportunity before the code is consumed elsewhere).

This Man-in-the-Middle service asks the customer to wait for two minutes:

[Screenshot: Osuuspankki man-in-the-middle page, "please wait" notice]

And then the customer is asked for the particular confirmation code the bank has requested, so the phisher can complete the transaction:

[Screenshot: Osuuspankki man-in-the-middle page, confirmation code prompt]

This e-mail + server + MitM service is more subtle and significantly more dangerous than our second example.
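The difference between the two kits is easiest to see in a simulation. The Python model below is an added example, not code from either phishing kit or from F-Secure: it invents a toy netbank (a printed one-time password list consumed in order at login, and a numbered authorization code list from which the bank picks one index per transaction), a harvester kit that appends what the victim typed to a log and cashes out later (the Nordea example), and a relay kit that logs in immediately and asks the victim for exactly the code index the bank requests (the Osuuspankki example). The account data, code lists, amounts and bank rules are all constructed for the example.

```python
"""Toy model of a static credential harvester versus a real-time
man-in-the-middle relay, against a simulated netbank that logs in with a
printed one-time password (OTP) list and confirms transfers with a numbered
authorisation code list. All data and bank rules here are invented."""
import random


class Account:
    def __init__(self, user_id, otp_list, auth_codes, balance):
        self.user_id = user_id
        self.otp_list = otp_list      # printed OTP list, used strictly in order
        self.next_otp = 0             # index of the next unused OTP
        self.auth_codes = auth_codes  # {index: code} authorisation code list
        self.balance = balance


class ToyBank:
    """Login consumes the next OTP on the list; a transfer completes only once
    the customer returns the authorisation code at a bank-chosen index."""

    def __init__(self, accounts, rng=None):
        self.accounts = {a.user_id: a for a in accounts}
        self.rng = rng or random.Random()
        self.sessions = {}   # session token -> user_id
        self.pending = {}    # session token -> (amount, requested code index)

    def login(self, user_id, otp):
        acct = self.accounts.get(user_id)
        if acct is None or acct.next_otp >= len(acct.otp_list):
            return None
        if otp != acct.otp_list[acct.next_otp]:
            return None
        acct.next_otp += 1            # the OTP is burned once it has been used
        token = f"sess-{user_id}-{acct.next_otp}"
        self.sessions[token] = user_id
        return token

    def request_transfer(self, token, amount):
        """Start a transfer; returns the index of the code the bank wants."""
        user_id = self.sessions[token]
        idx = self.rng.choice(sorted(self.accounts[user_id].auth_codes))
        self.pending[token] = (amount, idx)
        return idx

    def confirm_transfer(self, token, code):
        amount, idx = self.pending.pop(token)
        acct = self.accounts[self.sessions[token]]
        if code != acct.auth_codes[idx]:
            return False
        acct.balance -= amount
        return True


class HarvesterKit:
    """Nordea-style kit: store whatever the victim typed, use it later."""

    def __init__(self):
        self.log = []     # stands in for the text file the kit appends to

    def phish(self, user_id, otp, all_auth_codes):
        self.log.append({"user": user_id, "otp": otp, "codes": dict(all_auth_codes)})

    def cash_out(self, bank, amount):
        entry = self.log[-1]
        token = bank.login(entry["user"], entry["otp"])
        if token is None:
            return False      # OTP already burned: the window has closed
        idx = bank.request_transfer(token, amount)
        return bank.confirm_transfer(token, entry["codes"][idx])


class RelayKit:
    """Osuuspankki-style kit: relay the login at once, start the transfer while
    the victim "waits two minutes", then ask for the code the bank asked for."""

    def __init__(self, bank, amount):
        self.bank, self.amount = bank, amount

    def phish(self, user_id, otp, ask_victim):
        token = self.bank.login(user_id, otp)       # spends the OTP immediately
        if token is None:
            return False
        idx = self.bank.request_transfer(token, self.amount)
        code = ask_victim(idx)                      # "enter confirmation code N"
        return self.bank.confirm_transfer(token, code)


def make_victim():
    otps = [f"{n:06d}" for n in (173920, 550114, 908271)]     # constructed
    auth = {i: f"{1000 + 37 * i}" for i in range(1, 11)}      # constructed
    return Account("victim", otps, auth, balance=1000)


def run_harvester(victim_logs_in_first):
    """Returns (transfer succeeded?, victim balance) for the harvester kit."""
    victim = make_victim()
    bank = ToyBank([victim], rng=random.Random(1))
    kit = HarvesterKit()
    kit.phish("victim", victim.otp_list[0], victim.auth_codes)
    if victim_logs_in_first:
        bank.login("victim", victim.otp_list[0])   # real login burns OTP #1
    return kit.cash_out(bank, 400), victim.balance


def run_relay():
    """Returns (transfer succeeded?, victim balance) for the relay kit."""
    victim = make_victim()
    bank = ToyBank([victim], rng=random.Random(1))
    kit = RelayKit(bank, amount=400)
    ok = kit.phish("victim", victim.otp_list[0], lambda idx: victim.auth_codes[idx])
    return ok, victim.balance
```

run_harvester(False) succeeds because the phisher spends the captured one-time password before the victim does; run_harvester(True) fails because the victim's real login has already consumed it. run_relay() succeeds regardless, since the kit uses the password within seconds of receiving it. The model also shows why the authorization code list adds nothing against the relay: the bank's randomly chosen index is simply forwarded to the victim, who supplies the matching code.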

Our investigation also discovered a similar domain registered under Spain's TLD (.es). We suspect numerous European banks are (or soon will be) targeted by Man-in-the-Middle phishing.