Posts Tagged ‘Phishing’


New Google AdWords Phish In-the-wild

By Rodel Mendrez  •  October 4th, 2011  •   Phishing


For those of you who have a Google AdWords account, be wary of a new Google AdWords spam campaign that we saw in the wild earlier this week. The spam email may use the following subject lines:

Google AdWords: You have a new alert.

Google Team: You have a new alert

Here is an example of the spam email posing as a notification from Google AdWords.

As you may notice in the sample email, the link that appears to point to your AdWords account looks dodgy. If that obvious sign did not stop you from clicking it, you would have been redirected to a Google AdWords phishing webpage.

After the user enters a username and password, the webpage sends these credentials to the cyber-criminal’s webserver.

The HTTP POST request sent when the user enters their Google account credentials: it delivers the username and password to the phisher’s webserver.

Of course, entering your Google account credentials on the phishing page will NOT just compromise your Google AdWords account: all your Google services, such as Gmail and Google+, will be affected as well. When you receive these sorts of notification emails, always double-check the URL before you click on it. If it looks suspicious, it probably is.



‘Just applied for my own @facebook.com email account’ Phish Spreading

By Satnam Narang  •  March 11th, 2011  •   Phishing

There is a new scam making the rounds on Facebook today. This particular scam concerns Facebook’s recently revamped Messaging product, which now gives Facebook users the opportunity to own an @facebook.com e-mail address. In the past, there were scams surrounding the launch of this product that followed in the footsteps of similar Facebook scams: they required Facebook users to authorize a rogue application and fill out a survey to earn the scammers referral money, and at the end users were redirected to http://facebook.com/about/messages

Today’s scam is different – users are now being phished for their Facebook login credentials:

Facebook E-Mail Scam Wall Post

New Facebook Phishing Campaign Spreading




RapidShare.com – The Phishing Begins

By Yaniv Miron  •  February 20th, 2011  •   Phishing

A few weeks ago, M86 Security Labs discovered a way to create a phishing page on RapidShare.com. As most of you probably know, RapidShare is one of the largest file sharing websites, with thousands of users worldwide.

While trying to download a file from RapidShare.com, we encountered an error message indicating that the servers were busy.

We decided to examine the error message and found an improper input validation vulnerability in the “downloaderror” field.

Below is the original error message from RapidShare:

RapidShare.com Error message – Too many users downloading…

In the following screen, we see a fake phishing message that offers users the opportunity to buy a premium account for RapidShare:

RapidShare.com Fake Error message

A closer look:

For further information, see this demo link:

http://rapidshare.com/#!downloaderror|3|623624|test.avi|723|Too%20many%20users%20downloading%20from%20this%20server%20right%20now.%20Please%20call%201-800-555-fake-premium%20or%20email%20your%20Credit%20Card%20to%20fake@premiumfake.com%20to%20get%20a%20premium%20account%20for%20only%209.95$%20a%20month%20!!!

In addition, we can control all of the “downloaderror” fields: for example, the file folder (623624), the file name (test.avi) and, of course, the error message.

This type of improper input validation helps malicious attackers create phishing pages within RapidShare.com. A user who receives an email or a link to the malicious phishing page could unknowingly give away credit card information to the attacker, either by email or by phone.
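The fragment format in the demo link above, as an added JavaScript example that is not RapidShare’s code: a parser for the downloaderror fields, the weak rendering pattern the post describes, and a hardened version that never displays free text taken from the URL. The field order, the error-code table and the function names are assumptions modelled on the demo link.

```javascript
// Constructed sample fragment, taken from the demo link in the post and shortened.
const SAMPLE_FRAGMENT =
  "#!downloaderror|3|623624|test.avi|723|Too%20many%20users%20downloading." +
  "%20Please%20call%201-800-555-fake-premium%20for%20a%20premium%20account";

// Hypothetical table of canned messages, keyed by numeric error code only.
const ERROR_MESSAGES = { 3: "Too many users are downloading from this server right now." };

// Split the fragment into named fields. Each field is decoded after the split, so an
// encoded "%7C" cannot smuggle in an extra separator; a malformed %-sequence rejects it.
function parseDownloadError(fragment) {
  if (!fragment.startsWith("#!downloaderror|")) return null;
  let parts;
  try {
    parts = fragment.slice(2).split("|").map(decodeURIComponent);
  } catch (e) {
    return null; // URIError from a bad %-sequence
  }
  if (parts.length < 5) return null;
  const [, code, folderId, fileName, size, ...rest] = parts;
  return { code, folderId, fileName, size, message: rest.join("|") };
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The weak pattern the post describes: the free-text field from the fragment is shown to
// the user as if it were RapidShare's own error message.
function renderUnsafe(err) {
  return `<div class="error">${err.message}</div>`;
}

// Hardened: numeric fields must be numeric, the file name is escaped, and the message is
// looked up by code in the server-defined table. Unknown codes are refused, not echoed.
function renderSafe(err) {
  if (![err.code, err.folderId, err.size].every((v) => /^\d+$/.test(v))) return null;
  const message = ERROR_MESSAGES[err.code];
  if (message === undefined) return null;
  return `<div class="error">${escapeHtml(err.fileName)}: ${escapeHtml(message)}</div>`;
}
```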

We contacted RapidShare.com regarding this subject and received a response from the RapidShare Abuse team assuring us that they have fixed the issue.



Donbot spreading Bank of America scam

By Rodel Mendrez  •  February 3rd, 2011  •   Spam

Phishing attacks targeting online banking customers at various institutions are nothing new. However, today we observed another version of a phishing campaign spammed out by the Donbot botnet. The phishing trick is standard fare: the email claims to be from “Bank of America” and requires the user to download the attachment and fill out a form as an “online security measure”.

In the email sample above there is an attachment, “BillingVerification.exe”, which is actually a self-extracting RAR archive containing an HTML phishing form.

Scrounging around the HTML form’s source code, it appears that the phisher’s PHP scripts, log files and stolen user data were being served from a legitimate website that had been compromised. A couple of files on the server contained sensitive information, such as IP addresses, credit card details, social security numbers, challenge questions and answers, online banking IDs and the passwords of those who had been deceived by this phishing campaign.

M86 MailMarshal customers are protected from this spam campaign with SpamCensor 559.

Update:

We reached out to Bank of America and this morning we received an e-mail from Jeffrey Laughton at Bank of America informing us that they have successfully taken down the compromised website.



Which Bank would you like with that Phish?

By Gavin Neale  •  December 9th, 2010  •   Cybercrime

Over the last couple of years we have seen a decline in traditional phishing schemes as cyber criminals have begun to use banking malware such as Zeus and SpyEye. These tools can steal credentials for a wide range of websites and, by using browser-in-the-middle techniques, can beat the two-factor authentication used by many banking websites.

Lately we have seen a number of phishing emails in which the phishers impersonate a third party with a plausible reason for interacting with your bank, such as a tax department. The phishers then attract victims via spam to a landing page where they are asked to choose their bank from a selection, and are then shown a fake login page for that bank. This increases the chance of a phisher matching a bank to a potential victim.

This email, targeted at British recipients, promises the recipient that they are eligible for a tax refund from HM Revenue and Customs. By clicking the Refund Me Now link, they can be on their way to receiving their tax refund.

Following the link takes the recipient to the phishing landing page below, which shows the logos of 15 banks and asks the user to click on the logo of their bank to continue. Each logo is a link to a fake banking website that resembles that bank’s real website.

The landing page where users are asked to select their bank

When we click on the HSBC bank logo we are taken to a page designed to phish credentials from HSBC members:

The phishing page the victim is sent to if they click the HSBC bank logo

We saw a nearly identical campaign two months ago that was phishing for bank accounts in New Zealand. This is just another technique cyber criminals are using to increase their returns as people become more aware of how phishing attacks work.



McAfee, Secure Short URL Service… Or is it?

By Anonymous  •  December 6th, 2010  •   Vulnerabilities

Recently, McAfee entered the already crowded URL shortening business. The service is called mcaf.ee and is meant to provide a major ‘added value’ over its competitors, namely security.

Basically, every URL shortened using the mcaf.ee service is scanned and declared safe for browsing. However, as with any antivirus, it appears that not only safe URLs get shortened but malicious ones too. As a result, this may hurt the security of other sites that rely on the verdict of the mcaf.ee service.

For demonstration purposes, let’s have a look at a malicious URL that was found in the wild and reported as safe by mcaf.ee.

Page source of a malicious "short" URL

Figure 1 shows a screenshot of the source code of the malicious URL (in the red frame). McAfee reported it as safe (in the green frame).

Now, let’s see how the mcaf.ee service can be used to get around the protection provided by Facebook, for example. We’ll choose a Facebook phishing URL that Facebook successfully blocks:

Facebook phishing blocked successfully by Facebook

Facebook phishing site marked as safe by McAfee

When we used the shortened URL generated by the mcaf.ee service, hxxp://mcaf.ee/139b4, it could be posted on a Facebook wall or in a private message without being blocked. Luckily, after a few minutes, we noticed that Facebook started blocking that URL as well.

Users should carefully check links coming from emails, Facebook or any other social network when the sender is unknown and the link is shortened, because there is no guarantee the URL is safe, even when it comes from a “Secure URL Short Service”.

Post Authored By Daniel Chechik and Moshe Basanchig



USAA Credential Phishing

By Gavin Neale  •  November 2nd, 2010  •   Spam

Today we started seeing a new phishing campaign, sent by the Cutwail spambot, targeting customers of the United States Automobile Association (USAA). Cutwail is the spamming component installed by the Pushdo botnet. The phishing emails ask the recipient to fill out a ‘confirmation form’, which they can access by clicking on a link in the message.

Phishing spam targeting USAA customers

To hide the URL of the phishing web page, these emails link to one of several URL shortening services, such as http://bit.ly, which redirect the browser to the actual phishing page.

The link ‘Access USAA Confirmation Form’ in the spam email above points to http://bit . ly/agWGNG. When we tested this link, bit.ly had already determined that there might be a problem with the URL it was redirecting to, and displayed a warning page rather than sending us on to the phishing page.

bit.ly warning page

If we choose to ignore this warning and continue to the un-shortened URL, we end up at the page below, a phishing website aimed at stealing information from USAA members. This page, titled ‘Cardholder Form’, asks the user for their online ID, password, name, card number, card security code and PIN. When the user clicks the submit button, all of these details are sent to the criminals’ server and the user’s browser is redirected to the real USAA website.

The USAA phishing page

For now, this phishing site, hosted on the domain vsdfile (dot) ru, is not serving up any malicious content. USAA provides banking and credit card services, which may be the intended target of these criminals once they have tricked a customer into divulging their cardholder details.

We have not seen one of these large-scale phishing campaigns from Cutwail for some time, as the cybercriminals switched to spamming out links to the data-stealing Zeus malware. With the recent high-profile arrests of several Zeus perpetrators, and all the subsequent public attention on Zeus, maybe phishing, where you politely ask for data instead of stealing it, will come back into fashion?



Persistent Tax Refund Scam

By Rodel Mendrez  •  October 21st, 2010  •   Spam

A month ago, the New Zealand Department of Inland Revenue (IRD) issued a warning advising people not to respond to scam emails claiming to offer tax refunds. We have observed these types of scams before, but the individual campaigns come and go. Like any other phishing scam, this email campaign is made to look like a legitimate notification from Inland Revenue, complete with the logo.

IRD Tax refund scam email

The link in the message body points to a phony web page that mimics the New Zealand IRD website. The odd thing is the instruction, in a red font, stating “Please click on your following bank logo to continue the refund procedure”.




Phishing New Zealand from Nigeria

By Gavin Neale  •  August 3rd, 2010  •   Spam

We’ve recently observed phishing emails targeting customers of ASB Bank, which is based in New Zealand. While these particular phishing emails are not very different from the many other phishing emails we see every day, we did find some interesting things on the server hosting the phishing website and in the email’s headers, which hint that a group based in Nigeria could be behind these phishing attacks. Here is a sample message:

The link in the email goes to a phishing page hosted on a compromised web server in Hungary. It looks a lot like the legitimate banking login page of the asbbank.co.nz website.




Man-in-Middle Phishing Attack

By Anonymous  •  July 14th, 2006  •   Cybercrime Phishing

The first ever case of a “man in the middle” attack against an online bank was reported recently by Security Fix.

The attack targeted Citibank’s Citibusiness service and was designed to spoof the hardware token device used by the bank’s customers. Citibusiness requires customers to use a token in addition to their user name and password: the small hardware device generates an additional password that changes every minute or so.

The phishing site checked the logon credentials against the real site before rendering the results to the phishing victim. The “man in the middle” is the phishing site, which submits the data provided by the user to the actual site. If that site generates an error, so does the phishing site, making it look more genuine: enter an invalid password, and you get an invalid logon page.

The security industry has long predicted this type of man-in-the-middle attack; it seemed only a matter of time.
