Phish Sticks: Email Crime Revisited

infectionvectors.com

March 2006

 

Overview

 

As a complement to the Phishing Trip reports from 2005, infectionvectors.com periodically reviews phishing efforts and trends. The well of scam victims has apparently not yet run dry for the criminally minded coders of the world. The scam outlined below shows the reach and ease with which con artists work on the Internet. The particular sample serving as a backdrop for this story involves the Royal Bank of Canada – one of the many banks having its name abused by thieves. Royal Bank has had problems with such efforts in the past and has taken steps to protect its customers, a modern requirement of doing cyber business.

 

Inbox

 

This particular sample was intriguing in that it was the first scam seen using its domain name (searches in abuse monitoring groups turned up no record), which indicates that the criminal behind it had only recently set up the server. It arrived after taking a world tour. Of course, as has been pointed out in these reports before, never trust an email from a spammer, scammer, or worm: only the Received line written by the recipient's own relay (mx.mailix.net) is beyond the sender's control; everything beneath it could have been forged by an earlier hop. However, in the interest of dissecting this criminal's plot, some information (such as header data) will be accepted as true.

 

Only two relay hops appear in this message's headers (each relay that handled the message prepends its own Received line, so the full chain is whatever those relays chose to record), and so we can only see the following:

 

The message leaves a machine in Romania (a consumer ISP address, likely a compromised client PC). Note the "(authenticated bits=0)" in the line below: sendmail records this when the client logged in with SMTP AUTH, so the Korean server was not an open relay; whoever sent this held, or had stolen, credentials on it, and bits=0 shows the session was not encrypted.

 

Received: from temp (user-ip-26-170-181-81-sel.rdsnav.ro [81.181.170.26])
      (authenticated bits=0)
      by ns.coreajin.com (8.12.8/8.12.8) with ESMTP id k26Gdbno031422;
      Tue, 7 Mar 2006 01:39:41 +0900

 

It then sits on the Korean relay for roughly seventy minutes (16:39:41 UTC to 17:49:39 UTC, once both stamps are converted) before landing on the destination relay:

 

Received: from [210.114.174.160] (helo=ns.coreajin.com)
      by mx.mailix.net with esmtp (Exim 4.24-MD)
      id 1FGJpz-0002XP-PJ
      for spam@infectionvectors.com; Mon, 06 Mar 2006 09:49:39 -0800
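As an added illustration (not code from the original report), the Python script below walks a message's Received chain the way the analysis above does, oldest hop first, and puts numbers on the two observations just made: the SMTP AUTH marker on the Korean relay and the time the message spent in transit. The two Received lines are the ones quoted above; the From, Date and body are a constructed stub so that the script runs offline. It also compares the client-set Date header against the first relay's stamp, a check worth running on any suspicious message.

```python
"""Recover a message's relay path from its Received: headers.

Added example, not code from the original report. The two Received: lines
are the ones quoted in the report; the remaining headers and body are a
constructed stub so the script runs offline.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (the Received:, From: and Date: values are from the report).
RAW_MESSAGE = (
    "Received: from [210.114.174.160] (helo=ns.coreajin.com)\n"
    "\tby mx.mailix.net with esmtp (Exim 4.24-MD)\n"
    "\tid 1FGJpz-0002XP-PJ\n"
    "\tfor spam@infectionvectors.com; Mon, 06 Mar 2006 09:49:39 -0800\n"
    "Received: from temp (user-ip-26-170-181-81-sel.rdsnav.ro [81.181.170.26])\n"
    "\t(authenticated bits=0)\n"
    "\tby ns.coreajin.com (8.12.8/8.12.8) with ESMTP id k26Gdbno031422;\n"
    "\tTue, 7 Mar 2006 01:39:41 +0900\n"
    "From: \"To RBC Online Banking Clients\"<e-mails@rbc.com>\n"
    "Date: Mon, 6 Mar 2006 19:42:20 +0200\n"
    "Subject: constructed stub\n"
    "\n"
    "constructed body\n"
)

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the useful fields out of one (possibly folded) Received: value."""
    text = re.sub(r"\s+", " ", value).strip()
    from_m = re.search(r"\bfrom (\S+)", text)
    by_m = re.search(r"\bby (\S+)", text)
    ip_m = IPV4.search(text)
    # RFC 5322 puts the timestamp after the last ';' of the header.
    stamp = text.rsplit(";", 1)[-1].strip()
    return {
        "from": from_m.group(1) if from_m else None,
        "ip": ip_m.group(1) if ip_m else None,
        "by": by_m.group(1) if by_m else None,
        # sendmail writes "(authenticated bits=N)" when the client used SMTP AUTH;
        # N is the TLS cipher strength, so bits=0 means authenticated but unencrypted.
        "authenticated": "authenticated" in text,
        "time": parsedate_to_datetime(stamp),
    }


def relay_path(raw):
    """Return hops in chronological order (earliest relay first).

    Each relay prepends its own Received: line, so header order is newest
    first; reversing it gives the path the message actually took.
    """
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def transit_seconds(hops):
    """Seconds between the first and the last relay accepting the message."""
    return int((hops[-1]["time"] - hops[0]["time"]).total_seconds())


def date_header_skew(raw, hops):
    """Seconds by which the client-set Date: header is later than the first relay stamp.

    A positive value means the message claims to have been written after a
    relay had already accepted it: a wrong clock or a forged Date:, and in
    either case a header not to be trusted.
    """
    msg = message_from_string(raw)
    claimed = parsedate_to_datetime(msg["Date"])
    return int((claimed - hops[0]["time"]).total_seconds())


if __name__ == "__main__":
    path = relay_path(RAW_MESSAGE)
    for n, hop in enumerate(path, 1):
        auth = " (SMTP AUTH)" if hop["authenticated"] else ""
        print(f"hop {n}: {hop['from']} [{hop['ip']}] -> {hop['by']}{auth} at {hop['time']}")
    print("transit between relays:", transit_seconds(path), "seconds")
    print("Date: header ahead of first relay stamp by", date_header_skew(RAW_MESSAGE, path), "seconds")
```

Run as-is, the two hops print in order with the Romanian host flagged as having authenticated to ns.coreajin.com, the transit between relays comes out at 4198 seconds, and the Date header turns out to be 3759 seconds later than the first relay's stamp: either a badly set clock on the sending PC or a forged header. Only the line written by the recipient's own MX is beyond the sender's control; everything earlier is the sender's word.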

 

The message itself arrived as the following notification:

 

“Dear Royal Bank customer,
DATA: March 6-2006
We recently reviewed your account, and suspect that your Royal Bank Internet Banking account may have been accessed by an unauthorized third party.
Protecting the security of your account and of the Royal Bank network is our primary concern. Therefore, as a
preventative measure, we have temporarily limited access to sensitive account features.

To restore your account access, please take the following steps to ensure that your account has not been compromised:

1. Login to your Royal Bank Internet Banking account. In case you are not enrolled for Internet Banking, you will have to fill in all the required information, including your client card number or business card number and your password.

2. Review your recent account history for any unauthorized withdrawals or deposits, and check you account profile to make sure not changes have been made. If any unauthorized activity has taken place on your account! ! , report this to Royal Bank staff immediately.

To get started, please click the link below:

https://www1.royalbank.com/cgi-bin/rbaccess”

 

Certainly, as has been noted in phishing analyses many times over, the grammar of such a plea would lead careful readers to doubt the authenticity of the email. Moreover, many people are no longer inclined to trust email at all given the rash of SMTP-based crimes. However, the use of the RBC logo (hotlinked from the bank's own server), the menacing text, and the official-looking server that follows will undoubtedly fool many users.

 

Next Stop

 

After the long-traveling email reaches a user, it asks the reader to click a link whose visible text is the genuine www1.royalbank.com address but whose actual target is a server in Bangladesh. As is common, the criminal simply lifted the real RBC page and its scripts for use on his or her own platform (an Apache server running on Red Hat Linux).
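The link trick just described, visible text naming one host while the href points at another, is mechanical to detect. The Python below is an added example, not code from the original report: it pulls every anchor out of an HTML body and flags those whose displayed text parses as a URL on a different host than the href. The visible text is the one quoted above; the href host phish-host.invalid and the rest of the fragment are constructed placeholders, since the report does not print the real destination.

```python
"""Flag links whose visible text names one host while the href points at another.

Added example, not code from the original report. The visible link text is
the one quoted in the report; the href host "phish-host.invalid" and the
surrounding HTML are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed fragment: first anchor mimics the report's sample, the second is
# an ordinary named link, the third shows text and href that genuinely agree.
SAMPLE_HTML = """
<p>To get started, please click the link below:</p>
<a href="http://phish-host.invalid/cgi-bin/rbaccess">https://www1.royalbank.com/cgi-bin/rbaccess</a>
<p><a href="http://www.rbc.com/security/bulletinPhishing.html">Security bulletin</a></p>
<p><a href="https://www1.royalbank.com/cgi-bin/rbaccess">https://www1.royalbank.com/cgi-bin/rbaccess</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or None when the text is not an absolute URL."""
    parts = urlsplit(url.strip())
    return parts.hostname.lower() if parts.scheme and parts.hostname else None


def deceptive_links(html_text):
    """Return (href, text) pairs where the text is a URL on a different host.

    A link that reads https://www1.royalbank.com/... but resolves somewhere
    else is exactly the pattern the report's sample relies on. Plain-word
    link text is not a URL and is left alone.
    """
    collector = LinkCollector()
    collector.feed(html_text)
    flagged = []
    for href, text in collector.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            flagged.append((href, text))
    return flagged


if __name__ == "__main__":
    for href, text in deceptive_links(SAMPLE_HTML):
        print(f"shown: {text}\n  actually goes to: {href}")
```

Only the first anchor is reported. The comparison is on hostnames rather than whole URLs so that path differences on the bank's own site do not raise noise; a stricter deployment would also treat a bank hostname appearing as a subdomain of a foreign host (rbc.com.example) as a mismatch, which this host equality check already does.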

 

The author also took the liberty of adding a few small “improvements” to the page, notably a script taken from “perlscriptsjavascripts.com” which disables the browser's right-click context menu. This is a common attempt to discourage casual inspection of the page; it offers no real protection, since the source can still be viewed from the browser's menu bar or by saving the page to disk.

 

The fake page does include the legitimate RBC warning to readers to be on the lookout for “phony” email messages. It is quite possible that a customer will see such a warning, read the very real RBC advice against falling for phishing, and then feel much better about the server (surely a criminal wouldn't put a phishing warning right on a fake server…).

 

Acting Out

 

Royal Bank of Canada has placed a warning to consumers regarding such scams on its web site (http://www.rbc.com/security/bulletinPhishing.html) and links to it directly from the account login page. This has become a baseline requirement for financial institutions. Other actions that could be taken include rotating the filenames of the static graphics on the website. For example, in the scam email the attacker hotlinks the following image (the RBC logo) straight from the bank's own server:

 

<img src="http://www.rbc.com/legal/images/main-graphical-banners/RBC_fin_grp_legal_en.jpg" width="599" height="68" />

 

If this were periodically replaced by a graphic reading “unofficial use of logo – be advised of possible scam,” phishers would have to either embed the graphics in their emails (making the messages much larger and slower to pump out) or link them from their own web servers (which are more readily identified and taken down than legitimate sites). The organization would of course need to update its own pages with the new filenames, but that is a trivial task when a rotation schedule is set well in advance. The important detail is that the retired filename keeps serving the warning graphic rather than a 404, so that every page copied before the rotation displays the warning in the logo's place.

 

Phishing is without a doubt an attack on the organization whose name is being fraudulently employed. Companies that think of the scams as such are much more likely to have taken steps to react appropriately. It is vital that phishing be considered an assault on the enterprise, just like a DoS or similar direct threat. If phishing is unchecked, it will hurt customers and thereby hurt the organization. Phishing, although a seemingly passive affront, needs to be part of the incident response team’s charge. Steps to planning a phishing defense:

 

  • Remain aware of threats in the wild (monitoring)

  • Plan possible countermeasures (e.g. swapping logo files on the web site)

  • Know how to obtain the right contact information (hosting provider, registrar) to have fraudulent websites removed

  • Continuously update consumers about attacks (specific threats)

  • Continuously improve consumer awareness (general anti-phishing education)
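The monitoring step above and the hotlinked-logo observation earlier in this section come together in a check a bank's web team can run today: because copied phishing pages keep loading the logo from the bank's own server, the web server's access log records the phishing site's hostname in the Referer field of those requests. The Python below is an added example, not from the original report. The log lines are constructed in Apache combined format, the image paths are the two the report shows being hotlinked, and phish-host.invalid stands in for whatever host a real hit would reveal.

```python
"""Spot phishing pages by watching who hotlinks the bank's own images.

Added example, not from the original report. The access-log lines are
constructed in Apache combined format; only the two image paths come from
the report, and "phish-host.invalid" is a placeholder hostname.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log: two hits from a copied page, one from a mail client
# rendering the phishing email (no Referer), and legitimate traffic to ignore.
ACCESS_LOG = """\
203.0.113.7 - - [06/Mar/2006:10:02:11 -0500] "GET /legal/images/main-graphical-banners/RBC_fin_grp_legal_en.jpg HTTP/1.1" 200 9123 "http://www.rbc.com/legal/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [06/Mar/2006:10:03:40 -0500] "GET /legal/images/main-graphical-banners/RBC_fin_grp_legal_en.jpg HTTP/1.1" 200 9123 "http://phish-host.invalid/cgi-bin/rbaccess/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.24 - - [06/Mar/2006:10:04:02 -0500] "GET /legal/images/main-graphical-banners/RBC_fin_grp_legal_en.jpg HTTP/1.1" 200 9123 "http://phish-host.invalid/cgi-bin/rbaccess/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.25 - - [06/Mar/2006:10:05:19 -0500] "GET /legal/images/main-graphical-banners/RBC_fin_grp_legal_en.jpg HTTP/1.1" 200 9123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [06/Mar/2006:10:06:00 -0500] "GET /common/images/english/security_banner.gif HTTP/1.1" 200 2210 "https://www1.royalbank.com/cgi-bin/rbaccess" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.10 - - [06/Mar/2006:10:06:30 -0500] "GET /index.html HTTP/1.1" 200 4410 "http://phish-host.invalid/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories holding the branding graphics seen hotlinked in the report.
BRAND_ASSET_DIRS = ("/legal/images/", "/common/images/")
# The bank's own domains; any subdomain of these is a legitimate referrer.
OWN_DOMAINS = ("rbc.com", "royalbank.com")


def is_own_host(host):
    """True for the bank's own hostnames (apex or any subdomain of OWN_DOMAINS)."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def hotlink_report(log_text):
    """Count brand-image requests by foreign Referer host.

    Returns (Counter of foreign referrer hosts, number of brand-image requests
    that carried no Referer at all). Requests for non-brand paths are ignored,
    as are referrers on the bank's own domains.
    """
    foreign = Counter()
    no_referer = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(BRAND_ASSET_DIRS):
            continue
        referer = m["referer"]
        if referer == "-":
            # Mail clients rendering the phishing message, and direct loads,
            # send no Referer; count them separately rather than guess.
            no_referer += 1
            continue
        host = (urlsplit(referer).hostname or "").lower()
        if not is_own_host(host):
            foreign[host] += 1
    return foreign, no_referer


if __name__ == "__main__":
    foreign, no_referer = hotlink_report(ACCESS_LOG)
    for host, hits in foreign.most_common():
        print(f"{hits:4d}  logo loaded from page on {host}  <- candidate phishing site")
    print(f"{no_referer:4d}  logo loads with no Referer (likely mail clients)")
```

On the constructed log this reports phish-host.invalid with two hits and one Referer-less load. Referer is advisory only (clients may strip it, and an attacker who knows the check can serve the logo locally), so a foreign host here is a lead for the incident response team to verify and report, not proof. The same report also shows which logo filenames are still being hotlinked, which is the information needed to schedule the filename rotation discussed above.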

 


Appendix: Selected HTML of Message

 

Note the path of the background image, mistakenly left pointing at a local file (C:\Documents and Settings\Administrator\Desktop\dotted_vert.gif): it shows the attack was assembled on a Windows machine, logged in as Administrator. The headers are consistent with that (X-Mailer claims Outlook Express 6, easily forged but matching) and declare a Windows-1251 (Cyrillic) charset that the copied RBC page, which specifies ISO-8859-1, never used. Also note Received-SPF: none: rbc.com published no SPF record at the time, so the receiving relay had no basis on which to reject the forged e-mails@rbc.com envelope sender.

 

Message-Id: <200603061639.k26Gdbno031422@ns.coreajin.com>
Reply-To: <no-reply@rbc.com>
From: "To RBC Online Banking Clients"<e-mails@rbc.com>
Subject: Important Message About Upcoming Internet Team RBC® Account***
Date: Mon, 6 Mar 2006 19:42:20 +0200
MIME-Version: 1.0
Content-Type: text/html;
       charset="Windows-1251"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: 7bit
Bcc:
X-VS-Do-Not-Run: Yes
X-SA-Do-Not-Run: Yes
X-SA-Exim-Connect-IP: 210.114.174.160
X-SA-Exim-Mail-From: e-mails@rbc.com
X-SA-Exim-Scanned: No; SAEximRunCond expanded to false
Received-SPF: none (spfquery: domain of e-mails@rbc.com does not designate permitted sender hosts) client-ip=210.114.174.160; envelope-from=e-mails@rbc.com; helo=;
X-VS-Scanned: No; VscanRunCond expanded to false

 

 

<html>
<head>
<title>Royal Bank of Canada</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- main table set at 770 - 3 columns - left nav, content area, blue branding line -->
<table width="612" border="0" cellspacing="0" cellpadding="0">
  <!-- middle row - content area including left navigation -->
  <tr>
    <td width="10" valign="top">&nbsp;</td>
    <td width="759" valign="top">
      <table width="600" border="0" cellspacing="0" cellpadding="0">
        <!-- first table cell for dotted vertical line along lefthand side of the table -->
        <!-- second cell for main graphical banner - defined as an editable region -->
        <tr>
          <td width="1" rowspan="2" background="C:\Documents and Settings\Administrator\Desktop\dotted_vert.gif" bgcolor="#cccccc"></td>
          <td><!-- InstanceBeginEditable name="Section Graphical Banner" --><img src="http://www.rbc.com/legal/images/main-graphical-banners/RBC_fin_grp_legal_en.jpg" width="599" height="68" /><img src="https://www1.royalbank.com/common/images/english/security_banner.gif" <!-- InstanceEndEditable --></td>

Copyright © 2006 infectionvectors.com. All rights reserved.