educate the enterprise. defeat phish hooks.
Phishing Trip Part 1: Back Again (additional entries) infectionvectors.com January 2005
See Full Report - Phishing Trip Part 1: Washington Mutual
Back Again
Sometimes it is the little things that make all the difference. The most recent Washington Mutual-based scam finds its way into the first part of the Phishing Trip by way of proving that even a rigorous examination of a page's code may not reveal a scam at first glance. The scam arrives just like the fraudulent email known as "Message #9" in the Addendum. It is a cobbling together of various pieces to make a legitimate-looking bank request for personal information. This time, however, the web server used as the front-end for the scam was up and running. Here is what an unwitting user would see:
Granted, the URL is a tip-off, considering there is little attempt to obfuscate the real location of this page. The rest of the page looks pretty good though, and if you actually do any online business with Washington Mutual, you will appreciate why: the page is exactly the same as the real logon page. It is a complete copy, down to the "Forgot your password" link (which is actually pretty important for a successful password-lifting scam when you think about it). The code is not a "compilation" of parts as are the emails and some phony sites; it is taken directly from the real banking site (down to the comments in the HTML/scripting).
Is this anything earth shattering? No, Internet criminals have played this card before. But, it does illustrate a good point: telling users there is always "something fishy" about scam sites is not necessarily true. If the coders involved in this version of the WaMu scam had hidden the URL better, registered a domain close to one of Washington Mutual's, or embedded this page into the email itself, there would be little room for security administrators to say the user missed a technical detail. That's the point, however. Users need awareness training in the non-technical aspects of scamming too. That is easy to lose sight of, especially in the technical disciplines like code analysis, intrusion detection, and malware research. The code displayed above has one noticeable difference from the real site, buried in hundreds of lines of HTML/javascript:
Washington Mutual Logon Site: <form name="frmLogin" method="post" action="/access/oblix/apps/webgate/bin/webgate.dll" onSubmit="return handleLogin();">
Fake Site: <form name="frmLogin" method="post" action="index.php?MfcISAPICommand=VerifyFPP&UsingSSL=1&login=&pass=" onsubmit="return handleLogin();">
One utilizes the actual Washington Mutual web application to accept and check passwords; the other simply posts the data to a PHP script on a server used for the phony site. Also, the fake site notes a date of 10/29/2004 for the last update, while the real site shows today's date, 01/18/2005.
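As an added example (not code from the original article), here is a small Python check that does mechanically what the comparison above does by eye: it parses a page's <form> tags, resolves each action against the page's own URL, and reports whether the credential form posts back to the expected bank host and whether credential-named parameters ("login", "pass") appear in the action URL. The two page URLs and the expected host are placeholders I have assumed; the two form tags are the ones quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs

# Query-string keys that should never appear in a logon form's action URL.
CREDENTIAL_KEYS = {"login", "pass", "password", "passwd", "user", "username"}

# Constructed sample inputs: placeholder URLs, form tags as quoted in the article.
EXPECTED_HOST = "example-bank.test"                       # assumed bank domain
REAL_PAGE_URL = "https://login.example-bank.test/logon"    # assumed real logon URL
PHISH_PAGE_URL = "http://phish.example.test/wamu/index.php"  # assumed scam URL
REAL_FORM = ('<form name="frmLogin" method="post" action="/access/oblix/apps/'
             'webgate/bin/webgate.dll" onSubmit="return handleLogin();">')
PHISH_FORM = ('<form name="frmLogin" method="post" action="index.php?'
              'MfcISAPICommand=VerifyFPP&UsingSSL=1&login=&pass=" '
              'onsubmit="return handleLogin();">')


class FormCollector(HTMLParser):
    """Collects the attributes of every <form> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.forms.append({k.lower(): (v or "") for k, v in attrs})


def audit_login_forms(page_url, html, expected_host):
    """Return one finding per form: where it really posts, and any credential keys in the URL."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # A relative action resolves against the page that served it, not the bank.
        action = urljoin(page_url, form.get("action", ""))
        parts = urlsplit(action)
        host = (parts.hostname or "").lower()
        on_expected = host == expected_host or host.endswith("." + expected_host)
        query_keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        findings.append({
            "name": form.get("name", ""),
            "action": action,
            "posts_to_expected_host": on_expected,
            "credential_params_in_url": sorted(query_keys & CREDENTIAL_KEYS),
        })
    return findings


if __name__ == "__main__":
    for url, html in ((REAL_PAGE_URL, REAL_FORM), (PHISH_PAGE_URL, PHISH_FORM)):
        print(audit_login_forms(url, html, EXPECTED_HOST))
```

Pointing the same check at a page taken from a known-good copy of the bank's site (as the article does) turns "the code looks identical" into a diff of the one attribute that matters.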
The destination: 64-95.85.145.83.IN-ADDR.ARPA.NS mistral.santnet.com
Copyright © 2005 infectionvectors.com. All rights reserved.