Posts filed under 'Phishing'

A Treasury Trove of Phish

May 1st, 2008 by Fatima Bancod (Email Security Analyst)

At its official Web site, the U.S. Treasury Department Federal Credit Union (TDFCU) makes known that its mission is “to serve the financial needs of our members as a safe and sound cooperative financial institution under sponsorship of the Department of the Treasury.”

Its members include employees of the Treasury Department, the Department of Homeland Security, the U.S. Courts, and other organizations in similar fields of government service. The TDFCU also has members who live, work, and do business with similar governmental organizations located in Washington, D.C.

Recently, the TrendLabs Content Security team came across the phishing URL:

http://75.145.112.12/homepage/www.tdfcu.org/index.php

This loads a spoofed Web site that bears a close resemblance to the legitimate TDFCU online login page. The bogus site also lacks SSL security, as indicated by the absence of the lock icon in the status bar and by the plain http:// protocol in its URL.

[Screenshot: tdfcu]

One obvious indication that this is a bogus website is that no attempt has been made to disguise the phishing URL in the address bar, so it is quite easy for a user to determine that the website is not legitimate.

The phishing site also, of course, asks unwitting users for their IDs and passwords. After clicking the login button, the user is redirected to a web page that prompts for further information: Card Holder Name, e-Mail Address, Phone Number, Credit Card Number, Expiration Date, Code Verification Number, and ATM PIN.

[Screenshot: tdfcu2]

Of course, this site is now blocked by Trend Micro’s WCS (Web Classify Server).

Like previous IRS-related phishing cases, this one could be targeting higher-profile individuals, since members may belong to important government institutions (as mentioned at the beginning of this post). The TDFCU reminds its members that it does not send out e-mail requesting that recipients download information onto their computers.

At the legitimate TDFCU website, they advise: “If you receive a request that appears to be from the Treasury Department Federal Credit Union with attachments requesting that you download information to your computer for security, DO NOT DO IT.”

That’s always good advice.

Updated by Mayee Corpin (Technical Communications) & Paul Ferguson (Advanced Threats Research)

Rock Phishers Up the Ante with More ‘Digital Certificates’

April 28th, 2008 by JM Hipolito (Technical Communications)

Our friends from RSA have recently reported on the latest one-two punch employed by the infamous Rock Phish gang (also reported here and here). Best known for their easy-to-use kits that yield professional-looking phishing pages, Rock Phish now also delivers information-stealing malware, dubbed the Zeus Trojan.

This attack is reminiscent of the Bank of America phishing attack, which we reported several days ago, wherein users are prompted to install a “digital certificate” in order to access the bank’s online login page. Incidentally, that phishing page was also a Rock Phish page.

And apparently there were more: Trend Micro Advanced Threats Researcher Paul Ferguson and the TrendLabs Content Security team came across a couple of malicious “certificates” detected as TSPY_PAPRAS.AC and TSPY_PAPRAS.AD. These spyware target Comerica and Colonial banks, respectively.

Below are screenshots of the phishing email and Web page targeting Comerica account holders:

Comerica email

Comerica certificate page

Traditional phishing involves phishers sending out email messages that lead users to a fake Web site resembling login pages of certain institutions or companies. This time they’ve made sure they can get sensitive user information even without getting users to log on to some fake page. They do this by planting a spy in users’ systems so any relevant user action can be transmitted to a remote server. Unprotected users thus stand to lose sensitive information.

This recent development makes it even more important to remind users to be wary of clicking links in email communications, and to keep scanning engines up-to-date.

Additional text by Paul Oliveria

Digital Certificates Not Always a Safety Guarantee

April 17th, 2008 by Aivee Cortez (Anti-spam Engineer)

A digital certificate is an electronic “credit card” that establishes your credentials when doing business or other transactions on the Web. Such certificates are used by many banks for secure online banking.

Unfortunately, hackers and phishers have easily adapted to this security technique.

A recent phishing attack using digital certificates was seen in the Bank of America case. In order to access the Bank of America Direct login page, the client must have a valid digital certificate installed on their personal computer. The URLs, in rockphish form, lead the user to a page asking them to create a certificate or to download the digital certificate. In Internet Explorer, it asks the user to run a Microsoft ActiveX control called “Microsoft Certificate Enrollment Code.”

After running the add-on and filling in the required information, the user is asked to download an .EXE file, sophialite.exe.

This is quite clever. Instead of explicitly displaying a login or confirmation page that is easily verified as phishing, they have turned to the creation of digital certificates, a ploy that can actually convince users to take the bait. Note also that these URLs are in rockphish form; as of now we already have 93 different domains using this technique. All are blocked by WCS (Trend’s Web Classification System for blocking malicious domains and URLs).

Phishers Raise Their Voices

April 2nd, 2008 by Jake Soriano (Technical Communications)

Voice phishing is making some noise of late.

This technique — more popularly (and creatively) known as “vishing” — uses the all-too-familiar spammed email message format as initial bait. Trend Micro antispam researchers discovered the following messages, which again use the IRS as a lure to get users to hand over sensitive information:

This time, however, the striking difference from past phishing emails is that instead of a malicious URL, the message contains a number that users are encouraged to call for information on possible “tax refunds.” An automated voice recording answers queries and asks callers for sensitive information: credit card and social security numbers, for instance.

The timeliness of this attack is evident, as the deadline for filing taxes is nearing. Users may have learned not to trust unknown links; this time Trend Micro advises users to be extra careful in disclosing information even to “customer service” numbers.

Royal Bank of Canada: Phished and Double Phished!

April 2nd, 2008 by Ralph Hernandez (Anti-phishing Engineer)

Trend Micro uncovered another phishing Web site that attempts to steal confidential credit card information.

Below is a screenshot of the Web site:

Phishing Web site screenshot

Using string manipulation, it is able to spoof the official Web site of the Royal Bank of Canada. Note that the said URL contains a variation on the actual domain name (“banking” vs. “bank”) to trick users into thinking that it is the official Web site of the affected bank.

The spoofed URL masks the actual phishing URL by using a certain frame source. This frame source URL is responsible for gathering account-related information, such as credit card numbers and account passwords, from the affected users.

What is interesting about this phishing attack is that when the first frame source URL is blocked, a second frame source is used. The next time the phishing Web site is visited, it already uses another frame source URL. This is clearly a distinct approach in circumventing security restrictions related to phishing attacks.
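As an added example (not code from the original posts), the following Python script applies the indicators described in this post and in the TDFCU post above as a defender-side check: an IP-literal host, a plain http:// URL, a brand domain embedded in the path, a lookalike host that contains the brand name but is not the brand's registered domain, and frame or iframe sources that load the real form from another origin. The brand-to-domain map, the sample page body and the collector host are constructed placeholders, not the institutions' real domains or the phishing site's actual markup.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Brand token -> its legitimate domain (assumed placeholders, not the real ones).
EXPECTED = {"tdfcu": "tdfcu.org", "royalbank": "royalbank.example"}
# Constructed page body: a lookalike site that loads the real form from elsewhere.
SAMPLE_HTML = '<frameset><frame src="http://collector.example.net/login.php"></frameset>'
FRAME_RE = re.compile(r'<i?frame\b[^>]*\ssrc=["\']([^"\']+)', re.I)

def registrable(host):
    # Naive registrable domain: last two labels (no public-suffix list used).
    return ".".join(host.lower().split(".")[-2:])

def url_indicators(url, expected=EXPECTED):
    """Return the URL-level indicators the posts above describe."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    found = []
    if p.scheme != "https":
        found.append("no-https")
    try:
        ipaddress.ip_address(host)
        found.append("ip-literal-host")  # raw IP where a bank domain belongs
    except ValueError:
        pass
    for brand, domain in expected.items():
        if domain in p.path.lower():  # e.g. /www.tdfcu.org/ inside the path
            found.append("brand-in-path:" + brand)
        if brand in host and registrable(host) != domain:
            found.append("lookalike-host:" + brand)  # "banking" vs "bank"
    return found

def scan_page(page_url, html, expected=EXPECTED):
    """Flag the visible URL and every frame source hidden behind it."""
    report = {"page": url_indicators(page_url, expected), "frames": {}}
    page_dom = registrable(urlparse(page_url).hostname or "")
    for src in FRAME_RE.findall(html):
        flags = url_indicators(src, expected)
        if registrable(urlparse(src).hostname or "") != page_dom:
            flags.append("cross-origin-frame")  # form really served from elsewhere
        report["frames"][src] = flags
    return report

if __name__ == "__main__":
    print(url_indicators("http://75.145.112.12/homepage/www.tdfcu.org/index.php"))
    print(scan_page("http://www.royalbanking-secure.example/", SAMPLE_HTML))
```

When a blocked frame source is swapped for a new one, as this post describes, re-running scan_page on the refreshed page surfaces the replacement source under the same cross-origin flag.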

Furthermore, it was determined that the domain used by this phishing Web site is registered for just one year. Dubious indeed, if one considers how a supposedly legitimate Web site intends to operate for such a short term.

As of this writing, Trend Micro customers are protected from this phishing attack, with the said frame sources already blocked by our products, preventing them from redirecting unknowing users to other phishing Web sites.
