For generations, kids all over the world have enjoyed Spot The Difference puzzles, but who says we adults can’t join in the fun? Can you spot the difference between the real banking login page and the phishing attack below?


Not very easy, is it? Let’s look at the source code and see what differences appear there. Well, to be honest, there are very few differences, and most are simply a case of correcting the paths of images/links from the real site so that they still work correctly on the phishing site. For example, in the picture below the red highlighted site is the real one, and the yellow the phishing site:
The truth is the source code is almost identical: the form on the page is submitted to the page itself. In the case of the real bank, this will authenticate and log the user in. In the case of the phishing one - well, let’s just say they are most likely not going to use your details to send you free money.
The only real difference noticeable to the user is in the URL, and even this is very difficult to spot unless you are really looking for it.
Where does this threat come from? It is currently being spammed around by a certain well-known botnet (starts with “S” and ends with “torm”), specifically targeting Australian email accounts. It looks like this page was actually put together by someone outside of the normal Storm group, but they are most likely renting a section of the network. Luckily, Trend Micro automatically protects our customers by blocking the URL with our Web Reputation Services.
One last thing: remember when I said there were virtually no differences between the two page sources? Well, I lied a little bit - check this out (again Red=Real, Yellow=Fake):
When you access the real banking page, a piece of PHP script takes your IP address and stores it as a hidden variable on the page, so the bank can track what IPs people are logging in from. The top IP address is my own from when I accessed the site. The bottom one, however, is the attackers’, from when they downloaded the real page to create their phishing site. They obviously never bothered removing this incriminating evidence (or just did not notice) before putting up the page. However, the IP traces back to a standard ISP in Argentina, and users most likely receive a new IP every time they connect to the network - so the chances of finding the culprits are unfortunately slim.
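The three things worth checking in a suspected clone follow directly from the comparison above: where its login form actually posts, what its hidden inputs contain (a leftover IP address is exactly the kind of leftover evidence described here), and which hosts it pulls images and stylesheets from. The following script is an added example, not Trend Micro's tooling or anything from the original post: it parses both pages with Python's standard library and reports those differences. The two sample pages, their URLs, the IP addresses and the hidden field name `client_ip` are all constructed for the demonstration.

```python
"""Triage helper: compare a suspected phishing clone with the legitimate page.

Added example (not Trend Micro's code). It parses two HTML documents with the
standard library and reports (1) where each form on the suspect page posts,
(2) hidden inputs on the suspect page that carry an IP address, and (3) hosts
the suspect page loads resources from that the real page does not use.
All URLs, page contents, IPs and field names below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import ipaddress


class PageFacts(HTMLParser):
    """Collect form actions, hidden inputs and resource hosts from one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_actions = []       # absolute URLs the page's forms submit to
        self.hidden_inputs = {}      # name -> value for <input type="hidden">
        self.resource_hosts = set()  # hosts referenced by src/href attributes

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action means "submit to this page itself",
            # which is why a copied form silently posts to the clone's host.
            self.form_actions.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_inputs[a.get("name") or ""] = a.get("value") or ""
        for key in ("src", "href"):
            if a.get(key):
                host = urlsplit(urljoin(self.page_url, a[key])).hostname
                if host:
                    self.resource_hosts.add(host)


def page_facts(page_url, html):
    parser = PageFacts(page_url)
    parser.feed(html)
    return parser


def is_ip(value):
    """True if the string is a valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def compare(real_url, real_html, suspect_url, suspect_html):
    """Return a list of human-readable findings about the suspect page."""
    real = page_facts(real_url, real_html)
    suspect = page_facts(suspect_url, suspect_html)
    real_host = urlsplit(real_url).hostname
    findings = []
    for action in suspect.form_actions:
        host = urlsplit(action).hostname
        if host != real_host:
            findings.append(f"form posts to {host}, not {real_host}")
    for name, value in suspect.hidden_inputs.items():
        if is_ip(value):
            findings.append(f"hidden input {name!r} carries IP {value}")
    for host in sorted(suspect.resource_hosts - real.resource_hosts):
        findings.append(f"loads resources from host not used by real page: {host}")
    return findings


# Constructed sample pages (documentation ranges; not real sites or addresses).
REAL_URL = "https://bank.example/login.php"
REAL_HTML = """
<html><head><link rel="stylesheet" href="https://cdn.bank.example/style.css"></head>
<body><img src="/img/logo.png">
<form method="post" action="">
  <input type="hidden" name="client_ip" value="203.0.113.5">
  <input name="user"><input type="password" name="pass">
</form>
<a href="/help">Help</a></body></html>
"""

# The clone keeps the markup, hotlinks the logo from the real site, and still
# carries the IP that the real server baked in when the attacker fetched it.
SUSPECT_URL = "http://bank-login.example.net/login.php"
SUSPECT_HTML = REAL_HTML.replace('src="/img/logo.png"',
                                 'src="https://bank.example/img/logo.png"') \
                        .replace("203.0.113.5", "198.51.100.77")

if __name__ == "__main__":
    for line in compare(REAL_URL, REAL_HTML, SUSPECT_URL, SUSPECT_HTML):
        print(line)
```

Run against the constructed pages it reports that the form posts to `bank-login.example.net` rather than `bank.example`, that the hidden `client_ip` field holds `198.51.100.77`, and that one referenced host does not appear on the real page. Pointing it at a live suspected page is a matter of fetching the two sources first; the parser itself never follows a link.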


