After having handled thousands and thousands of phishing emails/webpages, they usually don’t actually reach me in any way or form. They are processed and added to our detection list in what is now a merely routine task. But recently I got a mail which was different because it appeared to be sent from my bank.
Spammers send out huge amounts of such emails over the Internet. In this case it reached our address that receives malicious samples. So we didn’t need to go and search for any maliciousness - it came to us of its own volition. Usually I can spot fake emails because they concern organizations which I have no connection to. But this time it was different because it was a bank that I actually use. My salary goes there and I got a clear insight into how the first stage of social engineering is accomplished. It built a kind of ‘trusted relation’ because it came from ‘my bank’ and only they know that I am a customer there.
In the past, fake emails like this were often easy to identify due to the terrible spelling and/or grammatical mistakes. But this time the mail content looked quite convincing, at least at first glance. The Japanese language is incredibly rich and beautiful because it consists of an extensive system to express politeness and formality. Some phrases in the email simply lacked the level of a well-educated writer.
The email had an executable file attached.
Its purpose is to steal the passwords and “Transaction Authentication Number” (TAN) of unsuspecting users.
Here is a screen capture of the mail attachment when executed …
And this is a snapshot of a real matrix that has not been stolen. This is mine and the numbers are rendered unreadable so that you cannot retrieve money from my bank account :-).
According to the “Information-technology Promotion Agency Japan” (IPA) and the “Japan Computer Emergency Response Team Coordination Center” (JPCERT), some similar binary files were received and reported by users in Japan. The “Bank of Tokyo-Mitsubishi UFJ” is aware of this malicious activity and posted a warning to its users on 25 August.
Another recent case may be a sign that attacks on Japanese organizations are on the rise. Here is a phishing web page hosted in Poland that was still alive at the time of writing. Besides our Kaspersky Phishing-Popup, the “Opera” browser also warns about the dangers of this site.
We were able to discover the related “Phish-Kit”, a zip archive containing all the files for this threat. The content suggests that the criminal who planted these files might be Romanian. Here are the details:
We can see a Gmail address set as the receiver of the harvested data.
Users of Kaspersky Lab solutions are protected from this threat and, as usual, we would like to remind everybody to be extremely cautious with executing mail attachments of any kind from strangers.
2011 Sep 21, 01:09
Hello, I am wondering how is it possible to send from the original domain. In the past I have got phishing emails of ebay second chance offer with original ebay domain. I don't understand the technique behind that. Are the domains hacked, could it happen to every domain?
Re: real address
Hello, the visible sender of your received email can quite easily be faked. This is known as "email spoofing". In many cases a deeper check of the email's properties/headers may be helpful.
Re: Re: real address
I know for this kind of email address spoofing, but as I can remember in that time I received fake emails that appeared that come from ebay domain.
2011 Sep 21, 11:07
Fake email header I received apparently from ebay in 2007
This is the spoof mail (it is confirmed to me through ebay email check). Take a look at this header (I have censored my username):
Re: Fake email header I received apparently from ebay in 2007
I just took a look at this header once more time and I saw that this appear to come from my username. I have also to say that my ebay account was once compromissed. I change the password from that attack and I didnt notice until now suspicious behavior of my account.