
The unstolen Matrix

Michael
Kaspersky Lab Expert
Posted September 19, 13:52  GMT
Tags: Spam Letters, Internet Banking, Identity Theft

After handling thousands and thousands of phishing emails and web pages, I find they usually no longer reach me in any way or form: they are processed and added to our detection list in what is by now a purely routine task. But recently I got a mail which was different, because it appeared to have been sent from my bank.


Spammers send out huge amounts of such emails over the Internet; in this case one reached the address at which we receive malicious samples, so we didn't need to go searching for anything malicious - it came to us of its own volition. Usually I can spot fake emails because they concern organizations I have no connection to. This time it was different, because it was a bank I actually use: my salary goes there. That gave me a clear insight into how the first stage of social engineering is accomplished. The mail built a kind of 'trusted relation' because it came from 'my bank', and only they know that I am a customer there.

In the past, fake emails like this were often easy to identify due to terrible spelling and/or grammatical mistakes. This time the mail content looked quite convincing, at least at first glance. The Japanese language is incredibly rich and beautiful, with an extensive system for expressing politeness and formality, and some phrases in the email simply lacked the level a well-educated writer would use.

The email had an executable file attached. Its purpose is to steal the passwords and “Transaction Authentication Number” (TAN) of unsuspecting users.
Here is a screen capture of the mail attachment when executed …


And this is a snapshot of a real matrix that has not been stolen. This is mine and the numbers are rendered unreadable so that you cannot retrieve money from my bank account :-).


According to the “Information-technology Promotion Agency Japan” (IPA) and the “Japan Computer Emergency Response Team Coordination Center” (JPCERT), some similar binary files were received and reported by users in Japan. The “Bank of Tokyo-Mitsubishi UFJ” is aware of this malicious activity and posted a warning to its users on 25 August.

Another recent case may be a sign that attacks on Japanese organizations are on the rise. Here is a phishing web page hosted in Poland that was still alive at the time of writing. Besides our Kaspersky Phishing-Popup, the “Opera” browser also warns about the dangers of this site.


We were able to discover the related “Phish-Kit”, a zip archive containing all the files for this threat. The content suggests that the criminal who planted these files might be Romanian. Here are the details:


We can see a Gmail address set as the receiver of the harvested data.

Users of Kaspersky Lab solutions are protected from this threat and, as usual, we would like to remind everybody to be extremely cautious with executing mail attachments of any kind from strangers.


7 comments


fp

2011 Sep 21, 01:09

real address

Hello, I am wondering how it is possible to send from the original domain. In the past I have got phishing emails of an eBay second chance offer with the original eBay domain. I don't understand the technique behind that. Are the domains hacked, could it happen to every domain?


Michael

2011 Sep 21, 06:42

Re: real address

Hello, the visible sender of your received email can quite easily be faked. This is known as "email spoofing". In many cases a deeper check of the email's properties/headers may be helpful.


fp

2011 Sep 21, 10:13

Re: Re: real address

I know about this kind of email address spoofing, but as far as I can remember, at that time I received fake emails that appeared to come from the eBay domain.


fp

2011 Sep 21, 11:07

Fake email header I received apparently from ebay in 2007

This is the spoof mail (it is confirmed to me through ebay email check). Take a look at this header (I have censored my username):

From eBay Member: **** Wed Sep 12 21:51:06 2007
X-Apparently-To: ****@yahoo.com via 206.190.49.34; Wed, 12 Sep 2007 22:51:06 -0700
X-Originating-IP: [66.135.197.14]
Return-Path:
Authentication-Results: mta181.mail.re3.yahoo.com from=ebay.at; domainkeys=pass (ok)
Received: from 66.135.197.14 (EHLO mx16.sjc.ebay.com) (66.135.197.14)
by mta181.mail.re3.yahoo.com with SMTP; Wed, 12 Sep 2007 22:51:06 -0700
Received: from sj-cgi102.sjc.ebay.com (sj-cgi102.sjc.ebay.com [10.6.17.168])
by mx16.sjc.ebay.com (8.13.5/8.13.5) with SMTP id l8D5p5L1030643
for ; Wed, 12 Sep 2007 22:51:06 -0700
DomainKey-Signature: a=rsa-sha1; s=dksm28; d=ebay.at; c=nofws; q=dns;
h=to:from:reply-to:mime-version:content-type:subject:date;
b=SRb5CKY1pZnTFOOTFNqWzWQZtFJToS v5co/Mv+Q5pvDItq+0T9N1Af1jzokI/DlXe
2ys9p/5reGnnWRZRg8QqA==
Message-Id:
To: ****@yahoo.com
From: "eBay Member: ****"
Reply-To: ****@yahoo.com
MIME-Version: 1.0n
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Accepted Payments Policy
Date: Wed, 12 Sep 2007 21:51:06 PDT
Content-Length: 143

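Michael's advice above to look deeper at the headers, applied to a header of the shape fp quoted. This is an added example, not code from the original post: it walks the Received chain oldest hop first, reads Authentication-Results, and flags the things a passing signature does not establish (who wrote the text, where replies go). The sample header, hosts, IPs and domains are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the quoted header: hosts, IPs and domains
# are placeholders (RFC 5737 / .test), not real infrastructure.
RAW = """\
Received: from 192.0.2.10 (EHLO mx.example-auction.test) (192.0.2.10)
  by mta.example-mail.test with SMTP; Wed, 12 Sep 2007 22:51:06 -0700
Received: from cgi01.example-auction.test (cgi01.example-auction.test [10.6.17.168])
  by mx.example-auction.test (8.13.5/8.13.5) with SMTP id abc123
  for <user@example-mail.test>; Wed, 12 Sep 2007 22:51:06 -0700
Authentication-Results: mta.example-mail.test from=example-auction.test; domainkeys=pass (ok)
From: "Member: someone" <member@example-auction.test>
Reply-To: someone-else@example-free.test
To: user@example-mail.test
Subject: Accepted Payments Policy
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def received_hops(msg):
    """(from, by) per hop, oldest first: each MTA prepends, so reverse the list."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def auth_results(msg):
    """method=result pairs from Authentication-Results (e.g. domainkeys=pass)."""
    return dict(re.findall(r"(\w+)=([\w.-]+)", msg.get("Authentication-Results", "")))

def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def header_findings(raw):
    """Summarise what the headers prove and flag what a 'pass' does not cover."""
    msg = message_from_string(raw)
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    hops, auth = received_hops(msg), auth_results(msg)
    findings = []
    # A passing DomainKeys/DKIM result only shows the signing domain relayed
    # the message unchanged; it says nothing about who typed the text.
    if auth.get("domainkeys") == "pass" or auth.get("dkim") == "pass":
        findings.append("signature-pass-for-relay-domain")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-differs")
    if hops and not hops[0][0].lower().endswith(from_dom):
        findings.append("origin-host-not-in-from-domain")
    return {"from_domain": from_dom, "hops": hops, "auth": auth, "findings": findings}
```

Run against a real message, the first hop in `hops` is the one the sending organisation's own servers recorded, which is where the trail should be judged rather than at the visible From: line.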

fp

2011 Sep 21, 14:40

Re: Fake email header I received apparently from ebay in 2007

I just took a look at this header once more and I saw that this appears to come from my username. I also have to say that my eBay account was once compromised. I changed the password after that attack and I didn't notice any suspicious behavior of my account until now.


jw

2013 Jul 04, 17:56

MUFJ's short password limit

Hi Michael,

I'd like to ask what you think of MUFJ's short password limit (8 characters), limited to (if I remember correctly) alphanumeric characters only, that they have imposed since late last year. Having read about what recent GPUs can do regarding password hacking, I'm feeling a bit anxious about MUFJ's security. Do you think they're overconfident?

Cheers
jw


Michael

2013 Oct 12, 07:37

Re: MUFJ's short password limit

Hello jw-san,

Sorry, I am not aware of the policy which you mentioned, imposed last year. My current password also contains non-alphanumeric characters, but still - it would probably take not much longer than one day to 'crack' it (IF MUFG would allow that many login attempts).
