Quick analysis of a phishing attack

Twice in three days I have received emails purporting to be from ASB and ANZ Bank. Both are New Zealand banks, and the fact that I’ve received two of them clearly indicates that my email address is on a spam database somewhere and geographically tagged New Zealand. Easy enough – my .co.nz domain uses it as the registration address, and it has a New Zealand residential address on it.

I see these all the time, but the execution of this particular attack struck me as unusually slick however, hence the blog post.

The email

The ANZ email subject was “Please remove your Online Banking Limitation! Last warning!”, whereas the ASB email was titled “Online banking suspension warning!”. Both are clearly designed to panic the user into clicking the link and entering their banking details. The ANZ subject has a hint of ESOL and the grammar in the emails is sub-standard, I suspect the origin is a country where English is not the first language.

The first point of interest is the fact that the emails got through to me at all – Google’s spam filtering is second to none. As best I can tell they used hacked legitimate mail servers, and sent the emails one at a time. Below are the headers from the ASB email:

Delivered-To: my@email.com
Received: by 10.100.215.9 with SMTP id n9cs87086ang;
Thu, 17 Mar 2011 16:50:07 -0700 (PDT)
Received: by 10.227.172.193 with SMTP id m1mr389850wbz.201.1300405806261;
Thu, 17 Mar 2011 16:50:06 -0700 (PDT)
Return-Path:
Received: from mars.servers.rbl-mer.misp.co.uk (mars.servers.rbl-mer.misp.co.uk [188.65.116.66])
by mx.google.com with ESMTPS id k6si3701648wbc.86.2011.03.17.16.50.05
(version=TLSv1/SSLv3 cipher=OTHER);
Thu, 17 Mar 2011 16:50:06 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of squiddyc@mars.servers.rbl-mer.misp.co.uk designates 188.65.116.66 as permitted sender) client-ip=188.65.116.66;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of squiddyc@mars.servers.rbl-mer.misp.co.uk designates 188.65.116.66 as permitted sender) smtp.mail=squiddyc@mars.servers.rbl-mer.misp.co.uk
Received: from squiddyc by mars.servers.rbl-mer.misp.co.uk with local (Exim 4.69)
(envelope-from )
id 1Q0MxA-0008N3-F7
for my@email.com; Thu, 17 Mar 2011 23:50:04 +0000
To: my@email.com
Subject: Online banking suspension warning!
From: ASB Bank
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Thu, 17 Mar 2011 23:50:04 +0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mars.servers.rbl-mer.misp.co.uk
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [827 823] / [47 12]
X-AntiAbuse: Sender Address Domain - mars.servers.rbl-mer.misp.co.uk

Basically as close to legitimate as you can get, the only clue is the spoofed “From” header, but this is trivial. The ANZ email came from mail.gpschile.com, which appears to belong to a legitimate company in Chile. Misp.co.uk appears to be owned by UK Webhosting Ltd. Given that these attacks are usually done in a macro fashion, they are probably legitimate mail servers that have been compromised.

Certainly, this is not your run-of-the-mill spam run.

The Link

I’ll use the ANZ email for analysis here as it’s the one still going at the time of writing.

The link from the email points to a server which immediately redirects you to another server as can see in the curl transaction below:

The reason for the redirect is to defeat phishing filters. When a site is reported as a forgery it is almost always going to be the redirected url and not the url from the email because users will click “help > report web forgery” and submit the page from there. This however still leaves the domain in the original link off the black list, so once the site is blocked the attacker is free to redirect to a new domain that is not yet blacklisted, increasing the window of attack for each email that is sent.

This makes the server performing the redirects quite interesting – it is likely that it is owned by the attacker or totally compromised (basically rooted).

The domain was registered by proxy just 7 days ago:

Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
[...]
      Created on: 13-Mar-01
      Expires on: 13-Mar-13
      Last Updated on: 09-Mar-10

The anonymous registration, age of the domain, and lack of evidence of any legitimate use, all support the notion that this machine and the domain name are paid for and controlled by the attackers.


Not much there…

The Site

Next we have the server hosting the phishing site itself. Hard to tell if this is compromised server or not – it appears to be with a dedicated hosting provider called theplanet (now softlayer). The OS and Apache installations seems different from the redirect server, but what is interesting is that mod_auth_passthrough is installed.

I would appear that mod_auth_passthrough is used to pass the authentication details that the user enters through to the bank’s actual web site. I did a test of this (with dummy credentials obviously), and got an error page from the bank. This means that on entering their details correctly, a victim will probably be logged in to the real site, thus they are less likely to be aware that they’ve been phished, and also less likely to phone the bank because they couldn’t log in.

It should also mean that the bank has a clear method of identifying users that have been phished – look through the logs for a referrer (or lack of). The banks could probably help mitigate this particular attack by checking the cookie to make sure that the user actually visited the login page before the credentials were entered, and warn them if they arrived from an unknown login page, or even lock the account immediately.

A screenshot of what you’d see in a web browser is below:

Basically, a copy of the bank’s site as you’d expect.

Summary

This is a well organised and sophisticated attack. The phishers clearly have a whole swathe of compromised domain names, mail servers and web servers under their control in addition to control servers performing redirections. Spam filters and phishing blacklists aren’t doing much to help here, the best defense, as always, is common sense.

I have emailed the owners of all compromised domains that I know of notifying them that their domain is hosting a phishing site. One got back to me about 18 hours later and I notice that the domain now redirects to a helpful page about phishing and how to spot web forgeries. At least that’s one batch of phishing emails that no longer work, but it could have caught a lot of people in 18 hours, and I’ve no reason to doubt that other domains will last longer.

The problem is that the usual response of reporting each site to Google or Microsoft doesn’t really work here. I don’t even know if a redirect server qualifies as a “web forgery” by their definitions. The best way to take them down seems to be talking to the admins of the compromised domains and getting them to remove the fraudulent entries.

Update

12 hours later and it’s still there…

Update 2

Now receiving emails purporting to be from Trademe with an almost identical MO. Either this is an off-the-shelf phishing solution or the group responsible is casting a wide net!

Subjects so far:

  • Please restore your account access!
  • Please restore your account access! Last warning!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.