Monday, February 17, 2014

Interac Phishers try their hand at IRS

Last week Malcovery Security had an interesting phish show up claiming to be related to the IRS. This one turns out to be a great example of the (activate 1940 horror movie narrator voice) The POWER OF CROSS BRAND INTELLIGENCE (/activate). Here's what the website looked like:


Phish from: bursafotograf.com / profiles / interac / RP.do.htm

In this phish, the "big idea" is that you can escalate your IRS Tax Refund if you specify which bank you would like the refund to be deposited into. When you click the bank's logo, you are taken to a phishing site for that brand and asked to provide your Userid and Password, which are then emailed to the phisher. Here's an example of the page you would see if you clicked on the Regions Bank logo (graphic courtesy of PhishTank submission 2254700.)

Things get quite fascinating though when we hide the graphics:

Why would an IRS phish have ALT TEXT including for four of the largest Canadian banks? By looking at the source code for the phishing page, we see that this is a very lightly rebranded Interac phish: First, the website Title is "INTERAC e-Transfer" ...

INTERAC is a very interesting money transfer system used in Canada that allows anyone to send money to anyone else simply by using either their email address or cell phone text messaging service. A Transaction code is texted/emailed from the payer to the recipient, allowing the recipient to login to the Interac service and choose what account, and what bank, they would like to receive the funds into.

The phish has some Javascript at the top that includes variables like "var provinceList = new Array ("Alberta", "British Columbia", "New Brunswick", "Newfoundland and Labrador", "Nova Scotia", "Ontario", "Prince Edward Island", "Saskatchewan");" and a pull down menu with options "Select Institution", "Select Province or Territory" and "Select Credit Union."

As we continue into the table of graphics, we see that the phisher has changed his graphics and links to refer to the American banks, with code such as: 

href = chasecustomerprofile
img src = chasecustomerprofile/css/images/chaseNew.gif .... but with "alt=CIBC"

href = navy/index.htm
img src = imgs/nfculogo.png  .... but with "alt=President's Choice Financial"

href = suntrust
img src = imgs/suntrust.png  .... but iwth "alt = RBC Royal Bank"

etc . . .

Phishing Cross-Brand Intelligence

It seems fairly clear that we should be able to find more phishing sites that used the original Interac code, and of course we can in the Malcovery PhishIQ system.

Here is a phish that was seen on June 21, 2013 on the website freevalwritings.com / wp / interacsessions / RP.do.htm

And another first seen on May 28, 2013 on the website anglaisacote.com / interac / RP.do.htm (note the common path on both of these that matches the current IRS phish = "interac/RP.do.htm" RP.do.htm is used on the REAL Interac website.

Phishing & Spam Cross-Brand Intelligence

An interesting thing about phishing emails that differentiates them from standard spam. While normal spam is often sent via botnets, phishing emails tend to be sent from the same IP address over a period of time. When we use Malcovery PhishIQ to examine the IRS version of the Interac phish, which attempts to steal money from Bank of America, Chase Bank, Navy Federal Credit Union, SunTrust, Regions Bank, Wells Fargo, USAA, and Citi, we see that the originally advertised URL was actually "130.13.122.25 / irsjspmessageKey-IG09210358i /". That URL forwarded visitors to the website "ernursusleme.com / Connections / irsonlinedeposit /" which then forwarded the visitors to "bursafotograf.com / profiles / interac / RP.do.htm" which is where the screenshot at the top of this article was captured.

So, to find spam messages related to this phish, it seems reasonable to search the Malcovery Spam Data Mine for emails that advertised URLs on 130.13.122.25.

We found two sets of spam messages that advertised URLs on that host in our spam collection. One batch from January 8, 2014 and the other batch from January 28th and January 29th, 2014.

The January 28th and January 29th emails claimed to be from "From: USAA (USAA.Web.Services@customer.usaa.com)" with an email subject of "New Insurance Document Online".

Two of the emails were sent from 122.3.92.116 (Philippines) and one email was sent from 70.166.118.54 (Cox). What other emails were sent from those IP addresses?

Here are the emails from 122.3.92.116

Date: Subject: From NameFrom Email
Dec 13, 2013Your account has been limited until we hear from youservice@ intl.paypal.comsurvey.research-3086@ satisfactionsurvey.com
Dec 13, 2013Your account has been limited until we hear from youservice@ intl.paypal.comsurvey.research-3086@ satisfactionsurvey.com
Dec 14, 2013Your account has been limited until we hear from youservice@ intl.paypal.comsurvey.research-3086@ satisfactionsurvey.com
Dec 16, 2013Confirmation - personal information updateUSAAUSAA.Web.Services@ customermail.usaa.com
Dec 18, 2013INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Dec 18, 2013INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Dec 18, 2013INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Dec 23, 2013INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Dec 30, 2013INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Dec 31, 2013INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Dec 31, 2013INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Dec 31, 2013INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Jan 5, 2014Notification of Limited Account AccessPayPalPayPal@ abuse.epayments.com
Jan 7, 2014Canada Tax send you an INTERAC e-Transfernotify@ payments.interac.canotify@ payments.interac.ca
Jan 7, 2014Canada Tax send you an INTERAC e-Transfernotify@ payments.interac.canotify@ payments.interac.ca
Jan 7, 2014Canada Tax send you an INTERAC e-Transfernotify@ payments.interac.canotify@ payments.interac.ca
Jan 8, 2014View Your USAA Document OnlineUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 8, 2014View Your USAA Document OnlineUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 8, 2014View Your USAA Document OnlineUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 8, 2014View Your USAA Document OnlineUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 8, 2014View Your USAA Document OnlineUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 8, 2014View Your USAA Document OnlineUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 8, 2014View Your USAA Document OnlineUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 17, 2014Canada Tax send you an INTERAC e-Transfernotify@ payments.interac.canotify@ payments.interac.ca
Jan 17, 2014Canada Tax send you an INTERAC e-Transfernotify@ payments.interac.canotify@ payments.interac.ca
Jan 17, 2014Canada Tax send you an INTERAC e-Transfernotify@ payments.interac.canotify@ payments.interac.ca
Jan 17, 2014Canada Tax send you an INTERAC e-Transfernotify@ payments.interac.canotify@ payments.interac.ca
Jan 17, 2014Canada Tax send you an INTERAC e-Transfernotify@ payments.interac.canotify@ payments.interac.ca
Jan 17, 2014Canada Tax send you an INTERAC e-Transfernotify@ payments.interac.canotify@ payments.interac.ca
Jan 17, 2014Canada Tax send you an INTERAC e-Transfernotify@ payments.interac.canotify@ payments.interac.ca
Jan 17, 2014Canada Tax send you an INTERAC e-Transfernotify@ payments.interac.canotify@ payments.interac.ca
Jan 17, 2014Canada Tax send you an INTERAC e-Transfernotify@ payments.interac.canotify@ payments.interac.ca
Jan 19, 2014Your dispute has been ended 01/20/2014: Get your money backPayPalpaypal.feedback@ email.com
Jan 19, 2014Your dispute has been ended 01/20/2014: Get your money backPayPalpaypal.feedback@ email.com
Jan 20, 2014View and Sign Your USAA Insurance PolicyUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 20, 2014View and Sign Your USAA Insurance PolicyUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 20, 2014View and Sign Your USAA Insurance PolicyUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 20, 2014View and Sign Your USAA Insurance PolicyUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 20, 2014View and Sign Your USAA Insurance PolicyUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 21, 2014View and Sign Your USAA Insurance PolicyUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 21, 2014View and Sign Your USAA Insurance PolicyUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 21, 2014View and Sign Your USAA Insurance PolicyUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 21, 2014View and Sign Your USAA Insurance PolicyUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 21, 2014Your dispute has been ended 01/20/2014: Get your money backPayPalpaypal.feedback@ email.com
Jan 28, 2014New Insurance Document OnlineUSAAUSAA.Web.Services@ customermail.usaa.com
Jan 28, 2014New Insurance Document OnlineUSAAUSAA.Web.Services@ customermail.usaa.com
Feb 8, 2014Canada Revenue send you an INTERAC e-TransferTD Canada Trustnotify@ payments.interac.ca
And here are the emails from 70.166.118.54

Date: Subject: From NameFrom Email
Jan 29, 2014New Insurance Document OnlineUSAAUSAA.Web.Services@customermail.usaa.com
Feb 3, 2014INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Feb 3, 2014INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Feb 3, 2014INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Feb 3, 2014INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Feb 3, 2014INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Feb 3, 2014INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Feb 4, 2014INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Feb 4, 2014INTERAC e-Transfer Receivednotify@ payments.interac.canotify@ payments.interac.ca
Feb 8, 2014Canada Revenue send you an INTERAC e-TransferRBC Royal Banknotify@ payments.interac.ca
Feb 9, 2014Canada Revenue send you an INTERAC e-TransferRBC Royal Banknotify@ payments.interac.ca
Feb 11, 2014Wells Fargo ATM/Debit Card Expires SoonWells Fargo Onlinealerts@ notify.wellsfargo.com
Feb 11, 2014Wells Fargo ATM/Debit Card Expires SoonWells Fargo Onlinealerts@ notify.wellsfargo.com

The Power of Cross-Brand Intelligence

To summarize, we started with a new IRS phish, and through some comparisons in the Phishing and Spam Data Mines, ended with phish for USAA, PayPal, Wells Fargo, and Interac all being linked together. Investigators interested in learning more are encouraged to reach out!

Posted by Gary Warner at 10:26 AM
Labels: , ,

1 comment:

  1. Glen S.R.Woytuck2:02 AM

    If it's that easy to find where these emails are originating, why can't our government (or whomever is in control of blocking websites) just block these IP's from sending email into Canada (or USA) and from being accessed from here? If the Chinese can block Facebook, (as does my employer) how hard can it be for a country to block a KNOWN criminal IP?

    ReplyDelete

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.

Subscribe to: Post Comments (Atom)