Tuesday, July 29, 2014

SFR phish: the Gateway to all French banks

Back in April we wrote about the French power company EDF being used as a universal phishing lure in Multi-Brand French Phisher uses EDF Group for ID Theft. Since then, those targeting French-speaking victims have adopted yet another large consumer brand as a proxy for the whole French banking sector. This time the phishing lures impersonate the telecom operator SFR.

This phish has been especially popular this year. Malcovery's PhishIQ service has seen more than 1,000 SFR phish hosted on more than 330 hacked servers so far this year, including dozens in July 2014 alone. More importantly, the attackers are growing more sophisticated. The attack described below is one of the most sophisticated phish we have seen to date: the kit performs a "man-in-the-middle" login, testing the victim's SFR credentials against the real site before letting the victim proceed, and then walks the victim through nearly a dozen bank-specific security procedures.

In a typical example, the victim receives an email that appears to come from SFR, informing them that an error was made on their bill ("Ce mail vous a été envoyé dans le but de vous informer qu une erreur est survenue lors de l établissement de la dernière facture" -- This email has been sent to inform you that an error occurred when your last invoice was prepared) and inviting them to "Cliquer ici pour ouvrir le formulaire de remboursement" (Click here to open the refund form). The victim is also warned that failing to complete the form will cost them 95 euros:

Veuillez accepter nos excuses par cette erreur comptable. SFR : Service comptabilité de SFR Toute omission, mauvaise saisie, ou non réponse a ce mail entrainera automatiquement une amputation de la somme de quatre-vingt-quinze (95) euros sur votre compte, et aucune réclamation de sera acceptée.

(Please accept our apologies for this accounting error. SFR: SFR Accounting Department. Any omission, incorrect entry, or failure to reply to this email will automatically result in ninety-five (95) euros being deducted from your account, and no claim will be accepted.)

While there are several versions of the SFR phish, the most sophisticated we have encountered so far is hosted on a British horse enthusiasts' website (obviously hacked). What makes this one particularly compelling is that it begins by requiring the victim to use their true SFR userid and password. On the first screen, the user is told to "Connectez-vous" (Log in) by entering their userid (Identifiant) and password (Mot de passe).

The action of this login form relays the userid and password to SFR's real login and checks whether SFR accepts them. If false information is provided, the phishing victim is shown the message

Vos coordonnées n'ont polo [sic] été reconnues. -- Your details have not been recognized.
Veuillez recommencer. -- Please try again.
Suite à 5 erreurs sur votre mot de passe, -- After 5 errors on your password
votre compte est bloqué. -- Your account will be blocked.

So, with a little incentive not to lie to the criminal, and a fairly strong reason to believe they are really talking to SFR, the victim supplies true login credentials and continues to page two.
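One defensive consequence of this design: because the kit forwards every victim's credentials to the real SFR login, SFR's own authentication log records those attempts, and all of them arrive from the hacked web server rather than from the victims' home connections. The Python below, an added example that is not code from the original post or from Malcovery, shows how such a relay stands out in a server-side login log: one source IP authenticating as many different users inside a short window, typically with a non-browser User-Agent. The log format, field names, thresholds and the sample lines are all constructed for the example.

```python
"""Added example (not from the original post): find a credential-relaying
phishing kit in the *real* site's authentication log.

The kit tests every victim's userid/password against the genuine login before
letting the victim continue, so the genuine site sees one source IP (the
hacked web server) logging in as many different users.  Log format, field
names, thresholds and the sample lines below are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: <timestamp> <src_ip> <username> <OK|FAIL> <user_agent>
# 198.51.100.22 plays the hacked server running the kit; the others are real users.
SAMPLE_LOG = """\
2014-07-28T09:01:12Z 203.0.113.7 jean.dupont FAIL Mozilla/5.0 (Windows NT 6.1) Firefox/30.0
2014-07-28T09:01:40Z 203.0.113.7 jean.dupont OK Mozilla/5.0 (Windows NT 6.1) Firefox/30.0
2014-07-28T09:02:03Z 198.51.100.22 marie.martin OK PHP/5.3.29
2014-07-28T09:04:17Z 198.51.100.22 paul.bernard FAIL PHP/5.3.29
2014-07-28T09:04:29Z 198.51.100.22 paul.bernard OK PHP/5.3.29
2014-07-28T09:09:55Z 198.51.100.22 luc.petit OK PHP/5.3.29
2014-07-28T09:15:08Z 198.51.100.22 anne.robert OK PHP/5.3.29
2014-07-28T09:16:31Z 192.0.2.9 sophie.durand OK Mozilla/5.0 (Macintosh) Safari/537.36
2014-07-28T09:20:44Z 198.51.100.22 nicolas.simon OK PHP/5.3.29
"""

WINDOW = timedelta(minutes=30)   # how long one kit "session" is allowed to span
MIN_DISTINCT_USERS = 4           # more different accounts than one household produces
BROWSER_MARKERS = ("Mozilla/", "Opera/")


def parse_log(text):
    """Return a list of (timestamp, src_ip, username, result, user_agent)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, ua = line.split(maxsplit=4)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result, ua))
    return events


def find_relay_sources(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Map src_ip -> finding for IPs that logged in as >= min_users distinct
    accounts within `window`.  Accounts that got an OK from such an IP are the
    ones whose credentials the kit has already captured and verified."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            previous = findings.get(ip, {}).get("distinct_users", 0)
            if len(users) >= min_users and len(users) > previous:
                non_browser = sum(1 for e in span if not e[4].startswith(BROWSER_MARKERS))
                findings[ip] = {
                    "distinct_users": len(users),
                    "non_browser_ratio": non_browser / len(span),
                    "compromised_accounts": sorted({e[2] for e in span if e[3] == "OK"}),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in find_relay_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The "compromised_accounts" list is the actionable output: those are the customers whose SFR password the kit has verified, and who are about to be asked for their bank details, so they can be contacted and their passwords reset before the bank credentials are used.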

On the second page, the victim is invited to choose their bank from a long list of French banks. Depending on which bank they choose, they will be prompted for appropriate additional verification details used by that bank. Banks on the list include:

  • AXA Banque
  • Banque AGF / Allianz
  • Banque de Savoie
  • Banque Dupuy de Parseval
  • Banque Marze
  • Banque Palatine
  • Banque Populaire
  • Banque Postale
  • Barclays
  • BforBank
  • Binck.fr
  • BNP
  • BNP Paribas La NET Agence
  • Boursorama Banque
  • BPE
  • Caisse d'Epargne
  • CIC
  • Coopabanque
  • Crédit Agricole
  • Crédit Coopératif
  • Crédit du Nord
  • Crédit Mutuel
  • Crédit Mutuel de Bretagne
  • Crédit Mutuel Massif Central
  • Crédit Mutuel Sud-Ouest
  • e.LCL
  • Fortis Banque
  • Fortuneo Banque
  • Groupama Banque
  • HSBC
  • ING Direct
  • LCL
  • Monabanq
  • Société Générale
  • Société Marseillaise de Crédit
  • Autre Banque
Here are some examples of the bank-specific prompts (screenshot captions follow; the images are not reproduced here):

Some banks require the visitor to enter their 3DSecure code

AXA Banque has a custom code for their clients

Banque Postale has security questions, such as:
  • Quel est le prénom de l'aîné(e) de vos cousins et cousines ? -- What is the first name of your eldest cousin?
  • Quel était le prénom de votre meilleur(e) ami(e) d'enfance ? -- What was the first name of your best childhood friend?
  • Quel était votre dessin animé préféré ? -- What was your favourite cartoon?
  • Quel a été votre lieu de vacances préféré durant votre enfance ? -- What was your favourite holiday destination as a child?

Caisse d'Epargne also requires a personalized client code.

Even the "Cyberplus" electronic password generators used by Banque Populaire are included in this phish!

Some banks also ask for the victim's place of birth.
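The bank selector and its follow-on prompts are also what make this page easy to fingerprint: a telecom bill-refund form has no reason to offer a list of thirty French banks next to a password, 3DSecure or client-code field. The Python below, an added example that is not code from the original post or from Malcovery's PhishIQ, scores a fetched page on exactly that combination and shows a look-alike benign page (a bank comparison article) that does not trip it. The bank list, field-name hints, thresholds and both HTML samples are constructed for the example.

```python
"""Added example (not from the original post): fingerprint the bank-selector
page of this kit from its HTML alone.  The bank list, the field-name hints,
the thresholds and both sample pages are constructed for this example."""
from html.parser import HTMLParser

# Lower-cased names matched against <option> text (a subset of the list in the post).
FRENCH_BANKS = {
    "axa banque", "banque populaire", "banque postale", "bforbank", "bnp paribas",
    "boursorama banque", "caisse d'epargne", "cic", "crédit agricole", "crédit mutuel",
    "fortuneo banque", "hsbc", "ing direct", "lcl", "monabanq", "société générale",
}
# Things a bill-refund form has no business asking for.
SENSITIVE_FIELD_HINTS = ("3dsecure", "3d secure", "code client", "mot de passe",
                         "cyberplus", "date de naissance", "lieu de naissance")
MIN_BANKS = 5

# Constructed page mimicking the kit's second screen.
PHISH_HTML = """<html><body>
<h1>SFR - Espace Client - Remboursement</h1>
<form action="traitement.php" method="post">
<select name="banque">
<option>Choisissez votre banque</option>
<option>AXA Banque</option><option>Banque Populaire</option><option>Banque Postale</option>
<option>BNP Paribas</option><option>Caisse d'Epargne</option><option>Crédit Agricole</option>
<option>Crédit Mutuel</option><option>LCL</option><option>Société Générale</option>
<option>Autre Banque</option>
</select>
<input type="text" name="identifiant">
<input type="password" name="mot_de_passe">
<input type="text" name="code_3dsecure" placeholder="Code 3DSecure">
<input type="submit" value="Valider">
</form></body></html>"""

# Constructed benign page: a bank selector, but no SFR branding and no secrets asked.
BENIGN_HTML = """<html><body>
<h1>Comparatif des banques en ligne</h1>
<select name="banque"><option>Boursorama Banque</option><option>ING Direct</option>
<option>Fortuneo Banque</option><option>Monabanq</option><option>BforBank</option></select>
<p>Comparez les frais de tenue de compte.</p>
</body></html>"""


class FormScanner(HTMLParser):
    """Collect <option> texts, <input> fields, form actions and visible text."""

    def __init__(self):
        super().__init__()
        self.options, self.inputs, self.actions, self.text = [], [], [], []
        self._in_option = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input":
            name = (a.get("name") or a.get("placeholder") or "").lower().replace("_", " ")
            self.inputs.append(((a.get("type") or "text").lower(), name))
        elif tag == "option":
            self._in_option = True

    def handle_endtag(self, tag):
        if tag == "option":
            self._in_option = False

    def handle_data(self, data):
        if self._in_option:
            self.options.append(data.strip().lower())
        self.text.append(data.lower())


def score_page(html):
    """Return a verdict dict; 'phish' is True when an SFR-branded page carries a
    multi-bank selector together with a password or bank-secret field."""
    p = FormScanner()
    p.feed(html)
    body = " ".join(p.text)
    banks = sorted({o for o in p.options if o in FRENCH_BANKS})
    hints = [h for h in SENSITIVE_FIELD_HINTS
             if h in body or any(h in name for _, name in p.inputs)]
    has_password = any(t == "password" for t, _ in p.inputs)
    mentions_sfr = "sfr" in body
    return {
        "phish": mentions_sfr and len(banks) >= MIN_BANKS and (has_password or bool(hints)),
        "mentions_sfr": mentions_sfr,
        "banks": banks,
        "has_password": has_password,
        "hints": hints,
        "form_actions": p.actions,   # where the stolen data is POSTed, useful for takedown
    }


if __name__ == "__main__":
    print("kit page  :", score_page(PHISH_HTML))
    print("benign page:", score_page(BENIGN_HTML))
```

The verdict deliberately requires all three ingredients (brand, multi-bank selector, secret-bearing field), because any one of them alone is common on legitimate pages; the form action is returned alongside so that the collecting script on the hacked host can be reported together with the page.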

After acquiring both your SFR userid and password and the information needed to take over your bank account, the criminal sends you on your way with a congratulatory message:
(The update was successful. SFR thanks you for using its Bank Assurance services. You can continue browsing the site with full security.)

After seeing this message briefly, the visitor is forwarded to the true www.SFR.fr website.

1 comment:

  1. Looks like you're still getting spam - even if not quite link spam - a variant. But not 20-30 per day. Now the spammer establishes a Google+ account. Anyway, Gary, keep up the good work. I enjoy keeping up with what you're working on.



Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.