Tuesday, August 16, 2016

Kelihos Botnet sending geo-targeted Desjardins Phish to Canadians

As we mentioned in our blog last week (see: Kelihos botnet sending Panda Zeus to German and UK Banking Customers), the Kelihos botnet is now using "geo-targeting" based on the ccTLD portion of email addresses.  Today, those recipients whose email address ends in ".ca" are receiving a French language spam message advertising one of many Desjardins phishing websites:

[Image: the French-language Desjardins phishing email (left) alongside its Google Translate rendering (right)]
Some of the email subjects being used include:

Subject:  Renouvellement de votre compte Desjardins
Subject:  Solutions en ligne Desjardins
Subject:  Veuillez regulariser votre compte Acces
Subject:  Desjardins Reactivation
Subject:  Reactivation de votre compte AccesD

Each of these URLs is currently resolving to the IP address 5.166.183.135:

  hxxp://client.accesd.com-page-reactivation-4955-accesd-desjardins[.]com/web 
  hxxp://espace.client.accesd.com-page-reactivation-3953-accesd-desjardins[.]com/login 
  hxxp://connection.desjardins.com-page-reactivation-3953-accesd-desjardins[.]com/id 
  hxxp://membre.espace.desjardins.com-page-reactivation-1734-accesd-desjardins[.]com/page
  hxxp://membre.accesd.com-page-reactivation-5354-accesd-desjardins[.]com/enligne
  hxxp://membre.desjardins.com-page-reactivation-5354-accesd-desjardins[.]com/accesd 
  hxxp://espace.client.accesd.com-page-reactivation-1734-accesd-desjardins[.]com/login
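All seven hostnames embed "desjardins.com" or "accesd.com" as labels, but the registrable domain is a throwaway "com-page-reactivation-NNNN-accesd-desjardins.com". The following triage script is an added example, not code from the original post: it refangs the URLs quoted above (embedded here as constructed sample input), pulls out the registrable domain, flags any host that carries a brand token without belonging to the brand's real domain, and collapses the list to the distinct domains worth blocking. The allowlist of one legitimate domain and the "last two labels" approximation of a registrable domain are assumptions for the example; a production tool would use the Public Suffix List and a curated brand allowlist.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the defanged URLs from the post, plus one
# legitimate-looking control entry (also constructed) that must not be flagged.
SAMPLE_URLS = [
    "hxxp://client.accesd.com-page-reactivation-4955-accesd-desjardins[.]com/web",
    "hxxp://espace.client.accesd.com-page-reactivation-3953-accesd-desjardins[.]com/login",
    "hxxp://connection.desjardins.com-page-reactivation-3953-accesd-desjardins[.]com/id",
    "hxxp://membre.espace.desjardins.com-page-reactivation-1734-accesd-desjardins[.]com/page",
    "hxxp://membre.accesd.com-page-reactivation-5354-accesd-desjardins[.]com/enligne",
    "hxxp://membre.desjardins.com-page-reactivation-5354-accesd-desjardins[.]com/accesd",
    "hxxp://espace.client.accesd.com-page-reactivation-1734-accesd-desjardins[.]com/login",
    "hxxps://www.desjardins[.]com/accueil",   # control: genuine domain, not flagged
]

# Assumption for the example: brand tokens to look for, and the only registrable
# domain treated as legitimate. A real deployment would use a curated allowlist.
BRAND_TOKENS = ("desjardins", "accesd")
LEGITIMATE_DOMAINS = {"desjardins.com"}


def refang(url: str) -> str:
    """Undo the hxxp / [.] defanging so urlsplit can parse the URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Adequate for .com; use the Public Suffix
    List for ccTLD second-level suffixes such as .co.uk in real tooling."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(url: str) -> dict:
    """Classify one URL: suspicious if a brand token appears anywhere in the
    host while the registrable domain is not one the brand actually owns."""
    host = urlsplit(refang(url)).hostname or ""
    reg = registrable_domain(host)
    brand_present = any(tok in host for tok in BRAND_TOKENS)
    return {
        "host": host,
        "registrable_domain": reg,
        "suspicious": brand_present and reg not in LEGITIMATE_DOMAINS,
    }


def triage(urls):
    """Summarize a batch: how many were flagged and which domains to block.
    Several distinct hostnames usually collapse to far fewer domains."""
    findings = [analyze(u) for u in urls]
    flagged = [f for f in findings if f["suspicious"]]
    return {
        "flagged": len(flagged),
        "clean": len(findings) - len(flagged),
        "domains_to_block": sorted({f["registrable_domain"] for f in flagged}),
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_URLS)["domains_to_block"]:
        print(line)
```

Run against the sample, the seven phishing URLs reduce to four registrable domains (the 4955, 3953, 1734 and 5354 variants), which is the list to hand to a blocklist or takedown request; the control entry is left alone because its registrable domain is the real one.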


Here is a pictorial walk-through of the phishing website:

We begin by entering a Credit Card number -- it must be a number that passes a Luhn check:


After entering a valid CC#, the next page asks the phishing victim for three security questions and their answers:


And lastly, the phishers try to get any and all possible additional information they can!

Only after entering a valid password and a number that matches the mathematical rules for a Canadian Social Insurance Number does the phisher send the victim to the real Desjardins website!
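The checksum the kit applies to both the card number and the Social Insurance Number is the Luhn (mod 10) algorithm, which Canadian SINs and payment card numbers both use. Recognizing it matters in two places: when an analyst reads a kit's form-validation JavaScript, and when a DLP or proxy rule needs to spot card data being posted to a host like the ones above. The code below is an added example, not from the original post: a Luhn validator, format checks for the two data types the kit demands, and a scanner that pulls Luhn-valid card-length numbers out of a captured form submission. The sample submission is constructed, and the only SIN rule applied is the checksum, since the post does not say which other rules the kit enforces.

```python
import re


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check. Accepts digits with optional spaces or hyphens;
    any other character makes the value invalid."""
    cleaned = re.sub(r"[ -]", "", number)
    if not cleaned.isdigit() or len(cleaned) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold
    # two-digit results back into one (18 -> 9).
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_canadian_sin(value: str) -> bool:
    """Nine digits that pass Luhn. (Only the checksum rule is applied here.)"""
    digits = re.sub(r"[ -]", "", value)
    return len(digits) == 9 and luhn_valid(digits)


def looks_like_card_number(value: str) -> bool:
    """Payment card numbers are 13 to 19 digits and pass Luhn."""
    digits = re.sub(r"[ -]", "", value)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


# Card-length digit runs, allowing the spaces or hyphens people type.
_CARD_RUN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_card_numbers(text: str) -> list:
    """Return normalized, Luhn-valid card-length numbers found in text.
    Useful as a DLP-style check on outbound form posts."""
    found = []
    for match in _CARD_RUN.findall(text):
        digits = re.sub(r"[ -]", "", match)
        if looks_like_card_number(digits) and digits not in found:
            found.append(digits)
    return found


# Constructed sample: a form post of the kind the kit collects. The card number
# is the well-known Visa test value and the SIN is the example used in Canadian
# government documentation; neither belongs to a real person.
SAMPLE_POST = "cc=4111 1111 1111 1111&q1=Montreal&sin=046 454 286&pw=hunter2"

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_POST))
```

Note the asymmetry the scanner relies on: a random 16-digit string passes Luhn only one time in ten, so a Luhn filter cuts false positives sharply, which is exactly why the kit uses it to discard junk submissions and why a detection rule can use it the same way in the other direction.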

Beware, Canadian friends!   And let us hope that our shared victimization increases our mutual law enforcement agencies' desire to stop this botnet!


