Archive for the ‘Emerging Threats’ Category

Emerging Threat: Please forward your phone number to our Skype number!

Saturday, April 28th, 2007

Phishing scams for banks aren’t really new, but one received last night came with a new twist. The spam e-mail stated:

Bank of America Warning

Dear Bank of America Customer,

During our regular update and verification we could not verify your current
phone number.
Either your information has been changed or it is incomplete.
Please update your phone number by
CLICKING HERE [http://www.xxxxxxx.de/gallery/albums/userpics/boa/] or on the link: http://www.xxxxxxx.de/gallery/albums/userpics/boa/ [http://www.bankofamerica.com/updatephone]

If this is not completed by April 24, 2007, we will be forced to suspend
your account indefinitely.

The domain hosting the scam page was a legitimate site that had been compromised; it was running one of the commonly used photo gallery scripts, and the phishing kit had been dropped into the gallery's user-pictures directory.
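The lure above relies on the classic mail trick of showing one address as link text while the href points somewhere else. As an added example (not code from the original post), the following script walks the anchors in an HTML mail body and flags any link whose visible text names a site different from the one its href actually goes to. The sample message is constructed from the e-mail quoted above; it assumes the visible text was the bankofamerica.com address and the href the compromised .de site. The "site" comparison uses the last two host labels, a deliberate simplification (a production filter would use the Public Suffix List so that hosts under co.uk and similar are compared correctly).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.anchors.append((self._href, visible))
            self._href = None


# A hostname (optionally with scheme) appearing inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def site(host):
    """Approximate registrable domain: last two labels (simplification, no PSL)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_deceptive_links(html):
    """Return anchors whose visible text shows a site other than the href's site."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        m = HOST_IN_TEXT.search(text)
        if not m:
            continue  # plain words like "CLICKING HERE" need a brand-term rule, not this one
        shown_site = site(m.group(1))
        real_host = urlparse(href).hostname or ""
        if real_host and site(real_host) != shown_site:
            findings.append({
                "href": href,
                "text": text,
                "shown_site": shown_site,
                "real_host": real_host,
            })
    return findings


# Constructed sample, adapted from the lure quoted above (the .de path and the
# visible bankofamerica.com text are taken from the post; the HTML framing is assumed).
PHISH_HTML = """<p>Please update your phone number by
<a href="http://www.xxxxxxx.de/gallery/albums/userpics/boa/">CLICKING HERE</a>
or on the link:
<a href="http://www.xxxxxxx.de/gallery/albums/userpics/boa/">http://www.bankofamerica.com/updatephone</a></p>"""


if __name__ == "__main__":
    for hit in find_deceptive_links(PHISH_HTML):
        print(f"visible {hit['shown_site']!r} but href goes to {hit['real_host']!r}: {hit['href']}")
```

The first anchor ("CLICKING HERE") is not caught by this rule, which is why mail filters pair it with a brand-term check (link text or surrounding body mentions the bank while no href touches the bank's domain).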

The scam page started out with an eye-catching demand that the victim forward their phone number to the phisher’s number as part of the ‘verification’ process:

[Image: Phone Forwarding]

There were two versions of the scam page. The first had specific, numbered instructions:

To confirm you phone number please fallow the steps :

Step 1- Go to your phone and Dial *72
Step 2- Dial 707xxxxxxx (Bank of America Secure Line )
Step 3- Your phone is confirmed
You will receive a call from us in 1 h for final verification !

What followed, in both versions, was the 'standard' identity theft form:

[Image: Bofa]

In checking with one carrier, Qwest, the behaviour for a forwarded number is that the phone rings at the source location first; if the call is unanswered after a certain number of rings, it is transferred to the forwarded number.

What the other carriers do is unknown. The obvious concern is that there is no ring at the source location at all and the forwarding occurs immediately, which many tests have shown to be the standard behaviour.

Depending on how long it takes the victim to realize they are no longer receiving inbound calls and to clear the forwarding, the bank is effectively blocked from running fraud checks for suspicious account activity and from reaching the customer to advise them of the identity theft and the need to cancel their cards. From a "cashing out" perspective, if any phone verification is required before the credit card on the account can be used, that verification will succeed, because the call is routed through the forwarded number to the phishers.

The site has been disabled, and the phone number appears to be a SkypeIn number that goes to voicemail.



Top 10 Targeted Banks and Their Losses

Friday, May 26th, 2006

Secure Science Corporation released a graph from its surveillance of a carding forum that stole a minimum of 21,000 credit/debit cards over the past 3 months. The graph highlights the top 10 financial institutions and the amount of loss at each. Under the statute as applied in the 9th Circuit, each card is valued at $500.00 on average, so a conservative estimate is that this one carding forum caused over $10,500,000.00 in loss in 3 months.

[Image: Top 10 Banks]

Phishers Snare Victims With VoIP

Tuesday, April 25th, 2006

The latest phishing tactic moves the threat from the internet to the phone, using easily accessible Voice over IP technology. From TechWeb.com:

A security firm on Tuesday reported discovering a phishing scheme in which the scammers used Internet telephony to copy a bank’s automated voice system in order to steal customers’ passwords, account numbers and other personal information.

In the attack that occurred last week, con artists sent spam disguised as coming from a small bank in a large East Coast city, Cloudmark Inc., a messaging security firm, said. The message asked the recipient to dial a telephone number to talk with a bank representative.

The number went to an automated voice system that asked for an account number and personal identification number, or PIN, in order to access the caller’s finances. The number was obtained through a regular provider of voice over Internet protocol services.

There was no indication that the VoIP provider was aware of the scam, said Cloudmark, which declined to name the company and the spoofed bank.

The incident reflected a mutation in the tactics used by phishers to snare victims. More traditional schemes involve spam asking the recipient to visit their bank’s Web site through a link in the message. At the bogus site, the visitor is asked to input personal information.

The latest scheme, however, is the first Cloudmark has seen using Internet telephony. An investigation by the San Francisco security firm showed that the scammers had used open-source software called Asterisk to convert a computer into a PBX, or private branch exchange, running an automated telephone information system. The voice system sounds exactly like the bank’s phone tree, directing the caller to specific extensions, Adam J. O’Donnell, senior research scientist at Cloudmark, said.


Average of 13,000 Stolen Logins Per Day Per Phishing Group

Monday, April 3rd, 2006

Brian Krebs' SecurityFix blog has an article describing the "real" numbers behind the data theft business. His sample covered a single phishing group's take, and the numbers are striking: over 13,000 logins stolen in one day, including 3,536 credit cards, 255 PayPal accounts, 1,038 eBay accounts, and 2,609 Hotmail accounts.

Recent Haxdoor Distribution Breaks SSL via Pharming

Tuesday, February 14th, 2006

Secure Science Corporation released an advisory on the latest pharming techniques used within malware, which have broken SSL. Chapter 5 of Phishing Exposed, a book by Lance James (who works for Secure Science), demonstrated this technique as an upcoming threat that phishers would take advantage of. The report on how this SSL pharming attack works can be found on the advisories page at Secure Science.

Emerging Threat (Berbew is Back!)

Friday, January 20th, 2006

From the bad ol' days of phishing malware, Berbew (seen mainly in '03 and '04) is back on the scene as both a trojan and a worm. Either some group has made a variant with added complications, or the original authors decided to get back in the scene and add some improvements. This version comes in two main parts: the worm to spread and the trojan to steal. Here is my analysis of this so far:

Thanks to Jose Nazario for the samples!

History:
Drops C:\WINDOWS\system32\Jmlidaek.exe and
C:\WINDOWS\system32\Igikbo32.dll (the DLL appears to be a mere file-handling API).
Registry value set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, IIDGHBEJ
Jmlidaek.exe then drops C:\WINDOWS\system32\IIDGHBEJ.exe

IIDGHBEJ.exe is the worm. It propagates by attempting to log into LAN IPC$ shares over port 445.
It appears to bind an HTTP server to port 80 on the victim and tell the other computers to fetch the payload from the previous victim.
The worm scans the 10.x, 172.x and 192.x private address ranges.

The boot.sys file sets a new registry value:
HKLM\SYSTEM\ControlSet001\Control\Session Manager, PendingFileRenameOperations

If a user logs into a bank such as bankofamerica.com, the trojan (Jmlidaek.exe) writes a file to the system such as C:\WINDOWS\system32\datkkq32.dll, which holds the logged data in this format (the URL of the submitted page, then hex-indexed index:field:value triples for the form data, then the visible page text):

http://www.bankofamerica.com/ 0:ui_mode:question
5:Current_Passcode:234234234234 8:from:homepage 9:Customer_Type:CA
A:pmbutton:false E:id:******* F:rembme:Y 10:pc:******* 11:state:CA
12:country:null
13:links:https://boaccn.fnfismd.com/bankofamerica/ccn/ccnlogin.asp
14:links:/deposits/checksave/index.cfm?template=check_acct_choices
15:links:https://www.bankofamerica.com/deposits/checkorder/
16:searchCustom__passThrough:true 18:country:USA
19:mapAndList:mapAndList 1E:searchCustom__locationType:BANKINGCENTERS
1F:searchCustom__locationType:ATM |
SearchSearch | |Enter Online ID:|Save this online
ID|Enter Passcode:|Account in: the following geographical location|Sign
In | Service My Mortgage Online Investing Future Scholar
Military Bank OnlineGo |Open an Account| Checking
Accounts Savings Accounts CDs Credit Cards Mortgages Home
EquityGo |Account Services| Reorder Checks Set up direct
deposit Request a Check Card Link accounts Change Address Change Phone
NumberGo | |Address: |City: |or |ZIP Code: |Banking
CentersATMs |Go|More Location Search Options
https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller
0:Access_ID:question 1:reason:reset_request_ca
3:reason:create_passcode_ca 5:reason:resetid_request_ca
7:Customer_Type:CA 8:INVALID_ID_COUNTER:1 9:portal:CA
A:server_check:false B:state:CA E:Cache:******* F:pmbutton:false
10:Access_ID:******* 11:rembme:Y 12:Current_Passcode:null
| | | |
|Enter Online ID:|(5 - 25 numbers and/or letters)|(5 - 25 numbers and/or
letters)| Save this online ID (How does this work?) |Enter Passcode:|(4
- 12 numbers and/or letters)|(4 - 12 numbers and/or letters)|Sign In
|Reset passcode |Forgot or need help with your ID?

This is consistent with the Berbew log data (pslogs.txt) Secure Science saw in '03 and '04.
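The capture file format above is simple enough to parse, and an incident responder handling an infected host wants exactly two things from it: which sites and accounts were captured, and a redacted view that can go into a ticket without copying the passcode along. As an added example, not code from the original post, the following parser reads a record as a URL followed by hex-indexed index:name:value tokens and then free page text, handles values that themselves contain colons or URLs (the links fields), and separates fields whose values were masked from those holding a real captured value. The sample log is adapted (shortened) from the dump above; the list of sensitive field names is an assumption drawn from that dump.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One captured form field: "<hex index>:<field name>:<value>", e.g. "5:Current_Passcode:234234234234".
# The value is matched greedily so that "13:links:https://host/path" keeps its embedded colons.
FIELD_RE = re.compile(r"^([0-9A-Fa-f]{1,2}):([A-Za-z_][A-Za-z0-9_]*):(.*)$")
URL_RE = re.compile(r"^https?://\S+$")

# Field names that carry credentials or account identifiers (assumed, based on the dump above).
SENSITIVE = {"current_passcode", "access_id", "id", "pc", "cache"}


@dataclass
class Capture:
    url: Optional[str]                                     # page the form was submitted to
    fields: List[Tuple[int, str, str]] = field(default_factory=list)  # (index, name, value) in log order
    page_text: List[str] = field(default_factory=list)     # the "|"-separated visible page text


def parse_berbew_log(text: str) -> List[Capture]:
    """Split a Berbew-style capture dump into one Capture per submitted page."""
    records: List[Capture] = []
    current: Optional[Capture] = None
    for token in text.split():
        m = FIELD_RE.match(token)
        if m:
            if current is None:           # fields before any URL: tolerate a truncated dump
                current = Capture(url=None)
                records.append(current)
            current.fields.append((int(m.group(1), 16), m.group(2), m.group(3)))
        elif URL_RE.match(token):         # a bare URL starts the next record
            current = Capture(url=token)
            records.append(current)
        elif current is not None:
            current.page_text.append(token)
    return records


def captured_credentials(rec: Capture) -> List[Tuple[str, str]]:
    """Sensitive fields that hold an actual value (not already masked with '*', not 'null')."""
    return [
        (name, value)
        for _, name, value in rec.fields
        if name.lower() in SENSITIVE and value.strip("*") and value != "null"
    ]


def redact(rec: Capture) -> dict:
    """Ticket-safe view: every sensitive value replaced, everything else kept verbatim."""
    fields = {}
    for idx, name, value in rec.fields:
        fields[f"{idx:X}:{name}"] = "<redacted>" if name.lower() in SENSITIVE else value
    return {"url": rec.url, "fields": fields}


# Constructed sample, shortened from the dump in the post above.
SAMPLE_LOG = """http://www.bankofamerica.com/ 0:ui_mode:question
5:Current_Passcode:234234234234 8:from:homepage 9:Customer_Type:CA
A:pmbutton:false E:id:******* F:rembme:Y 10:pc:******* 11:state:CA
13:links:https://boaccn.fnfismd.com/bankofamerica/ccn/ccnlogin.asp
1F:searchCustom__locationType:ATM |
SearchSearch | |Enter Online ID:|Save this online ID|Enter Passcode:|Sign In
https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller
0:Access_ID:question 1:reason:reset_request_ca E:Cache:*******
10:Access_ID:******* 11:rembme:Y 12:Current_Passcode:null
|Enter Online ID:|(5 - 25 numbers and/or letters)|Sign In
"""


if __name__ == "__main__":
    for rec in parse_berbew_log(SAMPLE_LOG):
        print(rec.url, "captured:", [name for name, _ in captured_credentials(rec)])
        print("  redacted:", redact(rec)["fields"])
```

Indices are hexadecimal in the dump (A, E, F, 10, 1E, 1F), so they are converted with base 16; the same field name can appear twice with different indices (Access_ID at 0 and 10 in the second record), which is why fields are kept as an ordered list rather than a dict.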

The blind drop appears to be down, but this malware was trying to POST requests to www.vtb.ru/wcef.php

The dropped files appear to be packed with UPX and are trivially unpacked.

Please let me know if there is anything else you guys want detailed on this.

-Lance James