Pierluigi Paganini
August 03, 2014
Phishing is a very prolific business for cybercrime, bad actors are adopting even more sophisticated techniques like the one discovered recently which hit French-speaking computer users, in an attempt to steal their online banking credentials.
The discovery was made by experts at Malcovery Security, this new attack scheme is not a classic direct phishing, which is based on malicious emails which contain links or attacked malware used to deceive victims, instead, the emails purport to be from an entity that isn’t the targeted bank and informs victims that due a billing mistake they have to be refunded to their account.
The fraudsters refer limited quantity of money, as much as €95 or $127, and request victims to provide information on their bank account that will receive the transfer of refunded sums.
A this point victims are redirected to a page where is asking them to provide the above information, the cyber criminals implemented a mechanism to verify the credentials to the third party before allowing the victim to proceed.
Gary Warner from Malcovery Security explained that the third party entity used in this sophisticated phishing attack is SFR, a French telecommunications company that provides phone services (mobile and landline), along with Internet and IP TV products.
“While there are several versions of the SFR phish, the most sophisticated that we have encountered so far can be seen on a British horse enthusiasts website (obviously hacked). What makes this one particularly compelling is that it begins by requiring the victim to be using their true SFR userid and password. On the originating screen, the user is told to “Connectez-vous” by entering his userid (Identifiant) and password (Mot de passe).” is reported in the blog post.
The attack scheme is not new, its improvement is related to the SFR login verification process that is being performed.
According to the researcher the Malcovery’s PhishIQ service has detected more than 1,000 SFR phish on more than 330 hacked servers so far this year, which demonstrate that the technique is largely used by fraudsters.
The SFR provided by the victims are passed to the legitimate SFR to verify if they are valid, in case of incorrect credentials a message is returned to the victims which are allowed no more of 5 attempts before their account would be blocked.
This is pure social engineering to trick users into believe that the company which want to provide the refund is legitimate such as the entire process.
When victims provide valid credentials it is requested them to select from a list of French banks which is their financial institutions, depending on the chosen bank the attackers request the appropriate additional verification information used by the specific bank.
“Depending on which bank they choose, they will be prompted for appropriate additional verification details used by that bank,” states the post.
With this scheme the cyber criminals are collecting all the data required to access the bank account, as explained by the research this is one of the most complex schema seen since now because it involves different technologies and tricks.
“one of the most sophisticated phish we’ve seen to date, employing ‘man-in-the-middle’ logins where SFR credentials are tested before the victim is allowed to proceed, and nearly a dozen customized bank security procedure questions being processed.” Warner said.
Security Affairs – (Phishing, cybercrime)
