Tuesday, July 29, 2014

SFR phish: the Gateway to all French banks

Back in April, we wrote about the French power company, EDF, being used as a universal phishing target in our article, Multi-Brand French Phisher uses EDF Group for ID Theft. Since that time we are seeing that those targeting French speaking victims are choosing yet another large utility to serve as proxy for all of the French banking world. This time the phishing lures are for SFR.

This phish has been especially popular this year. Malcovery's PhishIQ service has seen more than 1,000 SFR phish on more than 330 hacked servers so far this year, including dozens just in the month of July 2014. More importantly though, the attackers are growing more sophisticated! The attack described below is one of the most sophisticated phish we've seen to date, employing "man-in-the-middle" logins where SFR credentials are tested before the victim is allowed to proceed, and nearly a dozen customized bank security procedure questions being processed.

In a typical example of these phish, the victim receives an email that appears to be from SFR informing them that an error was made in their bill, "Ce mail vous a été envoyé dans le but de vous informer qu une erreur est survenue lors de l établissement de la dernière facture" and to "Cliquer ici pour ouvrir le formulaire de remboursement" (Click here to open the refund form). The victim is also warned that they need to fill out the form completely, or they won't get their refund (in some cases 95 Euros!):

Veuillez accepter nos excuses par cette erreur comptable. SFR : Service comptabilité de SFR Toute omission, mauvaise saisie, ou non réponse a ce mail entrainera automatiquement une amputation de la somme de quatre-vingt-quinze (95) euros sur votre compte, et aucune réclamation de sera acceptée.

While there are several versions of the SFR phish, the most sophisticated that we have encountered so far can be seen on a British horse enthusiasts website (obviously hacked). What makes this one particularly compelling is that it begins by requiring the victim to be using their true SFR userid and password. On the originating screen, the user is told to "Connectez-vous" by entering his userid (Identifiant) and password (Mot de passe).

The Action of this form of the phishing site actually passes the userid and password to SFR and confirms whether or not a true identifier has been used. If false information is provided, the phishing victim receives a message back informing him that

Vos coordonnées n'ont polo été reconnues. -- Your details have not been recognized.
Veuillez recommencer. -- Please try again.
Suite à 5 erreurs sur votre mot de passe, -- After 5 errors on your password
votre compte est bloqué. -- Your account will be blocked.

So, with a little incentive to not lie to the criminal, and a fairly strong reason to believe they are really speaking with SFR, the victim continues to page two after providing true login credentials.

On the second page, the victim is invited to choose their bank from a long list of French banks. Depending on which bank they choose, they will be prompted for appropriate additional verification details used by that bank. Banks on the list include:

  • AXA Banque
  • Banque AGF / Allianz
  • Banque de Savoie
  • Banque Dupuy de Parseval
  • Banque Marze
  • Banque Palatine
  • Banque Populaire
  • Banque Postale
  • Barclays
  • BforBank
  • Binck.fr
  • BNP
  • BNP Paribas La NET Agence
  • Boursorama Banque
  • BPE
  • Caisse d'Epargne
  • CIC
  • Coopabanque
  • Crédit Agricole
  • Crédit Cooperatif
  • Crédit du Nord
  • Crédit Mutuel
  • Crédit Mutuel de Bretagne
  • Crédit Mutuel Massif Central
  • Crédit Mutuel Sud-Ouest
  • e.LCL
  • Fortis Banque
  • Fortuneo Banque
  • Groupama Banque
  • HSBC
  • ING Direct
  • LCL
  • Monabanq
  • Societe Generale
  • Société Marseillaisle de Crédit
  • Autre Banque
Here are some examples: (Click on any image to enlarge)

Some banks require the visitor to enter their 3DSecure code

AXA Banque has a custom code for their clients

Banque Postale has security questions, such as:
  • Quel est le prénom de l'aîné(e) de vos cousins et cousines ?
  • Quel était le prénom de votre meilleur(e) ami(e) d'enfance ?
  • Quel était votre dessin animé préféré ?
  • Quel a été votre lieu de vacances préféré durant votre enfance ?

Caisse d'Epargne also provides a personalized Client code.

Even the "Cyberplus" electronic password generators used by Banque Populaire are included in this phish!

Some banks also require information about the victim's birthplace

After successfully acquiring both your SFR.com userid and password, and the necessary information to take over the bank account of the phishing victim, the criminal sends you on your way, after congratulating you on your success!
(The update was successful. SFR thanks you for using its Bank Assurance services. You can continue browsing the site with full security.)

After seeing this message briefly, the visitor is forwarded to the true www.SFR.fr website.

Tuesday, July 15, 2014

.pif files, Polish spam from Orange, and Tiny Banker (Tinba)

Tonight I was looking at my Twitter feed and saw @SCMagazine talking about ZBerp. It was actually a tweet back to a story from July 11th where Danielle Walker wrote ZBerp Evolves: Spreads through Phishing Campaign which was actually quoting the July 7th story from WebSense Labs, where Elad Sharf wrote Zeus PIF: The Evolving Strain Looking to Defeat Your Security Software. I thought that sounded interesting, so I went over to the Malcovery Security systems to see what the malware team had done with .PIF files recently.

.PIF files are like those organs we are said to have for some reason that are not necessary in these modern times. If you still remember the pain of migrating from DOS 5.0 to Windows 3.0, you will remember that we had .PIF files because DOS binaries did not have all the niceties of Windows programs, such as embedded icons and a place to store the default start-up path. Back when Ugg the Caveman was discovering fire and Bill Gates was leading a development team, you could make your DOS Executables APPEAR to be Windows files by sticking a .PIF file of the same name in the same directory. Windows knew that it should associate the .PIF file with the .EXE or .COM file of the same name, and suddenly we had icons! Of course the malware authors have done some sneaky things with this in the past. When Sality was a young pup, browsing a directory that contained the ".pif" format of Sality was enough to get Windows to execute the malware -- because "Active Desktop" knew that if it saw a .PIF file, it should load it so it would know what graphical icon to associate with which programs in the directory listing. Unfortunately, that was all Sality needed to launch itself! So many people were victimized thinking that the AUTORUN=OFF on their thumb drive had failed without realizing it was just what .PIF files did back then.

So, this morning in the Malcovery Spam Data Mine we saw 1,440 copies of a spam message claiming to be from "orange.pl" with the subject "MMS-ie" and a 70,390 byte .zip file with a randomly numbered IMG#####.zip filename. The .ZIP file contained a 126,976 byte .PIF file that was named "IMG875002763.JPEG.pif" and had an MD5 hash of d382068a8666914584d0ae51dd162c6b. When I just checked the file a few minutes ago on VirusTotal, thinking I would see various Zeus-related malware names based on the SCMag / WebSense articles, I was surprised to see that the file was actually TinBa or "Tiny Banker"!

Late last week I was one of the many folks trying to get a friend to get me a copy of the Tinba source code that had been leaked, as Peter Kruse over at CSIS told us on July 10, 2014 (See Tinba/Hunterz source code published. Peter shared a talk The Hunterz Inside Tinba at the recent Cyber Threat Summit, and, with Trend Micro's Robert McArdle and Feike Hacquebord, released a paper called "W32.Tinba, The Turkish Incident" (a 24-page PDF that gives great insights into the malware family).

Tinba: The Polish Incident

If the earlier paper was called "The Turkish Incident", perhaps the current version should be called "The Polish Incident". Here is the email that was distributed so prolifically this morning:

Jeżeli Twój telefon nie obsługuje wiadomości multimedialnych, możesz je wysyłać i odbierać korzystając ze Skrzynki MMS lub Albumu MMS. Wystarczy, że zalogujesz się na www.orange.pl. O każdym otrzymanym na skrzynkę MMS-ie powiadomimy Cię E-mail.

Jeśli odbiorca wiadomości nie ma telefonu z obsługą MMS będzie mógł ją odebrać logując się w portalu www.orange.pl, a następnie wybierając Multi Box i zakładkę MMS. Wiadomości multimedialne możesz też wysyłać na dowolny adres e-mail.

In case you aren't as fluent in Polish as the rest of us, here is how Google Translate renders that:

If your phone does not support multimedia messages, you can send and receive using the Crates MMS or MMS Album. Simply log on www.orange.pl. For each received in an MMS message box will send you e-mail. If the recipient of the message does not have MMS-capable phone will be able to pick it up by logging into the portal www.orange.pl, and then select Multi Box and MMS tab. Multimedia messages can also be sent to any e-mail.
The spam from Monday, July 14th, was Tinba spam according to VirusTotal. Late this evening (about 18 hours after the spam campaign) VirusTotal reported a (25 of 53) detection rate.

The spam from July 11th was also in Polish, and also imitated Orange, although this time the sender was Orange.com. There was a .zip file attached, which contained a file named "DKT_Faktura_indywidualna_2014_07_11_R.pdf.pif" which was 102,400 bytes in size and had an MD5 hash of da9330aa6d275ba28954b88ecf27dedb. The .zip file was 70,323 bytes with MD5 hash of fc1e0a665f99b347e424281a8a6a2526. The spam from July 11th was also Tinba spam, according to many vendors at VirusTotal. But the email body was much simpler. The message, still in Polish, was:


Przesyłamy fakturę Telekomunikacji Polskiej w wersji elektronicznej za czerwiec 2014.


We send an invoice Polish Telecom in the electronic version for June 2014.

But of course it was more malware, disquised as an invoice but actually a .pif file.

The current detection at VirusTotal for that campaign is 33 of 53 detections.

Unlike the Turkish Incident, where Tinba was being dropped by the Blackhole Exploit Kit, in the current spam, Tinba is directly attached to the email message.

Sunday, July 13, 2014

Urgent Court Notice from GreenWinick Lawyers delivers malware

I spent some time yesterday in the Malcovery Security Spam Data Mine looking at the E-Z Pass malware campaign. The ASProx spammers behind that campaign have moved on to Court Notice again . . .

Subjects like these:

  • Hearing of your case in Court No#
  • Notice of appearance
  • Notice of appearance in court No#
  • Notice to Appear
  • Notice to Appear in Court
  • Notice to appear in court No#
  • Urgent court notice
  • Urgent court Notice No#
(All of the subjects that have "No#" are followed by a four digit integer.)

(click to enlarge)

As normal, the spammers for these "Court Appearance" spam campaigns have just grabbed an innocent law firm to imitate. No indication of any real problem at Green Winick, but I sure wish one or more of these abused law firms would step up and file a "John Doe" lawsuit against these spammers so we could get some civil discovery going on!

These are the same criminals who have Previously imitated other law firms including Jones Day (jonesday.com), Latham Watkins (lw.com), Hogan Lovells (hoganlovells.com), McDermitt, Will & Emery (wme.com), and many more! Come on! Let's go get these spammers and the malware authors that pay them!

We've seen 88 destination hosts between July 10th and this morning (list below) but it is likely there are many more!

When malware spammers use malicious links in their email instead of attachments, they tend to have a much better success rate if they deliver unique URLs for every recipient. That is what is happening in this case, and what always happens in these ASProx / Kuluoz spam campaigns. An encoded pseudo-directory is used in the path portion of the URL, which is combined with rotating through hundreds of 'pre-compromised' websites to host their malicious content.

Four patterns in the path portion of the URL are better indicators as we believe there will be MANY more destination hosts.

  • tmp/api/…STUFF…=/notice
  • components/api/…STUFF…=/notice
  • wp-content/api/…STUFF…=/notice
  • capitulo/components/api/…STUFF...=/notice
where "...STUFF..." is an encoding that we believe is related to the original recipient's email address, but have been unable to confirm at this time.

http:// arhiconigroup.com / wp-content / api / pwCYg4Ac5gk0WlQIVFEkRSPGL2E7vZhP8Qh4LMGbbAk= /notice

(to protect the spam donor, the pwCYg... string above has been slightly altered. If you want to work on de-coding, let me know and I'm happy to provide a couple hundred non-altered strings.)

Just like with last week's E-Z Pass spam campaign, visiting the destination website results in a uniquely geo-coded drop .zip file that contains a .exe file.

As an example, when downloading from my home in Birmingham Alabama where my zip code is 35242, the copy I received was named:


which contained

Notice_Birmingham_35242.exe, which is icon'ed in such a way that it appears to be a Microsoft Word document.

The MD5 of my '.exe' was: 5c255479cb9283fea75284c68afeb7d4

The VirusTotal report for my .exe is here:

VirusTotal Report (7 of 53 detects)

Extra credit points to Kaspersky and Norman for useful and accurate naming !

Kaspersky = Net-Worm.Win32.Aspxor.bpyb
Norman = Kuluoz.EP

Each of the 88 destination websites that we observed was likely compromised to host the malware. We do not believe these are necessarily "Bad Websites" but they either have a vulnerability or have had the webmaster credentials stolen by criminals.

If these are YOUR website - look for one of those directories I mentioned ...