This post was authored by Earl Carter.
Attackers are constantly looking for ways to monetize their malicious activity. In many instances this involves targeting user data and accounts. Talos continues to see phishing attacks targeting customers of multiple high profile financial institutions. In the past couple of months, we have observed phishing attacks against various financial customers including credit card companies, banks, credit unions, and insurance companies, as well as online businesses such as Paypal and Amazon. These phishing attacks have gone old-school in that they either attach an HTML document or include HTML data in the actual email to present the user with official looking pages that appear to be from the actual businesses being targeted.
Although many phishing attacks attempt to get the user to open attachments that are designed to load malicious software on the user's system, we have noticed that some attackers have stuck with the basics. Instead of trying to get a user to download or run malicious attachment, these current attackers are simply attaching an HTML document to their phishing emails or including the HTML instructions in the body of the email itself. The following shows the a sample of the realistic phishing attempts that these attackers can generate to trick users into revealing their sensitive information.
Click for Larger ImageThese phishing emails tend to fall into the following two categories:
Messages targeting the first category include the following:
Click for Larger ImageClick for Larger ImageThe second category is interesting in that it seems to take advantage of all of the security compromises being reported in the press. These phishing attempts make it appear that the company is upgrading its security to protect its customers better. A sample email targeting this technique is shown below:
Click for Larger ImageSome of the subject lines observed include the following:
Important Message.
Important Message
Recent Security Update
Unauthorized Access case [Random String]
Suspicious Account Activity Reference [Random String]
Confirm Your Identity
Recent suspicious activity on your online account
Final Notice: Unauthorized Activity on your online account
Your online access has been temporarily suspended
Fraud Protection Alert
Account Review
Account limited
Account Validation
Temporary Limitation
Activity Alert: Important For your Account .
Online-BOFA-Notification
Online-Notification
Monthly Account Online Security Update
Important : Your Recent Activities Requires Security Upgrade
Although these attackers are using a fairly simple approach to fool users, they are not shy about the massive amount of personal information they try to collect from their victims. Each phishing attempt is customized to the fields that each specific financial business uses and the customers are familiar with. To give you an idea of the breadth of information being phished, here is a some of the data that these phishing attacks are trying to get users to divulge:
Userid
Password
ATM PIN
Name
SSN
Mother's Maiden name
Phone Number
Address
Date of Birth
Place Of Birth
Verbal Phone Password
Email Address
Email Address Password
Security Questions and Answers
Credit Card#
Card Expiration Date
CVV2
Bank Account Number
Bank Routing Number
The attachments are named with either something related to the business name or something more generic. Some of the attachment file names included the following:
Confirm your identity.html
<Company Name>_Procedure_Index.html
BOFA-ONLINE-UPDATE#1024886.html
<Company Name>_Security_Alert_Form.html
VerificationRequired.html
Verify_Account.html
verifyform.html
Validation Form.html
Verification Form.html
Online_Security_Update.html
pp_verification.html
<Company Name>.html
<Company Name>_OnlineBanking.html
Validation form.html
<Company Name>-Security Protection Upgrade Form.html
<Company Name>Security Protection Upgrade And Verification Form.html
These HTML forms are even written to make sure that the user enters the correctly formatted information into fields such as the email address and makes sure that important fields like password or PIN are not left blank. Below shows the error checking that one phish did on the email address:
var email =3D document.getElementById('email');
var emailRegEx =3D /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i;
if(email.value.search(emailRegEx) =3D=3D -1){alert('Must enter your =
email address'); email.focus();return false; }
for=3D"defaultaddress1