Linkless Italian phishers quote Shakespeare in an attempt to defeat security products


Millions of Italian people carry Postepay cards.

The pre-paid rechargeable cards, distributed by Poste Italiane, are frequently used to make internet purchases.

And that's why Italian computer users should be on their guard against a criminal email campaign that has been spammed out, designed to steal usernames and passwords that would give hackers access to Postepay users' accounts.

At first glance, recipients may think the email looks harmless enough. The sender's address leads people to believe it is a notification from Postepay, and the subject line says that it is the final notification to activate a new service.

Italian phishing email

From: "Servizi Informativi" <PostePay@Poste.it>
Subject: Ultima notifica da noi, attivare il nuovo sistema
Attached file: Cliente.html

The lack of a link in the email may even trick some recipients into believing that the email can't possibly be a phishing attack, and lead them to blindly open the attachment.

If they make that mistake they *will* find that their web browser opens the genuine Poste Italiane website - but an iFrame injected by the attached file also displays a pop-up (hosted on a UK pet supply website) that poses as a credible-looking request for a username and password:

Phishing

It's all too easy to imagine that many people who saw such a login screen would be duped into believing that it was genuine, and enter their login credentials without thinking twice.

Shakespeare-loving spammers?

What makes this attack a little more interesting is how the spammers behind it have chosen the famous "To Be Or Not To Be" soliloquy from Shakespeare's Hamlet as a "hash buster".

Hash busters are random sections of text or sequences of characters which can be added to a file in order to change the ultimate file's checksum.

In the examples seen by SophosLabs, the HTML file has been adapted to incorporate what is probably one of the world's most famous speeches - but sadly for anyone hoping to enjoy the great Bard's use of iambic pentameter the attackers use a CSS trick to ensure it does not get displayed:

<p style="display: none">
To be, or not to be: that is the question:
Whether 'tis nobler in the mind to suffer The slings and arrows of outrageous fortune, Or to take arms against a sea of troubles, And by opposing end them? To die: to sleep; No more; and by a sleep to say we end The heart-ache and the thousand natural shocks That flesh is heir to, 'tis a consummation Devoutly to be wish'd. To die, to sleep; To sleep: perchance to dream: ay, there's the rub; For in that sleep of death what dreams may come When we have shuffled off this mortal coil, Must give us pause: there's the respect That makes calamity of so long life; For who would bear the whips and scorns of time, The oppressor's wrong, the proud man's contumely, The pangs of despised love, the law's delay, The insolence of office and the spurns That patient merit of the unworthy takes, When he himself might his quietus make With a bare bodkin? who would fardels bear, To grunt and sweat under a weary life, But that the dread of something after death, The undiscover'd country from whose bourn No traveller returns, puzzles the will And makes us rather bear those ills we have Than fly to others that we know not of?
Thus conscience does make cowards of us all; And thus the native hue of resolution Is sicklied o'er with the pale cast of thought, And enterprises of great pith and moment With this regard their currents turn awry, And lose the name of action. - Soft you now!
The fair Ophelia! Nymph, in thy orisons
Be all my sins remember'd.
</p>

Sorry cybercriminals - that isn't enough to defeat sophisticated security products. Sophos products block the HTML file attached to the email as Troj/Ifrin-A (If you're curious, the name comes from "iFrame injection").
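One way a scanner can look past a hash buster of this kind, shown as an added example (it is not code from the original article, and not how Sophos products work): hash the attachment's visible structure after dropping `display: none` subtrees, so that two copies differing only in hidden filler collapse to the same digest. The sample HTML, the `login.example.invalid` address and the names `VisibleSkeleton` and `analyse` are constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no end tag
HIDDEN = re.compile(r"display\s*:\s*none", re.I)

class VisibleSkeleton(HTMLParser):
    """Records tags, src attributes and text, skipping display:none subtrees."""
    def __init__(self):
        super().__init__()
        self.parts, self.hidden_chars, self.depth = [], 0, 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in VOID:
            if not self.depth:
                self.parts.append(f"<{tag} {attrs.get('src') or ''}>")
        elif self.depth or HIDDEN.search(attrs.get("style") or ""):
            self.depth += 1  # entering, or nested inside, a hidden element
        else:
            self.parts.append(f"<{tag} {attrs.get('src') or ''}>")

    def handle_endtag(self, tag):
        if tag not in VOID and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        text = " ".join(data.split())
        if self.depth:
            self.hidden_chars += len(text)  # size of the suspected filler
        elif text:
            self.parts.append(text)

def analyse(html):
    """Return the exact digest, a filler-insensitive digest and hidden text size."""
    parser = VisibleSkeleton()
    parser.feed(html)
    parser.close()
    skeleton = "\n".join(parser.parts).encode()
    return {"sha256": hashlib.sha256(html.encode()).hexdigest(),
            "normalised": hashlib.sha256(skeleton).hexdigest(),
            "hidden_chars": parser.hidden_chars}

# Constructed samples: same visible page, different hidden filler.
TEMPLATE = ('<html><body><p style="display: none">{filler}</p>'
            '<iframe src="https://login.example.invalid/form"></iframe>'
            '<p>Accedi</p></body></html>')
SAMPLE_A = TEMPLATE.format(filler="To be, or not to be: that is the question:")
SAMPLE_B = TEMPLATE.format(filler="The fair Ophelia! Nymph, in thy orisons")
```

The two samples have different SHA-256 values but the same normalised digest, and a large `hidden_chars` count in an HTML attachment is itself worth flagging. The depth tracking assumes hidden elements are properly closed, so treat it as a heuristic rather than a full CSS evaluation.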

Attacks like this are, once again, reminders for all of us to be careful about what email attachments we open on our computers - even if the email appears to come from an organisation that you regularly do business with.

Thanks to SophosLabs researcher Andrew O'Donnell for his assistance with this article.

Image of Hamlet and skull courtesy of Shutterstock.


2 Responses to Linkless Italian phishers quote Shakespeare in an attempt to defeat security products

  1. Nigel · 506 days ago

    Forsooth, I would fain NOT beclick such wretched fardels, and heap contumelies upon the phishulous knaves who bear such ills.

  2. Lorenzo · 503 days ago

    Simple phishing, but funny.
    Btw "Ultima notifica da noi" isn't completely correct in Italian. Sounds like a translation made with Google Translate.
    Greetings from an Italian lurker! :)


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.