Anatomy of a phish - how to spot a Man-in-the-Middle attack, and other security tips

Filed Under: Featured, Phishing

Even if you are used to phishing scams, it still pays to take the occasional look at a scam campaign, just to remind yourself not to let your guard down.

So here's a recent scam in which the crooks are targeting customers of Absa, one of the Big Four banks in South Africa.

The email used in the scam pretends to be a refund from the South African Revenue Service (SARS):

The South African tax year ended on 28 February, so the timing is right, and with the Revenue Service's eFiling system available this year even from mobile phones, more South Africans than ever will be expecting to deal with the tax office electronically.

Of course, even if you are an ABSA customer and expecting a tax refund, you should still be suspicious, not least because your bank won't send you login links via email.

Banks avoid sending you links to their secure banking sites precisely so they can tell you, "Never click on emailed login links, because they won't be from us."

There are other tell-tale scam signs here, too, if you are alert to orthographic (writing and spelling) clues, such as these:

  • The Revenue's online service is called eFiling, not EFilling.
  • Dates in South Africa are written with the month in the middle, where it jolly well belongs, so 18 April 2013 is 18/04/2013, not 04/18/2013.

Note that you shouldn't rely on spotting phishing emails and websites only by looking out for errors of this sort, because there is nothing to stop the crooks being careful.

But if you spot something that obviously doesn't look right, assume the worst.

If you do click the link without thinking, you won't go to Absa's website, but instead to a hacked website in Korea.

The server itself isn't owned by the criminals - it's just being "borrowed" to provide free IT services for this phish.

The Korean site doesn't actually host the fake banking pages, but instead simply bounces you, using an HTTP redirect, to a hacked site in the Netherlands, where the fraudulent login process begins.

The visual appearance of the fake pages is professional, largely because the criminals have ripped off Absa's own HTML and JavaScript code to reproduce the look and feel of the real thing, right down to the virtual keyboard asking for your PIN:

Then you are asked to enter your password:

Note that Absa's login system usually only asks you for a randomly-selected subset of the characters in your password, as a precaution to stop a crook from learning your entire password from a single login attempt.

This doesn't improve security enormously, but it does make things harder for a cybercriminal or a shoulder-surfer, and it is a designed-in part of Absa's login process.

So, take the trouble to familiarise yourself with what your bank advises you to look out for.

In this case, the phishers are greedily asking for your entire password in one shot, presumably so they know all the possible characters for next time; this should be a tell-tale sign that something is wrong.

The next screen asks you to put in the Random Verification Number (RVN) code that Absa sends to your mobile phone as a one-time password:

This should ring alarm bells even more loudly.

Absa specifically documents that the RVN is used only in special cases involving more than simply looking at your balance, which is what the original email was inviting you to do:

When creating a new beneficiary, changing transfer limits, or other kinds of sensitive transactions, a special one-time password, called a Random Verification Number (RVN), will be sent to your cellphone. You must type this into the indicated field for verification. Just before the payment is made, another one-time password will be sent to your cellphone, called a Transaction Verification Number (TVN) to confirm the transaction. These passwords can only be used once, and dramatically decrease the risk of being defrauded.

The only plausible reason you'd be asked for an RVN code when you thought you were just checking your balance is that you aren't talking to the bank's real site, but to an imposter site that is attempting a Man-in-the-Middle (MiTM) attack.

The idea is that you perform what you think is an innocent transaction with the bank, while the Man-in-the-Middle commences a simultaneous sensitive transaction with the real banking site - such as telling the bank that you just agreed to pay out money to him.

When the bank asks the Man-in-the-Middle a question he can't answer, he asks you. And what you tell him, he tells to the bank as if he knew it all along.

You think you're talking to the bank and asking it to do X, but you're really talking to the MiTM, who uses the security information innocently submitted by you to ask the bank to do Y.

This is why it is vital to keep checking, throughout any online banking session, that you are on the bank's real site.

If you're an Absa customer, for example, you need to know that Absa's internet banking site is called, and that it uses HTTPS, or secure HTTP.

Don't look in the web page itself for "proof" that the site is secure, because the crooks try to fill their fake pages with security reassurances.

In this phish, for example, the first page in the fraudulent login sequence advises you to watch out for phishing scams, and even correctly advises you never to login from links sent via email:

Always look in the address bar (which can't be directly modified by a web page, only by the browser itself) for the tell-tale HTTPS padlock.

In most modern browsers, you can also click on the padlock in the address bar to double-check who owns the secure website:

The identification information in an HTTPS transaction isn't infallible - it's a bit like the certification stamp on a certified copy - but if it is wrong or missing, then you can be certain you are being tricked.

Finally, you're asked for the Transaction Verification Number (TVN):

With your PIN, password and a TVN, the crooks could, at least in theory, pay out money, but only to someone who is already setup up as a beneficiary on your account (a person you pay money to).

So they might be able to pay your electricity bill, or send a gift to your mother.

But with a one-time RVN as well, the crooks could, at least in theory, add themselves as a beneficiary first, and then use the TVN to send themselves some of your money.

So always be on your guard.

In this phish, any one of these signs should have been enough to put you off, even if you were an Absa customer awaiting a taxation refund:

  • Orthographic (writing and spelling) errors in email.
  • Clickable link to login page in email.
  • Wrong link, going to a site in Korea.
  • Link redirects to wrong location, going to a site in the Netherlands.
  • Login site not correct for Absa.
  • Login site not encrypted with HTTPS.
  • Non-standard procedure for password entry.
  • Inappropriate request for Random Verification Number (RVN).

If you detect the smell of phish at any point in the process, pull the plug.

The longer you stay "on the hook," the more security information the crooks will end up getting out of you.

, , , , ,

You might like

9 Responses to Anatomy of a phish - how to spot a Man-in-the-Middle attack, and other security tips

  1. Doug · 897 days ago

    Thank you for a well written and detailed article with loads of good advice. Would you consider adding the general advice that unless you specifically interacted with a web site and are expecting an e-mail in response (which will typically arrive immediately), you should never click on a link in an e-mail?

    Assuming the links are malicious rather than trying to detect whether it is a phishing attempt is far better than asking users (especially non-web-savvy ones) to look for warning signs.

    Thanks again, Paul.

  2. WSG · 896 days ago

    One of the telltale signs of a fishing email that I have to browbeat into my clients is that no genuine email will use a generic greeting, such as "Dear customer". If it's not addressed to you in the body of the email using your name, not just your email address (which I see on a daily basis), then you should treat it as suspicious.

    Granted, being properly addressed is no guarantee that the email is legitimate, but the lack of correct personalization is a pretty good indicator that the email is a fake.


    • John · 895 days ago

      'Dear customer' is such a give-away that it should be top of the list. (It's also easier to spot than a non-HTTPS encrypted site for non-technical people to spot.)

    • Paul Ducklin · 895 days ago

      The "Phishing Fraud" warning graphic with the yellow triangle - the one that was ripped by the crooks from Absa's own site - actually mentions that fact, after the "we'll never ask you to click on a link" bullet point show above.

      There wasn't room to include the entire warning graphic :-)

  3. 4caster · 894 days ago

    You write: 'Banks avoid sending you links to their secure banking sites precisely so they can tell you, "Never click on emailed login links, because they won't be from us."'
    But that is not my experience. In the last few days I've received genuine emails from Capital One, Hargreaves Lansdown, American Express, Halifax Share Dealing, Alliance Trust Savings and Nationwide Building Society, all providing links to their online log-in pages. They all quoted my surname, which is a common one that can be deduced from my email address, but apart from this only Nationwide attempted to personalise its email, by showing my postcode.

  4. Nigel · 894 days ago

    Thanks for a superb and eminently useful article!

  5. Phising_idiot · 893 days ago

    Nicely written. Thanks!

  6. md_pepa · 892 days ago

    Unsure if this is in-scope but, could you add advice as to what to do if you do receive these items, or if you have just fallen prey; maybe with some SEO keywords to ensure the message gets out

  7. emeraldogzz · 695 days ago

    Thanks for this article but I am very concerned with MITM that occur with the current updated e-banking mechanisms employed by banks. I mean with the token based authentication. Has there been any thing related to MITM, MITC or MITB recently in this regard?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog