Anatomy of a phish – how to spot a Man-in-the-Middle attack, and other security tips

Even if you are used to phishing scams, it still pays to take the occasional look at a scam campaign, just to remind yourself not to let your guard down.

So here’s a recent scam in which the crooks are targeting customers of Absa, one of the Big Four banks in South Africa.

The email used in the scam pretends to be a refund from the South African Revenue Service (SARS):

The South African tax year ended on 28 February, so the timing is right, and with the Revenue Service’s eFiling system available this year even from mobile phones, more South Africans than ever will be expecting to deal with the tax office electronically.

Of course, even if you are an Absa customer and expecting a tax refund, you should still be suspicious, not least because your bank won’t send you login links via email.

Banks avoid sending you links to their secure banking sites precisely so they can tell you, “Never click on emailed login links, because they won’t be from us.”

There are other tell-tale scam signs here, too, if you are alert to orthographic (writing and spelling) clues, such as these:

  • The Revenue’s online service is called eFiling, not EFilling.
  • Dates in South Africa are written with the month in the middle, where it jolly well belongs, so 18 April 2013 is 18/04/2013, not 04/18/2013.

Note that you shouldn’t rely on spotting phishing emails and websites only by looking out for errors of this sort, because there is nothing to stop the crooks being careful.

But if you spot something that obviously doesn’t look right, assume the worst.

If you do click the link without thinking, you won’t go to Absa’s website, but instead to a hacked website in Korea.

The server itself isn’t owned by the criminals – it’s just being “borrowed” to provide free IT services for this phish.

The Korean site doesn’t actually host the fake banking pages, but instead simply bounces you, using an HTTP redirect, to a hacked site in the Netherlands, where the fraudulent login process begins.

The visual appearance of the fake pages is professional, largely because the criminals have ripped off Absa’s own HTML and JavaScript code to reproduce the look and feel of the real thing, right down to the virtual keyboard asking for your PIN:

Then you are asked to enter your password:

Note that Absa’s login system usually only asks you for a randomly-selected subset of the characters in your password, as a precaution to stop a crook from learning your entire password from a single login attempt.

This doesn’t improve security enormously, but it does make things harder for a cybercriminal or a shoulder-surfer, and it is a designed-in part of Absa’s login process.

So, take the trouble to familiarise yourself with what your bank advises you to look out for.

In this case, the phishers are greedily asking for your entire password in one shot, presumably so they know all the possible characters for next time; this should be a tell-tale sign that something is wrong.

The next screen asks you to put in the Random Verification Number (RVN) code that Absa sends to your mobile phone as a one-time password:

This should ring alarm bells even more loudly.

Absa specifically documents that the RVN is used only in special cases involving more than simply looking at your balance, which is what the original email was inviting you to do:

When creating a new beneficiary, changing transfer limits, or other kinds of sensitive transactions, a special one-time password, called a Random Verification Number (RVN), will be sent to your cellphone. You must type this into the indicated field for verification. Just before the payment is made, another one-time password will be sent to your cellphone, called a Transaction Verification Number (TVN) to confirm the transaction. These passwords can only be used once, and dramatically decrease the risk of being defrauded.

The only plausible reason you’d be asked for an RVN code when you thought you were just checking your balance is that you aren’t talking to the bank’s real site, but to an imposter site that is attempting a Man-in-the-Middle (MiTM) attack.

The idea is that you perform what you think is an innocent transaction with the bank, while the Man-in-the-Middle commences a simultaneous sensitive transaction with the real banking site – such as telling the bank that you just agreed to pay out money to him.

When the bank asks the Man-in-the-Middle a question he can’t answer, he asks you. And what you tell him, he tells to the bank as if he knew it all along.

You think you’re talking to the bank and asking it to do X, but you’re really talking to the MiTM, who uses the security information innocently submitted by you to ask the bank to do Y.
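To make the relay concrete, here is a small simulation of the attack just described. It is an example added to this article, not code from Absa or from the phishing kit; the bank, the customer, the phone, the codes and the amounts are all constructed for the example, and only the step names (PIN, password, RVN, TVN) come from the article. The imposter site asks the victim for exactly what the real bank asks the imposter for, and the victim, who thinks they are checking a balance, ends up authorising a new beneficiary and a payment.

```python
"""Simulated relay (man-in-the-middle) phish modelled on the flow in the article:
login (PIN + password), an RVN to add a beneficiary, a TVN to confirm a payment.
Bank, customer, phone, codes and amounts are all constructed for this example."""
import secrets


class Phone:
    """The customer's handset: the bank texts one-time codes here."""
    def __init__(self):
        self.inbox = []

    def latest(self, kind):
        # Most recent code of the requested kind ("RVN" or "TVN").
        return next(code for k, code in reversed(self.inbox) if k == kind)


class Bank:
    """Toy banking back end with the documented one-time-code steps."""
    def __init__(self, pin, password, phone, beneficiaries, balance):
        self._pin, self._password, self._phone = pin, password, phone
        self.beneficiaries = set(beneficiaries)
        self.balance = balance
        self._pending = {}      # session -> (kind, code, action to run on success)
        self.payments = []

    def login(self, pin, password):
        if pin != self._pin or password != self._password:
            raise PermissionError("bad credentials")
        return secrets.token_hex(8)         # session token

    def view_balance(self, session):
        return self.balance                 # never needs a one-time code

    def _send_code(self, session, kind, action):
        code = f"{secrets.randbelow(10**6):06d}"
        self._phone.inbox.append((kind, code))
        self._pending[session] = (kind, code, action)
        return kind                         # which code the caller must now supply

    def add_beneficiary(self, session, name):
        return self._send_code(session, "RVN", lambda: self.beneficiaries.add(name))

    def pay(self, session, name, amount):
        if name not in self.beneficiaries:
            raise ValueError("unknown beneficiary")
        def settle():
            self.balance -= amount
            self.payments.append((name, amount))
        return self._send_code(session, "TVN", settle)

    def confirm(self, session, code):
        kind, expected, action = self._pending.pop(session)
        if not secrets.compare_digest(code, expected):
            raise PermissionError(f"wrong {kind}")
        action()
        return True


class PhishSite:
    """The imposter: relays the bank's questions to the victim, and the answers back."""
    def __init__(self, bank, mule, amount):
        self.bank, self.mule, self.amount = bank, mule, amount
        self.prompts = []                   # everything the victim was asked to type

    def ask(self, victim, prompt):
        self.prompts.append(prompt)
        return victim(prompt)

    def serve(self, victim):
        # The victim believes this is a balance enquiry (what the email invited).
        session = self.bank.login(self.ask(victim, "PIN"),
                                  self.ask(victim, "password"))  # whole password
        needed = self.bank.add_beneficiary(session, self.mule)   # bank sends RVN
        self.bank.confirm(session, self.ask(victim, needed))     # victim hands it over
        needed = self.bank.pay(session, self.mule, self.amount)  # bank sends TVN
        self.bank.confirm(session, self.ask(victim, needed))
        return self.bank.view_balance(session)  # show a balance so nothing looks amiss


BALANCE_PROMPTS = {"PIN", "password"}       # all a genuine balance enquiry needs

def unexpected_prompts(prompts):
    """Prompts a balance enquiry should never produce: the article's tell-tale sign."""
    return [p for p in prompts if p not in BALANCE_PROMPTS]

def run_attack():
    phone = Phone()
    bank = Bank("1234", "correct horse", phone, {"Electricity Co"}, balance=1000)

    def victim(prompt):
        # A trusting customer who types in whatever the page asks for.
        secret = {"PIN": "1234", "password": "correct horse"}.get(prompt)
        return secret or phone.latest(prompt)

    phish = PhishSite(bank, mule="Mule Account", amount=750)
    phish.serve(victim)
    return bank, phish
```

Running `run_attack()` leaves the mule account registered as a beneficiary and 750 gone from the balance, while the victim only ever typed answers into what looked like a login page. Note that the one-time codes did their job at the bank’s end: every RVN and TVN was genuine and matched. The defence is not a better code, it is noticing that a balance enquiry never produces those prompts, which is what `unexpected_prompts()` checks.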

This is why it is vital to keep checking, throughout any online banking session, that you are on the bank’s real site.

If you’re an Absa customer, for example, you need to know that Absa’s internet banking site is called https://ib.absa.co.za/, and that it uses HTTPS, or secure HTTP.

Don’t look in the web page itself for “proof” that the site is secure, because the crooks try to fill their fake pages with security reassurances.

In this phish, for example, the first page in the fraudulent login sequence advises you to watch out for phishing scams, and even correctly advises you never to login from links sent via email:

Always look in the address bar (which can’t be directly modified by a web page, only by the browser itself) for the tell-tale HTTPS padlock, and at the site name next to it: the padlock tells you the connection is encrypted, not that the site at the other end is your bank.

In most modern browsers, you can also click on the padlock in the address bar to double-check who owns the secure website:

The identification information in an HTTPS transaction isn’t infallible – it’s a bit like the certification stamp on a certified copy – but if it is wrong or missing, then you can be certain you are being tricked.
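The address-bar check is worth spelling out, because the tricks phishers use to make a wrong address look right are all tricks of URL syntax. The following example is added here and is not Absa’s code; the expected origin is the one the article names, and the sample URLs are constructed to show the common tricks (none of them is a real phishing address). It checks only what is in the address bar, not the certificate, which is the separate padlock step above.

```python
"""Address-bar check: does a URL point at the genuine banking site?
The expected origin is the one named in the article; the check itself is added here."""
from urllib.parse import urlsplit

BANK_SCHEME, BANK_HOST = "https", "ib.absa.co.za"


def is_genuine_bank_url(url):
    """True only for HTTPS URLs whose host is exactly the bank's host.

    urlsplit().hostname gives the real authority part: it lowercases, drops any
    user:pass@ prefix and any :port, so the usual phishing tricks fail here."""
    parts = urlsplit(url)
    return parts.scheme.lower() == BANK_SCHEME and parts.hostname == BANK_HOST


def classify(urls):
    """Map each URL to a verdict, for eyeballing a batch of links."""
    return {u: is_genuine_bank_url(u) for u in urls}


# Constructed examples of the tricks a phisher uses (none are real phishing URLs).
SAMPLE_URLS = [
    "https://ib.absa.co.za/",                   # the real thing
    "https://IB.ABSA.CO.ZA:443/ib/login",       # same site, odd capitalisation and port
    "http://ib.absa.co.za/",                    # right name, no HTTPS
    "https://ib.absa.co.za.example.net/",       # real name used as a subdomain
    "https://ib.absa.co.za@203.0.113.5/",       # real name hidden in the userinfo part
    "https://ib-absa.co.za/",                   # lookalike registrable domain
    "https://example.net/ib.absa.co.za/",       # real name only in the path
]
```

The point of the `hostname` comparison is that the bank’s name must be the whole host, not merely appear somewhere in the address: `ib.absa.co.za.example.net` belongs to `example.net`, and in `ib.absa.co.za@203.0.113.5` the bank’s name is just a username the server ignores. A name that differs by a single non-Latin letter also fails the comparison, which is the right answer even when the browser renders it to look identical.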

Finally, you’re asked for the Transaction Verification Number (TVN):

With your PIN, password and a TVN, the crooks could, at least in theory, pay out money, but only to someone who is already set up as a beneficiary on your account (a person you pay money to).

So they might be able to pay your electricity bill, or send a gift to your mother.

But with a one-time RVN as well, the crooks could, at least in theory, add themselves as a beneficiary first, and then use the TVN to send themselves some of your money.

So always be on your guard.

In this phish, any one of these signs should have been enough to put you off, even if you were an Absa customer awaiting a taxation refund:

  • Orthographic (writing and spelling) errors in email.
  • Clickable link to login page in email.
  • Wrong link, going to a site in Korea.
  • Link redirects to wrong location, going to a site in the Netherlands.
  • Login site not correct for Absa.
  • Login site not encrypted with HTTPS.
  • Non-standard procedure for password entry.
  • Inappropriate request for Random Verification Number (RVN).

If you detect the smell of phish at any point in the process, pull the plug.

The longer you stay “on the hook,” the more security information the crooks will end up getting out of you.