In the last week criminals have made attacks on customers of many of the UK’s largest banks and brokerages, attempting to persuade them to reveal their account’s username, password and other authenticating information. The attack is a “verification” mail with a forged source address containing a URL that appears to belong to the recipient’s bank or brokerage.
Users of collaborative spam detection systems such as Vipul’s Razor are quite well protected against these fraudulent mail attacks, as early recipients of the message will report it, and subsequent recipients will not even see the message in their normal mail routine.
However, the steadily increasing numbers of well-heeled but technically unsophisticated people making use of internet banking are greatly at risk from this type of attack. Although the mail below is aimed at Barclays customers, similar mails targeting the customers of National Westminster, the Halifax Bank and the brokerage T D Waterhouse have been reported during the past week, and every bank and brokerage can reasonably expect that their own customers will be targeted, as the potential of emptying out large numbers of people’s bank accounts is so attractive to criminals. The fact that some banks have taken their sites offline may indicate that they are seeing a volume of suspicious withdrawals.
Note the “@” sign in the target URL in the mail below. A browser treats everything before the “@” as a username rather than as part of the hostname, so the server actually contacted is dodif4f.mail333.com, and barclays.co.uk:ac=Plgu66G0byxP9N8fDxcC is a username known to that server. dodif4f.mail333.com currently resolves to a server hosted in Moscow.
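The following is an added example (not code from the article or from Netcraft) of how a mail filter can apply the point above: parse each link, take the host that a browser would really connect to (the part after the last “@” in the authority), and flag links where the bank’s name is used as a decoy in the userinfo, in a subdomain label or in the path while the real host is not the bank’s. The message body, the bank domain list, the path “/verify.php” and the host “secure-check.example” are constructed for the example; the first link reproduces the URL quoted in the article.

```python
import re
from urllib.parse import urlsplit

# Domains the recipient's bank legitimately uses (constructed list for this example).
BANK_DOMAINS = ("barclays.co.uk",)

# Constructed sample message body. The first link follows the pattern the article
# describes: bank-looking text before "@", the real server after it. The path and
# the third host are placeholders invented for this example.
SAMPLE_BODY = """Dear Member, please verify your details at
http://barclays.co.uk:ac=Plgu66G0byxP9N8fDxcC@dodif4f.mail333.com/verify.php
or visit https://www.barclays.co.uk/help for assistance.
Mirror: http://barclays.co.uk.secure-check.example/login
"""

# Deliberately simple link extractor: enough for plain-text mail bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def real_host(url):
    """Host the browser will actually connect to: the part of the authority
    after the last '@', with any port stripped and lower-cased."""
    return (urlsplit(url).hostname or "").lower()

def belongs_to(host, domains):
    """True if host is one of the bank's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def classify_link(url, domains=BANK_DOMAINS):
    """Return the real host, any userinfo, and a list of reasons to distrust the link."""
    parts = urlsplit(url)
    host = real_host(url)
    flags = []
    # Credentials in the authority are almost never legitimate in a bank mail.
    if parts.username is not None or "@" in parts.netloc:
        flags.append("userinfo_in_authority")
    if not belongs_to(host, domains):
        flags.append("host_not_bank")
        # Bank name used as a decoy in the userinfo, a subdomain label or the path.
        decoy = (parts.netloc + parts.path).lower()
        if any(d in decoy for d in domains):
            flags.append("bank_name_as_decoy")
    return {"url": url, "host": host, "username": parts.username, "flags": flags}

def scan_message(body, domains=BANK_DOMAINS):
    """Classify every link found in a message body."""
    return [classify_link(u, domains) for u in URL_RE.findall(body)]

def suspicious_links(body, domains=BANK_DOMAINS):
    """Only the links that raised at least one flag."""
    return [r for r in scan_message(body, domains) if r["flags"]]

if __name__ == "__main__":
    for r in scan_message(SAMPLE_BODY):
        print(r["host"], r["flags"], r["url"])
```

Run against the sample body, the first link is reported with its real host dodif4f.mail333.com and the username barclays.co.uk, the genuine www.barclays.co.uk link raises no flag, and the look-alike subdomain is caught by the decoy check. The same logic can be dropped into a mail gateway or used to generate the reports that feed a collaborative filter.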
Date: Sun, 26 Oct 2003 17:44:48 +0000
Subject: Barclays E-mail Verification: email@example.com
To: Vlee firstname.lastname@example.org
Reply-To: Verification email@example.com
Sender: Verification firstname.lastname@example.org

Dear Barclays Bank Member,

This email was sent by the Barclays server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your Barclays Membership number, passcode and memorable word. This is done for your protection — because some of our members no longer have access to their email addresses and we must verify it.

To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.
Thank you for using Barclays!
This automatic email sent to: email@example.com
Do not reply to this email.
The hosting location of sites involved in financial scams varies considerably. It is quite common to find carding and phishing sites hosted in the former Iron Curtain countries. However, it is also common for fraudsters to rent dedicated servers at well known US hosting locations using stolen credit cards, run a scam until the server is detected and shut down, and then start again with a new dedicated server in another location. Recently, Brian McWilliams described a scenario whereby very large numbers of Windows machines are used as a black economy caching system for criminal sites, to mask the location of the ultimate server.
Dedicated server companies are usually prompt in taking servers offline as soon as a report of this type is received, but connectivity providers either seem less willing to deny routing to hosting locations that host fraud operations, or perhaps receive less information about the problems. Telia, the leading Swedish telco, is still providing routing for the Russian hosting location of the fraudulent site over a week after the attack started.
% traceroute dodif4f.mail333.com
traceroute to hosting.mail333.com (22.214.171.124), 64 hops max, 44 byte packets
 1 treenwood (126.96.36.199) 2.105 ms 3.277 ms 3.133 ms
 2 a4-1-0.287.ac-4.msl.as5388.net (188.8.131.52)
 3 ge1-0.5.pbr-1.msl.as5388.net (184.108.40.206)
 4 220.127.116.11 (18.104.22.168)
 5 London-i2.telia.net (22.214.171.124)
 6 ldn-bb2-pos5-2-0.telia.net (126.96.36.199)
 7 kbn-bb2-pos3-1-0.telia.net (188.8.131.52)
 8 s-bb2-pos7-0-0.telia.net (184.108.40.206)
 9 s-b3-pos4-0.telia.net (220.127.116.11)
10 mtu-intel2-100352-s-b3.c.telia.net (18.104.22.168)
11 M9-FeX.core.mtu.ru (22.214.171.124)
12 Rbk-m9-MTUInform-GW.mtu.ru (126.96.36.199)
Through the content Netcraft retrieves during the Web Server Survey, Netcraft can alert banks to domain names or page content that may form part of attempts to deceive their customers, and through our application testing services can audit banks’ own web applications for design errors and erroneous functionality.