Friday, April 11, 2014

Phishers, Framesets, and Grocery Surveys

Like most criminals (or, let's face it, most programmers), phishers are lazy. They like to be able to create one website and have it live for an extended period of time. Unfortunately for them, victim companies either smash new phishing sites as fast as they can, or they hire companies to do it for them. At Malcovery Security we concentrate on INTELLIGENCE rather than takedown, so our focus is on understanding what the sites can teach us about the criminal behind the attack, and how the many attacks against your brand are related to each other and to attacks against other brands.

A friend of ours shared a link to a website today that was imitating Centra, a convenience and grocery chain throughout Ireland.

The accompanying spam message promises that they will pay us 150 Euros just for taking their survey!

For the convenience of the consumer, rather than having to wait for a check (cheque) in the mail, you can just enter all of your Credit Card information, and your Date of Birth and some other personal details, and they'll deposit the money right into your credit account!

As we looked at the log files, we found an interesting fact. NONE of the more than 900 visitors to the website had visited the site DIRECTLY. They were all being referred from other URLs. This is our indicator that the spam messages did NOT contain a link to the domain shown above. Instead, they were pointing at websites with Chinese domain names!

...
[10/Apr/2014:01:06:08 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:07:46 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:07:52 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:08:28 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:08:51 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:09:14 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:09:24 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:09:28 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:09:42 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:09:45 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:09:55 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:10:27 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:10:31 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html

...

[11/Apr/2014:00:46:22 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:00:58:02 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:06:46 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:16:22 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:18:38 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:18:48 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:23:23 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:25:27 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[11/Apr/2014:01:25:49 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
...

When we look at the websites on "asp.sti.com.cn" and "www.jctz.cn" we see that both of them actually consist ONLY of a "FrameSet" that sends us to the location of the CENTRA phish:

The logs ALSO reveal that another brand is being hosted on the same server!

...
[10/Apr/2014:05:19:16 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:20:03 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:20:09 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:28:47 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:30:31 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:37:56 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:48:45 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:50:27 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:53:44 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:57:39 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
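
The two log excerpts above make the same point twice: every hit arrives with a referrer, the referrers share one path (/Bonibon/HausSurvey.html) across several Chinese hosts, and a second landing path (/texc/) on the same server belongs to a different brand. The script below is an added example (not part of the original post, and not Malcovery's tooling) that automates that reading of the logs. It parses lines in the abbreviated "[timestamp METHOD path referrer" form used in the post, counts direct versus referred visits, and groups referrer hosts by landing path; the log lines embedded in it are a constructed sample, and a "-" referrer is assumed to mark a direct visit.

```python
"""Added example: summarise referrer pivots from access-log excerpts in the
abbreviated format used in the post. The log text below is a constructed
sample, not the real log; "-" as referrer is assumed to mean a direct visit."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in the post's format: "[timestamp METHOD path referrer".
SAMPLE_LOG = """\
[10/Apr/2014:01:06:08 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[10/Apr/2014:01:07:46 GET /Centra/centra/ http://asp.sti.com.cn/Bonibon/HausSurvey.html
[11/Apr/2014:00:46:22 GET /Centra/centra/ http://www.jctz.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:19:16 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:20:03 GET /texc/ http://mnks.1039.cn/Bonibon/HausSurvey.html
[10/Apr/2014:05:21:00 GET /wps/woolworths/ -
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<referrer>\S+)$"
)


def parse_line(line):
    """Return the fields of one abbreviated log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(log_text):
    """Count direct vs. referred hits, map each landing path (one per brand) to
    the referrer hosts feeding it, and count the referrer paths seen."""
    direct = 0
    referred = 0
    hosts_by_path = defaultdict(Counter)
    referrer_paths = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ref = rec["referrer"]
        if ref == "-":
            direct += 1
            continue
        referred += 1
        parts = urlsplit(ref)
        hosts_by_path[rec["path"]][parts.netloc] += 1
        referrer_paths[parts.path] += 1
    return {
        "direct": direct,
        "referred": referred,
        "hosts_by_path": {p: dict(c) for p, c in hosts_by_path.items()},
        "referrer_paths": dict(referrer_paths),
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    print(f"direct={summary['direct']} referred={summary['referred']}")
    for path, hosts in summary["hosts_by_path"].items():
        print(path, "<-", hosts)
    print("referrer paths:", summary["referrer_paths"])
```

A zero or near-zero direct count is the signal the post relies on: the spam did not carry the landing domain. The referrer-path counter is the linking indicator; one path reused on every pivot host is what ties the Centra and Tesco kits to the same operator.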

Since most of my time in the UK is spent running dawn to dusk in meetings, Tesco, with a store on every street corner in London, is the only shop I've actually ever bought anything in. The phishers have correctly updated their currency to use Pounds instead of Euros ("TESCO Supermarkets will add £150 credit to your account just for taking part in our quick survey."), but other than that, this is the same phish!

And, as with the other, the URL actually advertised in the spam campaign is hosted in China and simply loads the content through a Frame SRC = .
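
The redirector pages described for both brands have the same shape: no content of their own, just a frameset whose single frame pulls the phish from another host. The following is an added example (not code from the post or from the pages it describes) of how a defender triaging a reported URL can flag that shape automatically, using only the standard library. The two HTML documents and the hostnames in it are constructed samples.

```python
"""Added example: flag an HTML page that is nothing but a frameset whose one
frame loads content from a different host. Sample pages and hostnames below
are constructed, not the real redirectors."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a redirector page of the kind the post describes.
REDIRECTOR_PAGE = """<html><head><title>Survey</title></head>
<frameset rows="100%,*" frameborder="0">
  <frame src="http://phish-host.example/Centra/centra/" scrolling="auto">
  <noframes>Your browser does not support frames.</noframes>
</frameset></html>"""

# Constructed sample: an ordinary page that merely embeds a same-host frame.
ORDINARY_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://www.example.com/widget.html"></iframe>
<p>Some real content here.</p></body></html>"""

_SKIPPED = ("script", "style", "noframes", "title")


class FrameCollector(HTMLParser):
    """Collect frame/iframe sources and note whether any visible text exists."""

    def __init__(self):
        super().__init__()
        self.frame_srcs = []
        self.has_frameset = False
        self.visible_text = False
        self._skip_depth = 0  # >0 while inside script/style/noframes/title

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "frameset":
            self.has_frameset = True
        elif tag in ("frame", "iframe") and attrs.get("src"):
            self.frame_srcs.append(attrs["src"])
        elif tag in _SKIPPED:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in _SKIPPED and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if self._skip_depth == 0 and data.strip():
            self.visible_text = True


def frameset_redirect_target(html, page_url):
    """Return the off-host frame target when `html` is a frameset-only page
    whose single frame points at another host; otherwise return None."""
    p = FrameCollector()
    p.feed(html)
    p.close()
    if not p.has_frameset or p.visible_text or len(p.frame_srcs) != 1:
        return None
    src = p.frame_srcs[0]
    src_host = urlsplit(src).netloc.lower()
    page_host = urlsplit(page_url).netloc.lower()
    if src_host and src_host != page_host:
        return src
    return None


if __name__ == "__main__":
    print(frameset_redirect_target(REDIRECTOR_PAGE, "http://redirector.example/Bonibon/HausSurvey.html"))
    print(frameset_redirect_target(ORDINARY_PAGE, "http://www.example.com/"))
```

The returned frame target is the host that actually serves the phish, which is where takedown requests and log analysis should be directed; the redirector domain itself tells you only where the spam pointed.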

Remnants in the logs make it seem likely that this phisher has also targeted Woolworths (many 404 messages in the very early part of the phish for paths containing /wps/woolworths/). It is very likely that this is a throw-back to the Woolworths phish from 2012. (Woolworths is a food chain in Australia; they got so many of these scams that they did television news announcements warning about it. See for example: Scam Alert (A Current Affair, November 2012).) Those spam messages looked like this:

Subject: Customer Satisfaction Survey! Win 150$

Congratulations!

You have been selected by Woolworths Online Department to take part in our quick and easy reward survey. In return we will credit $150 to your account - Just for your time!

Helping us better understand how our members feel, benefits everyone.

With the information collected we can decide to direct a number of changes to improve and expand our services. The information you provide us is all non-sensitive and anonymous. No part of it is handed down to any third party groups. It will be stored in our secure database for maximum of 3 days while we process the results of this nationwide survey.

To access the form, please click on the link below :
