It might be nice, I thought, to finish my blogging for 2012 with a smile. Unfortunately, the smile I'm referring to here is as fake as a reality show contestant about to vote off a competitor. In fact, it's a series of classic phishing emails that have been crawling into my mailbox. So classic, in fact, that my first thought was to wonder how anything so crass could possibly have got through standard email filters. The second was that maybe this is a good opportunity to make some points about how to recognize a baited hook, even though in this case there's more hook visible than bait.

In this case, the emails look as if they came from Smile, the internet arm of the UK's Co-operative Bank. The fact that I've never had an account with the Co-op may be a bit of a giveaway, but I guess some of Smile's customers get phishing emails. Anyway, there's a good chance that the thing will turn up targeting users of other banking services. The other big giveaway here is that the email in each case is raw ASCII text, with not a logo in sight. That doesn't, of course, mean that a message in HTML or rich text, festooned with the bank's logo and other graphics, is genuine, even if the graphics look real rather than made up like the ones Fake AV and other scams often use: it's all too easy to rip off a genuine logo.

First Phishing Email

20th December 2012, Dear Valued Customer

This is characteristic of generic 'fire and forget' phishing spam. If your bank needs to tell you something, even if it's just advertising services, it should be able to address you personally.

Spammed phishing emails are sent out willy-nilly to the same sort of mailing list that other spammers use, though in the case of targeted attacks such as spear phishing, the attacker may know a great deal more about the target than his email address.

In this case, however, Valued Customer is just generic shorthand for 'Anyone who happens to be on the list I'm using who also turns out to be a Smile customer, and doesn't know enough about phishing to recognize a scam.' A slightly more sophisticated version is to use the email address, though it's hard to imagine too many people falling for 'Dear khjkg77@hotmail.com'. However, it's also possible sometimes for a spammer/scammer to guess at part - or all - of the account-holder's real name. In fact, it doesn't take much effort to automate the guesswork for an email address like fredbloggs@gmail.com, and it may not even be necessary, since most mail programs allow you to specify your real name in their settings as well as your user name.

We've sent you a secure message. Please log on here to read it.

A clear case of a scammer swearing that white is black. It's hard to imagine anything less secure than a message you have to access by clicking on an unverified link in an email message. Obviously, I've removed the link to a phishing site so that you can't click it accidentally (and replaced it with a dummy page I recently set up on one of my other blogs).

The original link took the form [sitename]/css/smile. It's normal for such malicious sites to include pages for other banks, each of which presents an interface that looks enough like the real thing for the victim to fall for it. However, not all malicious sites are so obligingly obvious. Sometimes the link looks legitimate but takes you somewhere quite different, like this one: Bank of England (the link text names the bank, but the destination is somewhere else entirely). And there are more technically sophisticated ways of disguising a link.
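Here is a small link-auditing check of the kind a mail filter or a cautious reader's own tooling might run over an HTML message. It is an added example and not part of the original post. It collects the anchors in a message body and flags the disguises mentioned above: a bare IP address as the host, a user-info section in front of the real host, and visible text that names one site while the href goes to another. The sample body and every host in it (203.0.113.5, example.net) are constructed for the example; the `same_site` comparison is deliberately crude and is not public-suffix aware.

```python
"""Audit the links in an HTML email body for the kind of disguise the post
describes: visible text pointing one way, the real href pointing another.
Added example, not from the original post. Standard library only."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(host_a, host_b):
    """Crude 'same site' test: equal, or one is a subdomain of the other.
    Not a public-suffix-aware comparison (assumption: good enough here)."""
    a, b = host_a.lower().rstrip("."), host_b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html_body):
    """Return one finding per anchor: href, visible text, list of reasons (empty = clean)."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.scheme in ("http", "https") and not host:
            reasons.append("no hostname in href")
        if "@" in parts.netloc:
            # everything before the '@' is user-info, not the site
            reasons.append("userinfo before host in href")
        if host and _is_ip(host):
            reasons.append("href host is a bare IP address")
        shown = DOMAIN_RE.search(text)
        if shown and host and not same_site(host, shown.group(1)):
            reasons.append(f"text shows {shown.group(1)} but href goes to {host}")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample body: all hosts are documentation/test addresses.
SAMPLE_HTML = """
<p>We've sent you a secure message.
<a href="http://203.0.113.5/css/smile">Please log on here</a> to read it.</p>
<p>Or visit <a href="http://login.smile.co.uk.example.net/css/smile">www.smile.co.uk</a></p>
<p>Compare: <a href="https://www.bankofengland.co.uk/">Bank of England</a>
and <a href="https://www.smile.co.uk/">smile.co.uk</a></p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        status = "; ".join(finding["reasons"]) or "ok"
        print(f"{finding['text']!r:32} -> {finding['href']}: {status}")
```

The third and fourth anchors come back clean: the visible text either names no site at all or names the same site the href goes to. A real filter would add a public-suffix list and reputation data, but the display-versus-destination comparison is the check a reader can also do by hand, by hovering over the link before clicking.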

When the victim presents his credentials, the site will store or transmit them for the scammer's future use. It may then pass him on to the real site, or simply put up an error message suggesting that the site is currently overloaded or undergoing maintenance.

But here's the rest of the message, complete with a 'reassuringly' official and totally meaningless Reference Number and one of those equally meaningless long, long disclaimers that real businesses are so fond of.

Thanks smile Ref: SF02
**********************************************************************
This e-mail is intended solely for the addressee and is strictly confidential. If you are not the intended addressee, please do not read, print, retransmit, store or act in reliance on it or any attachments. Instead please notify us immediately, e-mail it back to the sender and delete the message from your computer. E-mail transmission cannot be guaranteed to be secure or error free and smile accepts no liability for changes made to this e-mail (and any attachments) after it was sent or for viruses arising as a result of this e-mail transmission. Any unauthorized disclosure, reproduction, dissemination, copying, modification, distribution and/or publication of this e-mail message is strictly prohibited. Smile reserves the right to intercept any e-mails or other communication for permitted purposes in accordance with the current legislation which you send to, or receive from, any of the employees or agents of the smile via its telecommunication systems. By so corresponding you also give your consent to smile monitoring and recording of any correspondence using these systems. Unless stated otherwise by an authorized individual, nothing contained in this e-mail is intended to create binding legal obligations between us and opinions expressed are those of the individual author. Smile is the internet bank of The Co-operative Bank p.l.c. which is registered in England and Wales, number 990937. The registered office is at PO Box 101, 1, Balloon Street, Manchester, M60 4EP.
**********************************************************************

The details at the end are correct but probably cut and pasted from the real web site.

The message headers are spoofed to make it look at a glance as if it comes from the real Smile (I've removed some of the fields):

Return-Path: <hello@mail.smile.co.uk>
Received: from mx01.stofanet.dk ([212.10.10.11])
            by mail5.atlas.pipex.net with esmtp (Exim 4.71)
            (envelope-from <hello@mail.smile.co.uk>)
Received: from 563470a2.rev.stofanet.dk ([86.52.112.162])
            by mx01.stofanet.dk (envelope-from
           <hello@mail.smile.co.uk>)
To: Recipients <hello@mail.smile.co.uk>
From: "smile" <hello@mail.smile.co.uk>
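As an added illustration (not from the original post), the following Python reads the headers quoted above, embedded here as a constructed message with a placeholder body, and reports the mismatches a human would look for: the domain the message claims to come from against the hosts in the Received chain, the From address against the Return-Path, and a To header that is just the sender's own address. The regular expression for the `from` clause of a Received header and the `same_site` helper are my own simplifications.

```python
"""Do the headers agree with who the message claims to be from?
Added example, not from the original post. Standard library only."""
import email
import re
from email.utils import parseaddr

# 'from <host> (<comment with [ip]>)' at the start of a Received header.
RECEIVED_FROM_RE = re.compile(r"^\s*from\s+(\S+)(?:\s*\(([^)]*)\))?", re.I)
BRACKET_IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def same_site(host_a, host_b):
    """Crude 'same site' test: equal, or one is a subdomain of the other."""
    a, b = host_a.lower().rstrip("."), host_b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def parse_received(value):
    """Pull (claimed sending host, bracketed IP) out of one Received header."""
    flat = " ".join(value.split())          # undo header folding
    match = RECEIVED_FROM_RE.match(flat)
    if not match:
        return None
    ip_match = BRACKET_IP_RE.search(match.group(2) or "")
    return match.group(1).lower(), (ip_match.group(1) if ip_match else None)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_headers(raw_message):
    """Return the claimed sender domain, the apparent origin and a list of flags."""
    msg = email.message_from_string(raw_message)
    flags = []
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    from_addr = parseaddr(msg.get("From", ""))[1]
    to_addr = parseaddr(msg.get("To", ""))[1]
    sender_domain = domain_of(return_path or from_addr)

    # Each relay prepends its own Received header, so the last one listed is
    # the hop closest to the true origin.
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    origin_host, origin_ip = hops[-1] if hops else ("", None)

    if sender_domain and not any(same_site(host, sender_domain) for host, _ in hops):
        flags.append(f"claims {sender_domain} but no relay in the chain belongs to it; "
                     f"first hop was {origin_host} [{origin_ip}]")
    if from_addr and return_path and domain_of(from_addr) != domain_of(return_path):
        flags.append("From and Return-Path domains differ")
    if to_addr and to_addr.lower() == from_addr.lower():
        flags.append("To is the sender's own address; real recipients are hidden (bulk mailing)")
    return {"sender_domain": sender_domain, "origin_host": origin_host,
            "origin_ip": origin_ip, "hops": hops, "flags": flags}


# The headers quoted in the post, assembled into a constructed message.
SAMPLE_HEADERS = """\
Return-Path: <hello@mail.smile.co.uk>
Received: from mx01.stofanet.dk ([212.10.10.11])
            by mail5.atlas.pipex.net with esmtp (Exim 4.71)
            (envelope-from <hello@mail.smile.co.uk>)
Received: from 563470a2.rev.stofanet.dk ([86.52.112.162])
            by mx01.stofanet.dk (envelope-from
           <hello@mail.smile.co.uk>)
To: Recipients <hello@mail.smile.co.uk>
From: "smile" <hello@mail.smile.co.uk>

(body omitted)
"""

if __name__ == "__main__":
    result = assess_headers(SAMPLE_HEADERS)
    print(f"claims: {result['sender_domain']}, origin: {result['origin_host']} [{result['origin_ip']}]")
    for flag in result["flags"]:
        print("  -", flag)
```

Two flags come out of the sample: the message claims mail.smile.co.uk but the only hosts that handled it are in stofanet.dk, and the To address is simply the spoofed sender. A relay outside the sender's domain is not conclusive on its own, since many organizations send through third-party mail providers; it is a prompt to look at the receiving server's SPF and DKIM results rather than proof by itself.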


Second Phishing Email

And here's a little Christmas something they sent me as a follow-up:

25th December 2012, Dear Valued Customer

To ensure your protection, access to your accounts has now been blocked. due to a system error { error code : 0c31e8 }. To re-gain access, you need to click the "log in" button below. Please logon here to re-gain your account

Thanks smile

The message also includes the same meaningless reference number and disclaimers as the previous example. The message headers are spoofed in the same way, though the routing information is different.

This time, there's an attempt to increase the pressure by claiming to have blocked access to the account, including a spurious error code. Despite the amateurish misformatting and lack of personalization, it's possible that someone might be worried enough by this message to attempt to log in. (It doesn't matter if you do click one of these links: I've changed them to something a little more harmless, though still a work in progress. You'll recognize it by the fact that it includes the same simulated tiger as the one above.)

What I do urge you to remember is this: while these 'tigers' look too fake to be scary, the only difference between these and many other generic phishing messages is that the perpetrators didn't bother to clothe the skeleton with the slick graphics we expect from large organizations. Next time you get an unsolicited email that seems to come from your bank, try to see past the presentation: does the message really make sense, or can you see phish-style social engineering beneath the gloss?

For more information and advice on phishing, you might find this paper useful: it's an all-in-one version of a blog series I put together a few months ago.

Envoi

This is likely to be my last blog for ESET in 2012, so I wish you all a prosperous and scam-free 2013. And in case you found the title puzzling, here's the limerick that I was quoting.

There was a young lady of Riga
Who smiled as she rode on a tiger;
They returned from the ride
With the lady inside,
And the smile on the face of the tiger.

Sometimes it's attributed to Edward Lear, but there is a version where the name at the end of the first line is 'Niger' instead of 'Riga', and attributed to William Cosmo Monkhouse. As a professional pedant, I can't quite like the fact that the rhyme in both versions depends on mispronouncing the place name, but there's no denying that this is one of the best-known examples of the limerick form - evidently, since the thing popped into my head when I started to think about a title for this blog...

The illustration is a simulated tiger and not suitable for AV product testing.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow