[A much shorter version of this article appeared in the October 2013 Threat Radar Report as 'The Thoughtful Phisher'. As these particular scam/spam campaigns don’t seem to be diminishing, however – indeed, some of the phishing techniques seem to be getting more sophisticated – I thought perhaps it was worth updating and expanding for a wider audience. In fact, I’ve got so many new samples it’s going to take me several blog articles to get them all in, and that’s just the interesting ones.]

Now the New Year, reviving last Year's Debt,
The Thoughtful Fisher casteth wide his Net;
So I with begging Dish and ready Tongue
Assail all Men for all that I can get.

(The Rupaiyat of Omar Kal'vin, Rudyard Kipling)


Small Blue-Green World


I know New Year is a little way off yet. However, I’ve been interested in the past month or two to see a minor avalanche of phishing scams, most of them targeting users of NatWest, Lloyds and the Halifax (all banks with huge customer bases in the UK). There’s a pronounced family resemblance between these scams. While the earlier ones mostly point to phishing sites apparently hosted in Poland (*.pl) or Niue (*.nu), the most recent include *.be (Belgium – what would Poirot say???), *.br (Brazil), *.es (Spain), *.cl and *.za (South Africa) domain names. I say “apparently” because domains used for phishing are by no means always authentic, registered domains, and there’s no guarantee that these regional suffixes offer any real clue as to the geographical location of the scammer. In any case, phishing sites come and go all the time as they’re spotted, blacklisted, and replaced.

On the other hand, if your bank or credit card provider is based in the UK, the chances are that it uses either a local (*.co.uk) domain or a *.com domain. There may be less obvious possibilities, but an address for a UK bank apparently hosted in South America or Eastern Europe should really ring alarm bells, if only because these are regions particularly noted for phishing activity.

Nevertheless, an apparently legitimate TLD (Top Level Domain) can be spoofed in a variety of ways. That’s why we always recommend that you don’t click on a URL (web address) in any message that could be a phish. Instead, you should be able to navigate from a known, authentic URL. Still, if a URL looks blatantly improbable, that’s a pretty good reason to ignore it immediately and completely.

One way of getting some further insight into the validity of a link is to check the Top Level Domain with a reasonably reliable source like this one. Not only will this tell you in some instances that ‘your bank’ is apparently operating a web site somewhere quite unexpected like the middle of the Pacific, but it may also tell you that there’s something phishy about the email address from which a message appears to have been sent.

  • Why would an English bank send you emails from Peru?
  • Why would any bank send you emails from a domain called boat.com? (Must be a phishing boat…)
  • …Or from parish.net? I know nets are used by phishermen – sorry, fishermen – but clergymen? (I was wondering if it was in good taste to use a ‘phisher of men’ biblical reference here but an article on the phys.org web-site got in first, so the question is academic anyway.)

Oddly enough, while some of the apparent sender addresses in this particular kettle of phish are spoofed – as you’d expect – so as to look as if they were sent from a real domain owned by a phished bank or building society, others make less of an attempt to look like a real bank address. So as well as ‘info@lloyds.com’ and ‘onlineservice@nationwide.com’, we have ‘info@nbs.mobi’, ‘secure@lloydsbank.mobi’ and ‘info@lloydsbank.mobi’. These at least sound as if they have some tenuous connection with the banking industry, except that major banks don’t usually sit on the .mobi domain; but ‘info@services.com’ and ‘info@service.mobi’ are almost as generic as ‘info@yahoo.com’ would be. (That’s just an example, not a known phishing address.) Meanwhile ‘info@box.com’, ‘review@dot.com’ and ‘info@be.mobi’ really make no effort at all to sound like a bank.

As we always say, you shouldn’t expect email to be genuine just because it seems to come from [yourbank].com, but you should be even more sceptical if the sender’s address looks the least bit ‘odd’. For instance, a Hotmail or Gmail address: that is, something that doesn’t sound like a legitimate bank email address (like the above-mentioned boat.com). Not that Hotmail or Gmail addresses can’t be legitimate in the right context, but respectable financial institutions can afford to use addresses that are clearly from their own domains.

It’s also worth checking the address that the mail is sent to. If the ‘To’ field is empty, that means it’s been blind-copied, and that suggests that it’s been sent to several recipients. If it’s sent to ‘Recipients’ or ‘Customers’, it’s certainly been sent to many people. And if, despite that, it includes a link that sounds as if it should be personal to you (like one that’s supposed to enable you to log in to fix a ‘problem’) that should certainly tell you that something is very wrong. But you should be suspicious if the mail includes any link, even if it doesn’t look particularly odd. (I know ‘odd’ is rather a broad term, but there are some examples of oddity given below.)

We’d always advise that even if a login link looks OK, it’s safer to go through a URL known to be legitimate, not the one that’s given in an email. Unless, at any rate, you have no doubt at all that the email is genuine (like one you’ve verified with the sender by other means). And in general, any email apparently requiring you to click on a link in the message in order to log in to your account is either fake or sent by a bank that knows so little about phishing that you probably ought to consider banking elsewhere.

Here are some typical (and typically odd) sender addresses along with the subject of the message they accompany. N.B. email addresses can be (and usually are) spoofed, so an address might look much more authentic than these: still, while scammers continue to use addresses that don’t look genuine, they’re worth noting as a potential heuristic. It’s actually unlikely that any email address given here is genuine.

| Address (apparently from…) | Subject |
|---|---|
| NatWest Card Services [info@service.mobi] | REFUND SLATED ON YOUR ACCOUNT |
| Nationwide Building Society [info@nbs.mobi] | Nationwide - Security Certificates Update |
| Lloyds Bank [secure@lloydsbank.mobi] | Lloyds Bank - Existing Customer Notification |
| Lloyds Bank [info@lloydsbank.mobi] | Lloyds Bank - Existing Customer Notification |
| Nationwide [info@box.com] | Nationwide - Resolve Your Account |
| Nationwide [info@services.com] | Nationwide - Upgrade Notification. |
| Halifax [info@halifax.co.uk] | LloydsTSB - Account Upgrade Notice |
| NatWest Credit Card [xx@kio.com] | NatWest Credit Card Security upgrade - Must Read |
| NatWest Card [info@pe.mobi] | NatWest Card - Important Notification. |
| NatWest [server@parish.net] | Natwest Credit Card Online Services Review |
| NatWest [veri@cred.com] | Important Notification On Your NatWest Card |
| NatWest Card Services [info@bt.mobi] | Verify The Error On Your NatWest Card. |
| MINT [service@mn.mobi] | Your MINT Card Important Notification ! |
| Lloyds Bank [sin@resolve.com] | New security notice on your Lloyds account |
| MINT [info@edi.mobi] | Fix The Error On Your MINT Card. |
| MINT [info@large.mobi] | Fix The Error On Your MINT Card Account |
| Lloyds Bank [i@noreply.com] | Account Notification |
| Lloyds Bank [noreply@lloydsonline.com] | Online Customer Identification Requirements |
| NatWest Card Service [card@boat.com] | NatWest Credit Card Security upgrade - Must Read |
| NatWest Card [info@vu.mobi] | NatWest is giving you a chance to shop for free ! |
| NatWest Credit Card [wages@salary.com] | Your NatWest Card Important Notification |
| NatWest Card [info@be.mobi] | NatWest Important Security Notification. |
| NatWest [review@dot.com] | NatWest Card Online Service Review |
| Santander [onlineregistrations@santander.co.uk] | Pending Incoming Credit Notification [or] Pending Credit Alert |
| NatWest [info@lt.mobi] | NatWest Card Service Secure Message |

And these are some of the links: on the left is the text as you see it in the message; on the right is the address it conceals, unless you’re the sort of professional sceptic (like me) who always passes his mouse over a link to see where it really goes, even if he has no intention of following it.

| What you see | What it links to |
|---|---|
| Kindly Click here now. | hxxp://www.enocowanie.net/model/Natwest-Card/ |
| LOG ON HERE | hxxp://rygielska.pl/wp-includes/css/txt.htm |
| Click here | hxxp://drukujfoto.pl/fotogaleria/formularze/xy/rrs.htm |
| click here to avoid services interruption | hxxp://static.teatrwybrzeze.pl/phpThumb/docs/rrs.htm |
| click here | hxxp://succesformule.nu/frm.htm |
| SECURE ACCOUNT | hxxp://www.lebenstraum-immo.de/kickers/images/fbfiles/images/gou.htm |
| click fraud text alert services | hxxp://www.villademerlo.gov.ar/vecino/libraries/wp.htm |
| Resolve Your Nationwide Account | hxxp://www.globalla.pl/views/img/prettyPhoto/default/NATIONWIDE/nationwide.co.uk.htm |
| Click Here to avoid services interruption | hxxp://www.quady-gorzow.pl/images/cms/Natwest-Card/ |
| That was me. | hxxp://www.toiture-antony.lu/ps.htm |
| That was NOT me. | hxxp://www.toiture-antony.lu/ps.htm |
| Yes, I made this request. | hxxp://www.plasticadosonho.com.br/txt.htm |
| No, I did not make this request. | hxxp://www.plasticadosonho.com.br/rrs.htm |
| Resolve Here | hxxp://www.csie.ncue.edu.tw/csie/include/wp.htm |
| Confirm Pending Credit | hxxp://vservetech.com/files/wpThumbnails/error.php |
| Unlock Your NatWest Credit Card Online Services | hxxp://www.bornllibres.com/content/user_images/tiny/mcith/Natwest-Card/ |
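As an added example (not part of the original article), here is a small Python checker that applies the sender-address and ‘To’-field heuristics described above, together with the link-text-versus-destination check from the table, to a constructed message. The allow-list of bank domains, the webmail list and the sample message are assumptions, and the phishing link in it is a made-up, defanged placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the senders and links the article lists
# (the link is defanged with hxxp, as in the article's table).
SAMPLE = """From: NatWest Card Services <info@service.mobi>
To: Recipients
Subject: REFUND SLATED ON YOUR ACCOUNT
Content-Type: text/html

<p>Kindly <a href="hxxp://www.example-phish.pl/Natwest-Card/">Click here now</a>
to log in and fix the problem with your account.</p>
"""

# Assumed allow-list of domains the real institutions send from.
BANK_DOMAINS = {"natwest.com", "lloydsbank.co.uk", "nationwide.co.uk",
                "halifax.co.uk", "santander.co.uk"}
WEBMAIL = {"hotmail.com", "gmail.com", "yahoo.com"}
BULK_TO = {"", "recipients", "customers", "undisclosed-recipients:;"}
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def link_host(url):
    """Hostname of a URL, accepting the defanged hxxp/hxxps scheme."""
    return (urlparse(url.replace("hxxp", "http", 1)).hostname or "").lower()

def check_message(raw):
    """Apply the article's heuristics to one RFC 822 message; return the reasons to be suspicious."""
    msg = message_from_string(raw)
    reasons = []
    _, sender = parseaddr(msg.get("From", ""))
    dom = sender.rsplit("@", 1)[-1].lower()
    if dom in WEBMAIL:
        reasons.append(f"sender uses a webmail domain ({dom})")
    elif dom.endswith(".mobi"):
        reasons.append(f"sender domain {dom} is on .mobi, unusual for a bank")
    elif dom not in BANK_DOMAINS:
        reasons.append(f"sender domain {dom} is not a known bank domain")
    if msg.get("To", "").strip().lower() in BULK_TO:
        reasons.append("To field empty or generic: sent to many recipients")
    html = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    for href, text in LINK_RE.findall(html):   # what you see vs. where it goes
        host = link_host(href)
        odd = not (host.endswith(".co.uk") or host.endswith(".com"))
        reasons.append(f"link '{text.strip()}' goes to {host}"
                       + (" (non-UK/.com host)" if odd else "") + "; navigate from a known URL instead")
    return reasons
```

Every link is reported, because the advice is to reach the bank from a known URL rather than from any emailed link; the TLD check only adds emphasis.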

In the next article in this series, we’ll look at some specific messages and see what we can learn from them about the kind of social engineering that scammers use.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow