Here's a phish one of ESET's partners drew our attention to: it's aimed at users of Maybank (http://www.maybank2u.com), the largest financial services group in Malaysia. The scam is somewhat more elaborate than many we see, and it's worth a little analysis to see what flags we can extract from it for spotting a phisher at work.

From: Maybank Online Account [mailto:admin@maybank2u.my]
[That looks like a genuine address, but it's spoofed: the From: line is just text the sender chooses, so you'd need access to the full mail headers (Return-Path, the Received: chain) to see where the message really came from.]

Sent: Friday, 27 February, 2009 1:45 PM
Subject: Dear Account Holder,
[They have your money, but they don't know your name? Lack of personalization is a pretty reliable indicator of spammed, fraudulent mail.]

Dear maybank2u Account Holder,
[See above: but even if it used your email address, that wouldn't be much better. It's pretty easy to script a spam mailout to insert each recipient's email address. It's even feasible to parse the address to extract what may be the name of the account holder: however, that can result in curious effects like "Dear jero664..."]

Maybank2u would like to inform you that an increased number of merchants and ATMs in your country have experienced data compromises of payment cards used in their stores and at their ATMs, and that your funds may be at risk.  To protect yourself, please follow the next steps :
[This is the threat: it's intended to panic you into taking an unconsidered, incautious action like giving your details to a complete stranger. The next section, however, is where it gets interesting. Most phishes tell you to click on a link which will take you to a fake site. This one does something quite different.]

 * Log in into maybank2u online account
[URL removed, but this is the real bank site]

* You must request for TAC online via maybank2u - your TAC will be sent via SMS to the mobile phone number you registered at the ATM.
( you can find the "request a TAC" button in the right menu of your account "Utilities" )
[As I don't have an account there, I haven't checked this personally, but apparently this involves accessing the genuine site and requesting a Transaction Authorization Code (TAC). This is only supposed to be sent to a mobile phone number which the owner has registered with the bank over the counter. So how does this benefit the scammer?]

* Logout from your maybank2u account and close the browser.
[Ok...]
* When you have received the TAC (Transaction Authorization Code) on your mobile phone, open the secured form attached to email and submit the requested information
( Account user ID, password and TAC )

[And this is where it all becomes clear. The attached "form" is, in fact, a piece of JavaScript that redirects to a site in China that has nothing whatsoever to do with Maybank. It's just another link to a fake web site, dressed up as an attachment. The previous procedure performs three main functions:

  • It obscures the fact that this is just a link to an unvalidated site with no proven connection to the apparent sender.
  • It sets up the victim to acquire all the information the scammer needs to plunder his account: user ID, password and a freshly issued TAC.
  • It looks as if the procedure is a comprehensive, safe, genuine validation procedure (indeed, the first steps apparently really are genuine), so the victim is off-guard when the last stage of the con is executed: the fact that the procedure actually seems lengthy and a little bureaucratic reinforces the victim's sense of false security.]

Please allow 48 hours for processing
[In other words, please give me 48 hours to wreak havoc with your finances.]

Thank you,
maybank2u Risk Management Department
[Have a nice day!]

I'm sure you can see ways in which this approach could be localized to wherever you live!
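The flags pulled out above (a sender address that only the headers can expose as forged, a generic salutation, pressure to act within a deadline, and an attached "form" that is really script pointing somewhere else) are mechanical enough to check automatically. The following is an added example, not code from the original post or from ESET, that scores a raw message against those four flags using only the Python standard library. The sample message, its hostnames and addresses, and the keyword lists are constructed for illustration and are not taken from the phish itself.

```python
"""Score a raw e-mail against the four phishing flags discussed in the post.
Added example; the sample messages below are constructed, not real captures."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed phish-like sample: From: claims maybank2u.my, but the bounce
# address and the relay that handed it in belong to a different domain
# (example-bulkmailer.test is a made-up hostname), the salutation is generic,
# the body demands action within 48 hours and an HTML attachment carries script.
SAMPLE = """Return-Path: <bounce@example-bulkmailer.test>
Received: from mail.example-bulkmailer.test (mail.example-bulkmailer.test [203.0.113.5])
\tby mx.example.net with ESMTP id abc123
\tfor <victim@example.net>; Fri, 27 Feb 2009 13:45:00 +0800
From: Maybank Online Account <admin@maybank2u.my>
To: victim@example.net
Subject: Dear Account Holder,
Date: Fri, 27 Feb 2009 13:45:00 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

Dear maybank2u Account Holder,
... your funds may be at risk. To protect yourself, please follow the next steps.
Please allow 48 hours for processing
--XX
Content-Type: text/html; name="secured_form.html"
Content-Disposition: attachment; filename="secured_form.html"

<html><script>location.href="http://203.0.113.99/login";</script></html>
--XX--
"""

# Constructed benign sample: consistent domains, personal salutation, no attachment.
BENIGN = """Return-Path: <bob@example.net>
From: Bob <bob@example.net>
To: alice@example.net
Subject: lunch

Dear Alice,
See you at noon tomorrow.
"""

# Assumed keyword lists; a production filter would use a tuned corpus instead.
GENERIC_SALUTATION = re.compile(
    r"^\s*Dear\s+[^\n,]*?(account holder|customer|user|member|client)", re.I | re.M)
URGENCY_PHRASES = ("at risk", "48 hours", "24 hours", "immediately", "suspended")
ACTIVE_CONTENT = re.compile(r"<script|location\.href|window\.location", re.I)


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower() or None


def first_received_host(msg):
    """Host named in the 'from' clause of the topmost Received: header."""
    for value in msg.get_all("Received") or []:
        m = re.search(r"\bfrom\s+([\w.-]+)", " ".join(str(value).split()), re.I)
        if m:
            return m.group(1).lower()
    return None


def sender_mismatch(msg):
    """True when Return-Path or the submitting relay disagree with the From: domain."""
    from_dom = domain_of(msg["From"])
    if not from_dom:
        return False
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        return True
    host = first_received_host(msg)
    return bool(host) and not (host == from_dom or host.endswith("." + from_dom))


def body_text(msg):
    """Plain-text body (falling back to HTML), or an empty string."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def scripted_attachment(msg):
    """True when an HTML/JS attachment contains script or a redirect."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in ("text/html", "application/javascript") \
                or name.endswith((".htm", ".html", ".js")):
            content = part.get_content()
            if isinstance(content, bytes):
                content = content.decode("latin-1", "replace")
            if ACTIVE_CONTENT.search(content):
                return True
    return False


def phish_flags(raw):
    """Return a dict of flag name -> bool for a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = body_text(msg)
    return {
        "spoofed_sender": sender_mismatch(msg),
        "generic_salutation": bool(GENERIC_SALUTATION.search(body)),
        "urgency": any(p in body.lower() for p in URGENCY_PHRASES),
        "scripted_attachment": scripted_attachment(msg),
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, phish_flags(raw))
```

The spoof check is deliberately crude: it only asks whether the bounce address and the relay named in the most recent Received: line belong to the domain the From: line claims. That is exactly the check a reader without SPF/DKIM results can still do by hand, and it is the one the post says you need the headers for; legitimate mail sent through a third-party bulk mailer will trip it too, which is why it is a flag and not a verdict.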

Thanks to Quah PK for bringing this to my attention.

David Harley
Director of Malware Research