Here’s a phish one of ESET’s partners drew our attention to: it’s aimed at users of Maybank (http://www.maybank2u.com), the largest financial services group in Malaysia. The scam is somewhat more elaborate than many we see, and it’s worth a little analysis to see what flags we can extract from it for spotting a phisher at work
From: Maybank Online Account [mailto:email@example.com]
[That looks like a genuine address, but it's spoofed: you'd need access to the mail headers to confirm that, though.]
Sent: Friday, 27 February, 2009 1:45 PM
Subject: Dear Account Holder,
[They have your money, but they don't know your name? Lack of personalization is a pretty reliable indicator of spammed, fraudulent mail.]
Dear maybank2u Account Holder,
[See above: but even if it used your email address, that wouldn't be much better. It's pretty easy to script a spam mailout to insert each recipient's email address. It's even feasible to parse the address to extract what may be the name of the account holder: however, that can result in curious effects like "Dear jero664..."]
Maybank2u would like to inform you that an increased number of merchants and ATMs in your country have experienced data compromises of payment cards used in their stores and at their ATMs, and that your funds may be at risk. To protect yourself, please follow the next steps :
[This is the threat: it's intended to panic you into taking an unconsidered, incautious action like giving your details to a complete stranger. The next section, however, is where it gets interesting. Most phishes tell you to click on a link which will take you to a fake site. This one does something quite different.]
* Log in into maybank2u online account
[URL removed, but this is the real bank site]
* You must request for TAC online via maybank2u – your TAC will be sent via SMS to the mobile phone number you registered at the ATM.
( you can find the "request a TAC" button in the right menu of your account "Utilities" )
[As I don't have an account there, I haven't checked this personally, but apparently this involves accessing the genuine site and requesting a Transaction Authorization Code (TAC). This is only supposed to be sent to a mobile phone number which the owner has registered with the bank over the counter. So how does this benefit the scammer?]
* Logout from your maybank2u account and close the browser.
* When you have received the TAC (Transaction Authorization Code) on your mobile phone, open the secured form attached to email and submit the requested information
( Account user ID, password and TAC )
Please allow 48 hours for processing
[In other words, please give me 48 hours to wreak havoc with your finances.]
maybank2u Risk Management Department
[Have a nice day!]
I’m sure you can see ways in which this approach to be localized to map to where you live!
Thanks to Quah PK for bringing this to my attention.
David Harley BA CISSP FBCS CITP
Director of Malware Research