Unfortunately, we'll be meeting phishing mails and malware campaigns for a while yet. My friend and colleague Urban Schrott of ESET Ireland has advised me of a massive run of targeted scam emails spamming Irish mailboxes, all with various attempts to scam Permanent TSB customers. The emails come with subject lines like “Your access to Open24 online banking has been locked”, “Your account has been temporarly suspended”, “We found suspicious activities on your account - Please read details!”, “Permanent TSB - Customer Notice”, “Open24 Internet Banking Account Notification” and they arrive from spoofed email addresses like info@permanenttsb.ie, security@permanenttsb.ie, customersecurity@permanenttsb.ie, These addresses are all engineered to reassure recipients these addresses are the real thing. However, I've been seeing what appears to be a similar upsurge in phishing and other malicious emails in the UK, and they seem more than usually successful at bypassing spam filters maintained by major email providers and ISPs.

When you're smiling...

Perhaps the Smile phishers I mentioned in my previous blog are among my readers (for international readers, Smile is the Internet arm of the UK's Co-operative Bank). Anyway, it seems these phishers have picked up on the fact that the old-school all-text phishing email is less likely to convince nowadays than one that actually includes a logo. Preferably one that's really associated with the bank or financial institution from which the email is supposed to originate. And yes, the latest little beauty I've received actually contains a Smile logo. Or to be precise, a link to a Smile logo that can be found as a .GIF on the real bank's web site. And here is the message text.

Dear Client,

Our technical security services department has notified an
error on your account, which may lead to your account
suspension.

For you to gain access back to your account. you are required
to follow the instructions below

  • Instructions
  • All Smile Bank customers are required to fill their
    account information properly.
  • Failure to do so will be automatically de-activated from
    its account from our database.

Click here to proceed

We are sorry for the inconvenience this may caused you
and thank you for banking with us.

Sincerely,
Smile Banking.

Some of the other characteristics of the previous text-only messages such as the meaningless reference numbers and the long disclaimers have disappeared. However, the social engineering hook remains: that is, the threat we might summarize as "Click on this [object, in this case a link] or something bad will happen [we'll trash your account!]

For the Journey

Subsequently, I received on the same account a somewhat similar phishmail that appeared to originate with Lloyds TSB (though the text-only format and the blatantly wrong email address llyods.tsb@theaspenmodellingcompany dot com weren't very convincing).

YOUR INCOMING PAYMENT WAS PUT ON HOLD

Dear Customer,

We are unable to process an incoming payment to your account  due
to difficulties in verifying your Account.

Please download the file attached to this email , fill out the
information required to review your account and press continue.

Because email is not a secure form of communication, this email
box is not equipped to handle replies.

Thank you for your prompt attention to this matter.

Internet Banking Security,
Lloyds TSB Banking Group

Well, I think they've proved the point about email not being a secure form of communication. The phishing component is an attachment called Your Lloyds TSB Secure Account Details.htm. It looks a lot more convincing, with its Lloyds TSB logo, lots of links that go directly to pages on the real site (in case you can't remember your password, for example: very helpful of them to provide that, though of course it's for their benefit, not yours), a reassuring padlock icon copied directly from a Lloyds TSB page, and so on. The big gun in the scammer's armoury here, though, is the form below. (Links and some other content and formatting have been removed.)

You're logging into a secure site

How can I tell that this site is secure?

Welcome to Internet Banking

Complete security verification required.

Please enter your information correctly below to proceed

User ID: [ ]
Password: [ ]
Memorable Information: [ ]
Mobile Number:  [ ]
Home Phone Number: [ ]
Date of Birth (dd/mm/yyyy): [ ]

Remember my user ID [ ]

Tick this box to save your user ID on this computer. This won’t save your password though. You’ll still have to enter it each time you want to access your account.

Warning: Don’t tick this box if you’re using a public or shared computer

Tip - We’ll never ask you to enter your security details on a pop up window

This is a pretty good example of a phish that uses enough of the real site's security features to give it lots of credibility without actually hampering its ability to circumvent those features. Moral: what looks like a security site to you could be full of tricksy little holes, and might not even be a site. Go to a URL you know you can trust, not something linked from an email. I particularly like the tip at the end: since this is an HTML attachment, there is no need for a pop-up window, but that sure doesn't mean it's a safe form.

Sign up for fake security

Unfortunately, I inadvertently deleted another phishing email on my phone before I could capture it as an image. It was apparently from Lloyds TSB, but with a more interesting hook, but I can't give you the precise wording. The gist of it, however, is this:

  • A generic description of what phishing is. (Not very accurate, but no worse than that of some banks: maybe lifted from a bank site.)
  • A recommendation that I sign up for security alerts.
  • A link to a site that was definitely not Lloyds/TSB, and presumably to a form that requires you to enter sensitive details in order to 'sign up.'.

Full marks for chutzpah, I guess.

A parcel you don't want to open

And finally, here's a recent example of a type of malicious email very similar to those flagged by Dancho Danchev earlier this month.

This time, the malicious code is in the attachment, which is not, of course, a postal receipt. This isn't phishing, as such, though there's an element of identity theft, of course. The aim here is to give a remote attacker full access to the victim's machine, which is recruited into a botnet. There's nothing new about delivering malware in the form of an email that ostensibly comes from a parcel carrier service, but the fact that the campaign is still continuing suggests that it's been successful. Not surprisingly, given the time of year.

Mind the gap

If you're looking at these and thinking "so what? It's the same old low-grade jive!" think again. Right now malware and phishing forms apparently from reputable companies seem to be particularly successful at getting through mail services with exceptionally good filtering. Now, as ever, you need to be aware that you can't rely on mail provider filtering and security software to protect you from all attacks. But scepticism and common sense will go a long way towards plugging the gaps in your defences.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow