Yesterday morning, AVIRA specialists noted the e-mail spreading of a message that seemed to be part of a donations campaign, initiated by BNR (National Bank of Romania) to support the reconstruction of areas severely hit by floods this summer. The authors of this message were clearly taking advantage of the compassion and sympathy shown by the people after the recent devastating floods, in order to get card details and other personal information for identity theft purposes. Although this would be a first for Romania, such practices are no longer new to the international IT environment, where they go by the name of phishing.
AVIRA reveals today a more detailed analysis of this phishing attack that involved the name of BNR (National Bank of Romania).
The fraud was crafted in a manner that appeared very credible and was hard to spot for ordinary citizens, who are not that familiar with current schemes that abuse Internet resources. While spreading by e-mail, the fake message was apparently sent by the National Bank of Romania, from the address initiativa@bnr.ro.
The e-mail looked as follows:

The e-mail appeared to come from the address initiativa@bnr.ro but, if we look in the headers, the originating host is server.hostbigger.com.
Unfortunately, SpamAssassin does not recognize the mail as suspicious:
X-Spam-Checker-Version: SpamAssassin 3.0.4-gr0 (2005-06-05) [...]
X-Spam-Level: *
X-Spam-Status: No, score=1.5 required=3.0 tests=FORGED_RCVD_HELO,HTML_40_50,
HTML_MESSAGE,HTML_TAG_EXIST_TBODY,MIME_HTML_ONLY autolearn=disabled
version=3.0.4-gr0
Now, the big question: why do we say this is a phishing e-mail?
1. The illegitimate domain registration is incomplete
This is how the legitimate domain BNR.RO was registered, according to
http://server.rotld.ro/cgi-bin/whois?whois=bnr.ro&submit=Enter
domain-name: bnr.ro
description: Banca Nationala a Romaniei
admin-contact: TP1003-ROTLD
technical-contact: TP1003-ROTLD
zone-contact: TP1003-ROTLD
nameserver: ns.bnr.ro 194.102.208.6
info: object maintained by ro.rnc local registry
info: Register your .ro domain names at www.rotld.ro
notify: domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
mnt-lower: ROTLD-MNT
updated: hostmaster-danacorb@rotld.ro 19981214
source: ROTLD
person: Tiberiu Parvulescu
address: Banca Nationala a Romaniei
address: Str. Lipscani nr 25, sector 3
address: Bucuresti
address: Romania
phone: +40-21-311 14 62
fax-no: +40-21-311 14 62
e-mail: tiberiup@nbr.ro
We can see this is a fully registered domain. All the identification data are present, and they are valid.
However, for the rnb.ro domain, when performing the query
http://server.rotld.ro/cgi-bin/whois?whois=rnb.ro&submit=Enter
domain-name: rnb.ro
description: MobiFon S.A.
description: Piata Charles de Gaulle, nr.15
description: Sector 1
description: Bucharest, Romania
description: Phone: +40-21-302 4156
description: Fax: +40-21-302 1475
admin-contact: IOS1-ROTLD
technical-contact: IOS1-ROTLD
zone-contact: IOS1-ROTLD
nameserver: ns7.dr.myx.net
nameserver: dnsbck.dr.myx.net
info: Mugur Isopescu
info: Lipscani 25
info:
info: cod fiscal / cod numeric personal:
info: Registered via xnet
info: The NIC for Romania is http://www.rotld.ro/
notify: domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
updated: domain-admin@listserv.rnc.ro 20050722
source: ROTLD
application-date: 20050722
domain-status: active
registration-date: 20050722
expire-date: 20060722
we can see that some things are wrong here:
1.1. Incomplete information about the domain owner: no phone and fax numbers, address or e-mail;
1.2. The name of the supposed owner appears to be a joke. It is a combination of the name of the BNR Governor (Mugur Isarescu) and the name of a TV program host (Emanuel Isopescu). The result is a name that looks familiar to a lot of people.
It seems that routine had a say in this, and RNC (Romanian National Computer Network, the main Romanian authority for .ro domain registration) did not notice these details when they arrived from Mobifon, which probably processed them automatically as well. Under normal conditions, a manual review would not have allowed the registration of this domain.
1.3. The domain was registered on the 22nd of July, a Friday, that is just before the weekend, when people use the Internet mainly for personal purposes. This also reduces the chance of word about the fraud spreading (many newspapers do not appear during the weekend, and the media itself is focused on other issues).
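The three points above (missing owner contact details, an empty identifier field, and a registration only days before the mail) can be turned into routine checks against a whois record. The following is an added example and is not AVIRA tooling: the two records are excerpts of the whois output quoted above, and SEEN_ON is an assumed date for when the e-mail arrived.

```python
"""Checks on a .ro whois record mirroring points 1.1-1.3 of the analysis.
Added example, not AVIRA tooling. The records are excerpts of the whois
output quoted in the article; SEEN_ON is an assumed arrival date."""
import datetime as dt
import re
from collections import defaultdict

# Excerpt of the legitimate bnr.ro record quoted in the article.
BNR_RO = """\
domain-name: bnr.ro
description: Banca Nationala a Romaniei
nameserver: ns.bnr.ro 194.102.208.6
updated: hostmaster-danacorb@rotld.ro 19981214
person: Tiberiu Parvulescu
address: Str. Lipscani nr 25, sector 3
phone: +40-21-311 14 62
fax-no: +40-21-311 14 62
e-mail: tiberiup@nbr.ro
"""

# Excerpt of the rnb.ro record quoted in the article (the phone/fax lines
# are the registrar's, not the owner's).
RNB_RO = """\
domain-name: rnb.ro
description: MobiFon S.A.
description: Phone: +40-21-302 4156
nameserver: ns7.dr.myx.net
info: Mugur Isopescu
info: Lipscani 25
info:
info: cod fiscal / cod numeric personal:
registration-date: 20050722
domain-status: active
"""

SEEN_ON = dt.date(2005, 7, 25)  # assumed: the Monday after the registration


def parse_whois(text):
    """Turn 'key: value' lines into {key: [values]}; keys repeat in ROTLD output."""
    rec = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.partition(':')
        if sep:
            rec[key.strip().lower()].append(value.strip())
    return rec


def whois_findings(text, seen_on, max_age_days=30):
    """List the anomalies a reviewer would raise for this record."""
    rec = parse_whois(text)
    findings = []
    # 1.1: owner contact fields absent ('description' lines belong to the registrar)
    for field in ('phone', 'fax-no', 'e-mail'):
        if not any(rec.get(field, [])):
            findings.append(f"no {field} for the domain owner")
    # 1.2: identifier fields left empty, e.g. 'cod fiscal / cod numeric personal:'
    if any(value.endswith(':') for value in rec.get('info', [])):
        findings.append("empty registrant identifier field")
    # 1.3: registration (or last update) date close to the mail, plus the weekday
    stamp = (rec.get('registration-date') or rec.get('updated') or [''])[0]
    match = re.search(r'\b(\d{8})\b', stamp)
    if match:
        reg = dt.datetime.strptime(match.group(1), '%Y%m%d').date()
        age = (seen_on - reg).days
        if 0 <= age <= max_age_days:
            findings.append(f"registered {age} days before the mail, on a {reg.strftime('%A')}")
    return findings


if __name__ == '__main__':
    for name, record in (('bnr.ro', BNR_RO), ('rnb.ro', RNB_RO)):
        print(name, whois_findings(record, SEEN_ON) or ['no findings'])
```

The legitimate record produces no findings, while the rnb.ro record yields five: the three missing contact fields, the empty identifier line, and a registration three days before the mail on a Friday. A registrar processing requests automatically could run the same checks before activating a domain.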
2. The forged link in the e-mail
When looking inside the source of the mail, you see the following fake link, among others that are perfectly legitimate:
<a href="http://www.rnb.ro/process~donatie/participare-bancicomerciale/RTGS">
<table><tr><td> <a href="http://www.rnb.ro/process~donatie/participare-bancicomerciale/RTGS" target="CONTINUT" > http://www.bnro.ro/process~donatie/participare-bancicomerciale/RTGS </td></tr></table></a>
So, this is what makes it a real phishing e-mail: it displays a legitimate link, specific to a BNR webpage,
http://www.bnro.ro/process~donatie/participare-bancicomerciale/RTGS
which then takes the user to a fake site, apparently identical to the National Bank's website
http://www.rnb.ro/process~donatie/participare-bancicomerciale/RTGS
where the user is prompted for debit/credit card details.
The technique used here is not new. However, it is not too often that we see a table placed inside a link.
This technique is normally used to turn an entire area, including images (a table, in this case), into a link. That is not the case here, the link being the only element in the table.
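The deception above (visible text showing the bank's URL while the href points to rnb.ro) can be detected mechanically by comparing the host of each anchor's href with the host of any URL printed in its visible text. The following is an added example and is not AVIRA tooling: SAMPLE_HTML is the anchor quoted above, LEGIT_HTML is a constructed counter-example, and the parser is written to tolerate the nested and unclosed anchors seen in this mail.

```python
"""Detect anchors whose visible text shows one URL while href points elsewhere.
Added example, not AVIRA tooling. SAMPLE_HTML is the markup quoted in the
article; LEGIT_HTML is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Nested <a><table><a> markup as quoted from the phishing mail.
SAMPLE_HTML = """<a href="http://www.rnb.ro/process~donatie/participare-bancicomerciale/RTGS">
<table><tr><td> <a href="http://www.rnb.ro/process~donatie/participare-bancicomerciale/RTGS" target="CONTINUT" > http://www.bnro.ro/process~donatie/participare-bancicomerciale/RTGS </td></tr></table></a>"""

# Constructed: links whose text matches, or shows no URL at all.
LEGIT_HTML = '<p><a href="http://www.bnro.ro/">http://www.bnro.ro/</a> and <a href="http://www.bnro.ro/x">details</a></p>'

URL_RE = re.compile(r'https?://[^\s<>"\']+')


class AnchorTextCollector(HTMLParser):
    """Record (href, visible text) for every <a>, tolerating nested and unclosed anchors."""

    def __init__(self):
        super().__init__()
        self.open_anchors = []  # [href, [text chunks]] for anchors not yet closed
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self.open_anchors.append([dict(attrs).get('href') or '', []])

    def handle_endtag(self, tag):
        if tag == 'a' and self.open_anchors:
            self._record(self.open_anchors.pop())

    def handle_data(self, data):
        if data.strip():
            for anchor in self.open_anchors:  # text belongs to every enclosing <a>
                anchor[1].append(data)

    def finish(self):
        self.close()
        while self.open_anchors:  # anchors never closed: sloppy markup is common in kits
            self._record(self.open_anchors.pop())

    def _record(self, anchor):
        href, chunks = anchor
        self.links.append((href, ''.join(chunks).strip()))


def host_of(url):
    return (urlparse(url).hostname or '').lower()


def deceptive_links(html):
    """Unique (href, shown_url) pairs whose hosts differ."""
    parser = AnchorTextCollector()
    parser.feed(html)
    parser.finish()
    out = []
    for href, text in parser.links:
        shown = URL_RE.search(text)
        if not shown:
            continue  # plain-text anchors need a different check (not covered here)
        pair = (href, shown.group(0))
        if host_of(href) != host_of(pair[1]) and pair not in out:
            out.append(pair)
    return out


if __name__ == '__main__':
    for href, shown in deceptive_links(SAMPLE_HTML):
        print(f"shows {shown}\n  goes to {href}")
```

The quoted markup reports one pair: the text shows www.bnro.ro while both the inner and outer anchors go to www.rnb.ro. The check deliberately only fires when the visible text itself looks like a URL, which is exactly the case a reader would trust without hovering over the link.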
For security reasons, we will not display the format of the target page, which was specially crafted.
The first page, where the user was supposed to type in personal information and the credit/debit card details:
After validating the data, the user is prompted to type in the PIN code.
WARNING: The PIN code is NEVER requested during online transactions. This code is only used for direct payments, when shopping at a store or getting cash from an ATM.
Finally, a "Thank You" message for the corresponding donation is shown and even a numeric identifier is generated for the transaction.
3. The headers of the mail
Here are other elements that prove that this mail is a phishing attempt:
Return-Path: McCandle@mccandless.mozcal.org
This address exists and is hosted by hostbigger.com, so it has no connection whatsoever with BNR, which is the alleged author of the message.
Received: from apache by server.hostbigger.com [...]
This proves that the mail was sent with some kind of e-mail generator, probably web based (apache is the web server).
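The header observations made above and in the SpamAssassin excerpt (a Return-Path on a different domain than the From address, a first hop through server.hostbigger.com, a Received line reading "from apache" rather than from a mail peer, and a FORGED_* test firing without crossing the spam threshold) can be scripted. The following is an added example and is not AVIRA tooling: both messages are constructed, modelled on the headers quoted in the article, with made-up message ids, dates and addresses.

```python
"""Header consistency checks for a suspected phishing mail.
Added example, not AVIRA tooling. PHISH_RAW mirrors the headers quoted in
the article; CLEAN_RAW is a constructed genuine-looking counterpart.
Message ids, dates and the TEST-NET address are made up."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message mirroring the quoted headers.
PHISH_RAW = """\
Return-Path: <McCandle@mccandless.mozcal.org>
Received: from apache by server.hostbigger.com with local id 1aBcDe-000123-Xy; Mon, 25 Jul 2005 08:05:11 +0300
From: Banca Nationala a Romaniei <initiativa@bnr.ro>
Subject: Initiativa Bancii Nationale (BNR) - solicitare
X-Spam-Status: No, score=1.5 required=3.0 tests=FORGED_RCVD_HELO,HTML_MESSAGE
Content-Type: text/html

<html><body>...</body></html>
"""

# Constructed two-hop message as a genuine mail from the bank might look.
CLEAN_RAW = """\
Return-Path: <initiativa@bnr.ro>
Received: from mail.bnr.ro (mail.bnr.ro [192.0.2.10]) by mx.example.net with ESMTP id 2bCdEf-000456-Zz; Mon, 25 Jul 2005 08:06:02 +0300
Received: from ws42.bnr.ro (ws42.bnr.ro [10.0.0.42]) by mail.bnr.ro with ESMTP id 3cDeFg-000789-Aa; Mon, 25 Jul 2005 08:05:50 +0300
From: Banca Nationala a Romaniei <initiativa@bnr.ro>
Subject: test
X-Spam-Status: No, score=0.1 required=3.0 tests=HTML_MESSAGE
Content-Type: text/plain

hello
"""


def org_domain(host):
    """Last two labels of a host name (bnr.ro, hostbigger.com). Enough for
    .ro/.com; suffixes such as co.uk would need a public-suffix list."""
    labels = host.lower().strip('.').split('.')
    return '.'.join(labels[-2:])


def header_findings(raw):
    """List header inconsistencies relative to the claimed From domain."""
    msg = message_from_string(raw)
    findings = []
    from_dom = org_domain(parseaddr(msg.get('From', ''))[1].rpartition('@')[2])
    # Envelope sender vs. claimed sender
    rp_addr = parseaddr(msg.get('Return-Path', ''))[1]
    rp_dom = org_domain(rp_addr.rpartition('@')[2]) if rp_addr else ''
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # Received headers are prepended, so the last one is the first hop
    received = msg.get_all('Received') or []
    if received:
        origin = received[-1]
        by = re.search(r'\bby\s+([\w.-]+)', origin)
        if by and org_domain(by.group(1)) != from_dom:
            findings.append(f"first hop through {by.group(1)}, not a {from_dom} host")
        frm = re.match(r'\s*from\s+([\w.-]+)', origin)
        if frm and '.' not in frm.group(1):
            findings.append(f"first hop 'from {frm.group(1)}': injected by a local process, not a mail peer")
    # Filter saw forgery but stayed below threshold
    spam = msg.get('X-Spam-Status', '')
    if spam.startswith('No') and 'FORGED_' in spam:
        findings.append("filter score below threshold although a FORGED_* test fired")
    return findings


if __name__ == '__main__':
    for label, raw in (('phish', PHISH_RAW), ('clean', CLEAN_RAW)):
        print(label, header_findings(raw) or ['no findings'])
```

The constructed phishing message yields four findings and the genuine-looking one none. Note that only the first hop is compared against the sender's domain: later hops legitimately pass through the recipient's own mail exchangers, so checking every Received line would flag ordinary mail.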
Final Considerations
After noting these messages, AVIRA specialists proceeded to put an end to the fraud. Thus, they contacted Mobifon, the Internet provider that had registered the rnb.ro domain (destination of the forged link). Shortly after, by cooperating with Mobifon staff, the link was disabled and the respective domain suspended.
The authors of this phishing attack were requesting an insignificant amount of money, even for a medium-low Romanian salary. Thus, individual losses are apparently small, but the greater the number of participants, the higher the total amount. On the other hand, after getting the card number, nobody could prevent them from withdrawing as much money as possible (or as much as the limit set by the bank allowed). Fortunately, by collaborating with Mobifon, AVIRA managed to stop them in time to prevent a massive fraud.
After further investigations, two sources of the phishing attack were discovered. Here are the only differences between the two:
1. Subject:
1.a."Initiativa Bancii Nationale a Romaniei (BNR) - colaborare" (received at 07:25 AM) and
1.b."Initiativa Bancii Nationale (BNR) - solicitare" (the one that was already analyzed), received at 08:05 AM.
2. Distribution method:
The first e-mail (1.a) came from a distribution list that was created with List Builder, as it was written at the end of the message. The second one (1.b) was sent directly to every e-mail address, using, most probably, a Web Generator.
Detailed analysis of the first e-mail sent on the list: As mentioned above, the first e-mail was carrying at the end the signature of the distribution list it was sent through:
"
Powered by List Builder
Click here to change or remove your subscription
"
The link takes us to the website lb.lbcentral.com, where we are asked:
"
What would you like to do?
Your email address:
email
To unsubscribe from the mailing list, click the Unsubscribe button.
If you wish to remain on the mailing list, but would like to update your personal information click the Change Preferences button.
"
After clicking on "unsubscribe", we get the unsubscribe message:
"Your email address and preferences have been removed from the Banca Nationala a Romaniei mailing list as you requested."
It's worth mentioning that the website bcentral.com is specialized in creating commercial distribution lists (its name comes from Business Central) and is property of Microsoft.
When accessing the link www.bcentral.com , we are redirected to http://www.microsoft.com/smallbusiness/online/email-marketing/list-builder/detail.mspx.
As such, we noticed there were two ways of creating distribution lists, both of them charged. The first one offered a trial version of the list, but, in the end, both required a payment to be used. It may well turn out that the card used for the payment was also stolen.
Conclusions
This theft operation was carefully organized. The authors chose the easiest domain registration method, probably by using a prepaid Connex card. Thus, no identification was necessary, as seen in the false domain registration details.