Data Privacy Alerts ,

Towerwall Information Security Alert Vol 13.50 – Making phishing more complex – on purpose

By Michelle Drolet
25 Oct 2013

postpay

Earlier this week a colleague pointed out an intriguing phishing sample that he had come across. It was interesting not because of any great sophistication or complexity, but rather that it illustrated the reuse of an old social engineering trick. The brand being targeted in the phish campaign is Poste Italiane, a well-known Italian group that includes financial and payment services in its product portfolio.

We see numerous phishing attacks targeting this group each month, with attackers keen to trick their customers into unwittingly submitting their credentials to fake login sites. This latest attack takes a similar strategy to many recent phish campaigns, where the email contains a HTML attachment which the recipient is enticed into opening.
emailthread
From: “Poste Italiane S.p.A – Informazioni”
Attachment: scarica.html
The typical social engineering to entice the user into opening the attachment is evident:
To activate the “Security web Postepay ” you need to:
– Download the attachment, open it in the browser and follow the steps requested.
Curiously, there is reference to some password protection within the attachment, and a password is provided in the message body:
To protect your personal information, the attached file is protected by a password. Your word is unique: A2345L90
Sure enough, recipients tricked into opening the HTML attachment will be prompted for a password:
java

Inspecting the HTML attachment reveals the code behind this – simple JavaScript to prompt the user for a password, which is then used to decode a string:
code1

If the recipient types in the correct password (A2345L90 in this example), the string is decrypted and written back to the page:
code2

This then loads the phish page via the frame, which references a bit.ly shortened URL:
post 3

This article was originally published by Fraser Howard who is one of the Principal Virus Researchers in SophosLabs.