Phishy Behaviour Down Under

I don’t really need to introduce this piece from Sam Varghese of the Sydney Morning Herald. It touches on a theme I’ve harped on before: how banks still don’t understand phishing, how phishing has changed consumer attitudes, and how it must change the way banks approach the Internet.

Phishy behaviour or harmless spin points to emails sent out by Westpac bank, which contain “four links, none of which goes to a secure link, nor to the main Westpac site.

Asked why the bank still sent emails despite the prevalence of online scams, a Westpac spokesman said the bank thought it was a “good idea.””

Banking Sites And The Popup

Here’s one of those moments when you wonder whether banks have yet got a grip on online security.

The Melbourne Age, reporting from the birthplace of phishing, reports today that customers of Australia’s Westpac bank are getting flummoxed by the appearance of a new pop-up window on its Internet banking page.

One user who spoke to ABC Radio 774, according to The Age, “said she had encountered a pop-up that had a 44-page agreement and she could not log in until she clicked on it. … She told 774 she had been unable to send an email to the Westpac support personnel unless she accepted the agreement.”

Westpac, according to The Age, “said the bank had changed some terms and conditions of its service – favouring customers – and as part of the industry code of practice, it had to get customers’ assent.” It has since put the pop-up on hold.

Good intentions, possibly (although who has ever found a user agreement that favours them over the previous one?), but banks have got to get up to speed on the fact that pop-ups are a classic phishing tactic. Adding a pop-up to your site makes the savvy customer nervous and teaches the uninformed customer that lots of pop-ups on a banking site are normal.

Bottom line: Simplify banking sign-ons and reduce the tendency to add stuff — such as pop-up agreements, pop-up ads, indeed any kind of ads before or after signing in that may confuse the user about the authenticity of the site, and, importantly, whether they have safely signed off.

Anatomy Of A Phishing Trojan

Phishing emails don’t need to be sophisticated to lure the unwary. Indeed, there’s some evidence that those behind the more convincing emails masquerading as bank emails are also behind a spate of key-logging trojans, which use basic methods to fool the recipient into activating them.

Australian Daniel McNamara of the anti-phishing website Code Fish has found a new trojan that does a scary amount of work; he believes it comes from the same phishing gang which recently launched attacks against his website and which targeted Westpac and ANZ banks. The emails themselves contain no special tricks, just plain text mentioning something newsy about Australia and offering a link to read more.

In this case it’s not the emails themselves that are sophisticated (in fact, their very simplicity may be the lure); it’s the website they link to (the website in question, apparently, is a cracked Windows XP machine sitting on a broadband link in Canada). All the user sees there is a blank page, whereas in fact, for unpatched Internet Explorer users, the website quickly pushes a trojan onto the user’s computer using a Java applet built into the web page. All it takes is a second, and all the user might see, if his eyes are quick, is a message appearing for a few seconds in the status bar at the bottom of the browser window: “Applet intialising..” Now his computer is infected.

It’s worth taking a closer look at the payload, courtesy of Daniel’s groundbreaking sleuthing. The trojan copies the contents of a file to the Windows directory. It then creates an executable file, which is launched. That creates a subfolder in the Windows directory called “ijn”, in which it places two files, nm32.exe and mn32.dll. The original executable is then deleted. A small text file is created in the same directory.

This is all so well hidden from view that only a real expert could know it was going on. As far as Windows is concerned the trojan and the directory it created don’t exist, even in the Windows Task Manager, even with “show hidden files/directories” turned on. As Daniel says, “somehow the trojan has set up a ‘screen’ so that the overlying Windows GUI denies their existence. Judging from what we found out later it’s because it’s managed to place some hooks into Explorer that allow it to basically become invisible to the average end user.”

Behind the scenes, however, the trojan is busy. As soon as the user visits an Australian banking site it logs all keystrokes to a file in the same directory called “kbd.txt”. The results are then emailed to a server in Russia. The ps.txt file, the other file created by the trojan, is delivered via FTP — a standard protocol for transferring files from one computer to another over the Internet — and appears, Daniel says, to include passwords stored on the victim’s computer, including those for Outlook Express, AOL and possibly Microsoft’s Passport. The FTP site is hosted on a computer belonging to a web hosting company in the U.S.

In other words, this trojan not only captures your banking passwords, it also trawls around for any kind of passwords on your computer that may prove useful.
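The file layout Daniel describes (the “ijn” folder under the Windows directory, the two binaries, the keystroke log and the password file) is enough to write a check that does not depend on Explorer, which is exactly the component the trojan hooks. The script below is an added example of mine, not code from the original post or from Code Fish: it enumerates the drop directory directly through the OS directory API from its own process, reports what it finds, and says whether anything has been captured yet. The assumptions not stated in the write-up are that “the Windows directory” means %WINDIR% (C:\WINDOWS on XP) and that file names should be matched case-insensitively; the demo directory tree it builds is constructed for the example.

```python
"""
Added example, not from the original post or from Code Fish: a host-side
indicator check for the keylogging trojan described in the write-up.

Known from the write-up: the dropper creates <Windows dir>\ijn holding
nm32.exe and mn32.dll, logs keystrokes to kbd.txt and harvested passwords to
ps.txt in the same folder, and hides all of it by hooking Explorer.
Because the hiding is done inside Explorer, enumerating the folder directly
through the OS API from another process may still see it.

Caveat: a rootkit that hooks the enumeration APIs in every process (not just
Explorer) would fool this scan too; then the disk has to be inspected offline.

Assumptions (not in the write-up): the Windows directory is %WINDIR%
(default C:\WINDOWS); names are matched case-insensitively.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List

DROP_DIR = "ijn"                             # subfolder the dropper creates
PAYLOAD_FILES = {"nm32.exe", "mn32.dll"}     # trojan binaries
CAPTURE_FILES = {"kbd.txt", "ps.txt"}        # keystroke log, harvested passwords
WATCHED = PAYLOAD_FILES | CAPTURE_FILES


@dataclass
class Finding:
    path: str
    size: int
    hidden: bool    # FILE_ATTRIBUTE_HIDDEN set (Windows only; False elsewhere)


def windows_dir() -> str:
    """%WINDIR% if set, otherwise the XP-era default (assumption)."""
    return os.environ.get("WINDIR", r"C:\WINDOWS")


def _is_hidden(entry: os.DirEntry) -> bool:
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)   # attribute absent off Windows
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan(windir: str) -> List[Finding]:
    """Enumerate <windir>/ijn with os.scandir, i.e. straight through the OS
    rather than the (hooked) Explorer shell, and return the watched files."""
    target = os.path.join(windir, DROP_DIR)
    if not os.path.isdir(target):
        return []
    findings: List[Finding] = []
    with os.scandir(target) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False) and entry.name.lower() in WATCHED:
                size = entry.stat(follow_symlinks=False).st_size
                findings.append(Finding(entry.path, size, _is_hidden(entry)))
    return findings


def verdict(findings: List[Finding]) -> Dict[str, bool]:
    """Are the binaries present, and has anything been captured yet?
    An empty kbd.txt/ps.txt means the hooks are in place but nothing was
    logged or harvested so far."""
    names = {os.path.basename(f.path).lower() for f in findings}
    captured = any(
        os.path.basename(f.path).lower() in CAPTURE_FILES and f.size > 0
        for f in findings
    )
    return {"infected": bool(names & PAYLOAD_FILES), "data_captured": captured}


def demo_scan() -> Dict[str, bool]:
    """Build a constructed copy of the dropped layout in a temp dir and scan
    it. Nothing here touches the real Windows directory."""
    with tempfile.TemporaryDirectory() as base:
        drop = os.path.join(base, DROP_DIR)
        os.mkdir(drop)
        for name in ("nm32.exe", "mn32.dll"):
            with open(os.path.join(drop, name), "wb") as fh:
                fh.write(b"MZ")                       # placeholder, not the payload
        with open(os.path.join(drop, "kbd.txt"), "w") as fh:
            fh.write("<constructed keystroke sample>\n")  # keylogger has fired
        open(os.path.join(drop, "ps.txt"), "w").close()     # empty: nothing harvested
        return verdict(scan(base))


if __name__ == "__main__":
    found = scan(windows_dir())
    for f in found:
        print(f"{f.path}  {f.size} bytes  hidden={f.hidden}")
    print(verdict(found))
```

Run it as a normal user on the suspect machine; a non-empty result from scan() is a strong sign, but an empty one only says the trojan did not hide from this particular process. The second opinion is a listing taken with the disk mounted from a clean boot.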

So who’s behind it? There are a couple of clues: the email appears to be delivered to a Russian email address. There’s also a snippet in one of the files that would seem to indicate the author, or someone involved in the trojan’s creation, was Russian, or at least East European.

There are a couple of points worth making here:

  • The weekend attack: These attacks happen too quickly for anti-virus companies to respond, particularly if they hit at weekends. Daniel says he spotted the trojan on Friday night, but the website that supported it was not working until midday Saturday, Eastern Australia time (Friday afternoon/evening, U.S. time). Within an hour or two he had heard from one person who was infected after his anti-virus software failed to stop it. Daniel says he forwarded the trojan to the anti-virus companies late Saturday (Australian time), but so far there’s no sign they’ve updated their signatures or posted a warning.
  • Phishers are not just after your bank details. They could also make use of your other passwords. Remember, too, that the website serving the trojan was a hacked broadband computer (probably a home computer) in Canada, whose owner may or may not know it has been broken into. The FTP site was on a legitimate web hosting server in the U.S., where an account had been hacked into.
  • Phishing is not just fancy graphics. Phishing is about social engineering, but it can be primitive, and still successful. This was a plain text email but with enough appeal to get someone to click on the link. (Indeed, with public awareness of the more sophisticated phishing attacks growing, this may be a deliberate move on their part.) Daniel’s convinced the people behind this one are behind others: He points to the fact they use exactly the same technique to upload the trojan as in previous attacks on Westpac and ANZ customers.
  • Sophistication: This trojan adds some elements to the mix that show how, with every attack, the folk behind them get smarter. There’s really no visible sign this trojan has got onto your computer and is living there unless you take a real, close look.
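The other place this trojan shows itself is on the wire: a home or office PC has no business talking SMTP to a server in Russia or FTP to a hosting account in the U.S., whatever the anti-virus vendors have or haven’t shipped that weekend. The script below is an added example of mine, not from the original post or from Code Fish, that runs that rule over firewall logs. Everything concrete in it is assumed: the log line format, the workstation subnet (192.168.10.0/24), the single sanctioned mail relay (192.168.1.25), and the sample lines, which use RFC 5737 documentation addresses rather than any real destination.

```python
"""
Added example (not from the post): flag the trojan's exfiltration traffic in
firewall logs. The write-up says kbd.txt is emailed to a server in Russia and
ps.txt is pushed over FTP to a hosting account in the U.S. Direct SMTP or FTP
from a workstation to an arbitrary Internet host is not normal, so we alert on
outbound 25/21 from the workstation range to anything not on an allowlist.

Assumptions, none of them from the write-up:
  - log format: "<date> <time> <src>:<sport> -> <dst>:<dport> <proto> <action>"
  - workstations live in 192.168.10.0/24
  - the only sanctioned mail relay is 192.168.1.25; no FTP is sanctioned
  - the sample lines are constructed and use RFC 5737 documentation ranges
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

WORKSTATIONS = ipaddress.ip_network("192.168.10.0/24")
ALLOWED = {                                           # sanctioned peers per port
    25: {ipaddress.ip_address("192.168.1.25")},       # internal mail relay
    21: set(),                                        # no FTP from workstations
}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) (?P<action>\w+)$"
)

# Constructed sample: one host mails the relay (fine), then mails an outside
# host and opens FTP to another (the trojan's pattern); a second host browses
# the web and has one denied SMTP attempt.
SAMPLE_LOG = """\
2004-01-01 13:02:11 192.168.10.42:1045 -> 192.168.1.25:25 TCP ALLOW
2004-01-01 13:02:19 192.168.10.42:1047 -> 203.0.113.5:25 TCP ALLOW
2004-01-01 13:02:33 192.168.10.42:1048 -> 198.51.100.7:21 TCP ALLOW
2004-01-01 13:03:01 192.168.10.17:1100 -> 203.0.113.9:80 TCP ALLOW
2004-01-01 13:03:05 192.168.10.17:1101 -> 203.0.113.9:25 TCP DENY
"""


def parse(line: str) -> Optional[dict]:
    """One log line to a dict, or None if it is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_suspect_egress(rec: dict) -> bool:
    """Workstation talking SMTP/FTP to a peer that is not sanctioned for that
    port. Denied attempts count too: the host still tried to exfiltrate."""
    if rec["proto"] != "TCP" or rec["dport"] not in ALLOWED:
        return False
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    return src in WORKSTATIONS and dst not in ALLOWED[rec["dport"]]


def analyse(log_text: str) -> Dict[str, List[dict]]:
    """Group suspect connections by source host."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and is_suspect_egress(rec):
            hits[rec["src"]].append(rec)
    return dict(hits)


def hosts_with_both_channels(hits: Dict[str, List[dict]]) -> List[str]:
    """Hosts seen doing both SMTP and FTP out: the trojan uses both, so this is
    the higher-confidence list to pull off the network first."""
    return sorted(
        src for src, recs in hits.items()
        if {r["dport"] for r in recs} >= {21, 25}
    )


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for src, recs in result.items():
        for r in recs:
            print(f"{src} -> {r['dst']}:{r['dport']} {r['action']}")
    print("both channels:", hosts_with_both_channels(result))
```

Block outbound 25 and 21 from workstations at the perimeter and the same rule becomes a prevention rather than a detection; the DENY line in the sample is what that looks like afterwards, and it is still worth alerting on.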

Bottom line: Phishers use lots of different methods, and lots of different tricks, to get a broad range of information out of you. And if they hit at weekends, anti-virus companies may be asleep at the wheel, so don’t rely on them.