Bank phishing is a world-wide problem, but nowhere is it more widespread or sophisticated than in Latin America. Consumers throughout the Southern Hemisphere are constantly bombarded by Web links and spam attachments which present convincing displays that aim to steal usernames, passwords and other authentication tokens.
Barracuda Labs recently caught a particularly serious example of this sort of attack. Known as Win32.Ngrbot.llr, this malware intercepts the Internet traffic for certain banks and sends that traffic to a completely different webserver run by phishers. How it hides, and what it does, is especially interesting.
The attack starts out with spam. In this case, the spam purports to come from the popular Movistar messaging service and tells you that you have received a multimedia message (MMS) through their website. The "View Multimedia Message" button (Ver Mensaje Multimedia) in the message actually links to a malicious domain.
Clicking that button downloads a copy of Win32.Ngrbot.llr from a file hosting service. Windows does ask you if you are certain.
Running the file appears to have no effect. No multimedia message displays and no decoy website is visited by the Web browser. You are left to suppose that the message is broken somehow. That is not the case: the malware is busy in the background.
The first thing the malware does is to retrieve a text file from a possibly hacked domain.
This file looks exactly like a HOSTS file, and the purpose of its contents is easy to see: each line pairs a bank domain on the left with an IP address on the right. This configuration file instructs the malware to take all traffic destined for the listed banks and redirect it to the IP given to the right of each domain.
That's exactly what happened in our tests. This graphic shows the correct IP address of bancofalabella.cl, 126.96.36.199.
But when the malware is running and a Web browser tries to visit bancofalabella.cl the browser retrieves the web page from 188.8.131.52, the same IP we saw listed in the malware configuration file.
A Web server at 184.108.40.206 serves a copy of the Banco Falabella website and appears very convincing. Seen side-by-side there is nothing to reveal the malicious website as an imposter.
What is more serious is that because the Web browser has been tricked, the URL displayed in the Web browser bar appears legitimate even when the malicious website is displayed.
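Because the malware's configuration uses the HOSTS format, a defender can parse it (or the machine's own hosts file) and flag any watched bank domain whose mapping differs from its known-good address. The following is an added example, not Barracuda's code; the domain and both IPs are the ones quoted above, the watchlist and sample file are constructed, and in practice the known-good address would come from authoritative DNS rather than a literal.

```python
import ipaddress
from typing import Dict, List, NamedTuple

# Watched bank domains and their known-good addresses (the article's values;
# in practice the expected address would come from authoritative DNS).
WATCHED_DOMAINS = {"bancofalabella.cl": "126.96.36.199"}

# Constructed sample of a HOSTS-style configuration like the one the malware
# fetches; comments and several hostnames per line are legal in the format.
SAMPLE_CONFIG = """\
# constructed sample, not the real file
127.0.0.1      localhost
188.8.131.52   bancofalabella.cl www.bancofalabella.cl   # hijacked bank
203.0.113.7    example-bank.test   # placeholder, not on the watchlist
not-an-ip      bancofalabella.cl   # malformed line, must be ignored
"""

class HostsEntry(NamedTuple):
    ip: str
    hostname: str

def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse HOSTS-format text into (ip, hostname) pairs, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    entries: List[HostsEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue   # not an address: never trust a malformed line
        for host in fields[1:]:
            entries.append(HostsEntry(ip, host.lower().rstrip(".")))
    return entries

def find_hijacks(entries: List[HostsEntry],
                 watched: Dict[str, str] = WATCHED_DOMAINS) -> Dict[str, str]:
    """Return {hostname: mapped_ip} for watched domains whose mapping differs
    from the known-good address; a 'www.' prefix is folded onto the bare domain."""
    hijacked: Dict[str, str] = {}
    for ip, host in entries:
        bare = host[4:] if host.startswith("www.") else host
        expected = watched.get(bare)
        if expected is not None and ip != expected:
            hijacked[host] = ip
    return hijacked
```

Running `find_hijacks(parse_hosts(SAMPLE_CONFIG))` reports both bancofalabella.cl names mapped to 188.8.131.52, while the placeholder domain and the malformed line produce no alert.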
Even though the main page for bancofalabella.cl has entry blanks for supplying login information, that page is not served over HTTPS. Because of this, a user has no way to confirm that their credentials will be transmitted to the bank over HTTPS. Most large banks serve all of their pages over HTTPS, and failing to do so makes the bancofalabella.cl website easier to spoof.