by Dave Michmerhuizen & Luis Chapetti – Security Researchers
Bank phishing is a world-wide problem, but nowhere is it more widespread or sophisticated than in Latin America. Consumers throughout the Southern Hemisphere are constantly bombarded by web links and spam attachments which present convincing displays that aim to steal usernames, passwords and other authentication tokens.
Barracuda Labs recently caught a particularly serious example of this sort of attack. Known as Win32.Ngrbot.llr, this malware intercepts the internet traffic for certain banks and sends that traffic to a completely different webserver run by phishers. How it hides, and what it does, is especially interesting.
The attack starts out with spam. In this case, it is spam from the popular Movistar messaging service telling you that you have received a multimedia message (MMS) through their website. The “View Multimedia Message” button (Ver Mensaje Multimedia) in the message actually links to a malicious domain.
Clicking that button downloads a copy of Win32.Ngrbot.llr from a file hosting service. Windows does ask you if you are certain that you want to run the file. Running the file appears to have no effect. No multimedia message displays and no decoy website is visited by the web browser. You are left to suppose that the message is broken somehow. That is not the case. It is busy in the background.
The first thing the malware does is to retrieve a text file from a possibly hacked domain.
This file looks exactly like a HOSTS file and the purpose of the contents is easy to see. Every domain on the left-hand side of the list is followed by an IP address on the right-hand side of the list. This configuration file instructs the malware to take all traffic from the listed banks and redirect it to the IPs found to the right of each domain.
That's exactly what happened in our tests. This graphic shows the correct IP address of bancofalabella.cl, 220.127.116.11.
But when the malware is running and a web browser tries to visit bancofalabella.cl the browser retrieves the web page from 18.104.22.168, the same IP we saw listed in the malware configuration file.
A web server at 22.214.171.124 serves a copy of the Banco Falabella website and appears very convincing. Seen side-by-side there is nothing to reveal the malicious website as an imposter.
What is more serious is that because the web browser has been tricked, the URL displayed in the web browser bar appears legitimate even when the malicious website is displayed.
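Because the address bar still shows the bank's real name, a defender has to compare the hostname requested with the IP address that actually answered. The following is an added example, not code from the original article or from Barracuda: it parses a recovered redirect list in the layout described above and flags matching connection records. The config text, hostnames, client names and addresses are constructed samples, and the three-field record layout is an assumption.

```python
import ipaddress

# Constructed sample (not the real file): domain on the left, redirect IP on the right.
SAMPLE_CONFIG = """\
# constructed sample
banco-uno.example      203.0.113.10
www.banco-uno.example  203.0.113.10
banco-dos.example      203.0.113.77
broken line without an address
"""

# Constructed connection records: (client, hostname requested, IP that answered)
SAMPLE_CONNECTIONS = [
    ("pc-014", "www.banco-uno.example", "198.51.100.5"),   # legitimate address
    ("pc-022", "WWW.Banco-Uno.example.", "203.0.113.10"),  # served by redirect IP
    ("pc-022", "news.example", "192.0.2.44"),              # unrelated site
    ("pc-031", "banco-dos.example", "203.0.113.77"),       # served by redirect IP
    ("pc-040", "intranet.example", "203.0.113.77"),        # redirect IP, other name
]

def normalize(host):
    """Lower-case a hostname and drop the trailing root dot."""
    return host.strip().rstrip(".").lower()

def parse_redirect_list(text):
    """Return {domain: ip} from 'domain ip' lines; skip comments and bad lines."""
    redirects = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            continue
        redirects[normalize(fields[0])] = str(ip)
    return redirects

def find_redirected(connections, redirects):
    """Flag listed domains answered by their redirect IP, and any use of a listed IP."""
    bad_ips = set(redirects.values())
    hits = []
    for client, host, ip in connections:
        name = normalize(host)
        if redirects.get(name) == ip:
            hits.append((client, name, ip, "listed domain redirected"))
        elif ip in bad_ips:
            hits.append((client, name, ip, "contact with redirect server"))
    return hits
```

Calling `find_redirected(SAMPLE_CONNECTIONS, parse_redirect_list(SAMPLE_CONFIG))` returns one tuple per suspicious record, which identifies the clients to investigate.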
Even though the main page for bancofalabella.cl has entry blanks for supplying login information, that page is not displayed using HTTPS. Because of this a user is unable to determine that their credentials will be transmitted to the bank using HTTPS. Most large banks display all of their pages using HTTPS, and failure to do so makes the bancofalabella.cl website easier to spoof.
Indeed, our subsequent tests showed that the fake website was unable to display HTTPS pages. The legitimate BancoFalabella website did reject a fabricated login and password.
The spoofed website accepts anything offered as a login and password because it has no way to check them for validity. Instead, it saves them to use for bank fraud and identity theft. We know something is wrong with this website because after accepting false credentials a broken webpage is displayed. Unfortunately, by the time someone using an infected computer sees this broken page it is too late – their credentials have been captured by the malicious server.
In prior tests, this webpage also asked for a Digipass token. Digipass is a secondary authentication device often used by Latin American banks. Surrendering this token would give phishers everything they need to empty a bank account.
Malware such as this reinforces the need to be careful when using the internet. Never click on links in emails. Never, EVER, run programs that unexpectedly ask for permission to run. Buy a reputable desktop antivirus program which offers behavioral detection technology, and keep it up to date.
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service block the traffic from this threat.