SANS ISC: InfoSec Handlers Diary Blog

Phishing Messages May Include Highly-Personalized Information

Published: 2006-03-17
Last Updated: 2006-03-17 01:15:06 UTC
by Lenny Zeltser (Version: 3)
Phishing messages are becoming increasingly personalized in an attempt to convince recipients to trust the originators of the messages. A phishing email recently submitted to us illustrates this trend. In this case, the message that arrived in the victim's inbox included the person's full name and postal address:



The message masqueraded as a CitiBusiness banking alert, claiming that an unauthorized access attempt had occurred from 81.190.253.29. The "click here" link led to a fraudulent website hosted at citibusinessonline.da.us.citibank.com.citionline.ru. Note that the registrable domain in that hostname is citionline.ru; the "citibank.com" portion is merely a chain of subdomain labels chosen by the attacker to make the address look legitimate. The whois record for citionline.ru indicated that the Russian domain had been registered a few days prior to the attack.

Where does the personal data come from? In this incident, the victim rarely used his/her full name online, and the name was not listed in phone directories. It is possible that the scammer obtained the data from diverse sources and was able to link the fields (name, email address, and postal address) together. More likely, the data originated from a website that stored billing details or from a compromised credit card processor. Yet another possibility is that the scammer purchased the data from legitimate consumer data providers. Even if the scammer was not certain that the victim's records were correct, a small number of accurate matches would still increase the number of fooled victims.

If you were wondering what awaited the victim at the website set up for the phishing attack, wonder no more:



Mimicking the real CitiBusiness Online website, the phishing site allowed the victim to enter his/her Business Code by clicking on images of numbers in the form. The URL that brought the person to the fraudulent site included a unique identifier that allowed the site to track email recipients. It is possible that the identifier was used to pull up the victim's records from the fraudulent site's database; another possibility is that the victim's name and address were actually encoded in the URL string. As a result, two screens later, the victim was presented with his/her postal address and full name without having to supply them to the site:
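The two link-level tricks described above, a trusted brand name buried in the subdomain labels of an attacker-controlled domain, and a per-recipient identifier carried in the URL, are both things a handler can check mechanically when triaging a reported phishing link. The following is an added example, not code from the ISC diary or from any Citibank or APWG tool. It assumes a tiny stand-in for the public suffix list, a constructed sample URL (the diary gives only the hostname; the path and the base64 token are made up to illustrate the "name and address encoded in the URL" hypothesis), and the brand domain citibank.com as the one being spoofed.

```python
"""Triage a suspected phishing URL: determine who really controls the host
and inspect any tracking identifier the link carries.

Added example for this diary, not the diary's own code. The sample URL,
the suffix list and the tracking token below are constructed for illustration.
"""
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

# Assumption: a small stand-in for the public suffix list, enough for this demo.
PUBLIC_SUFFIXES = {"com", "ru", "net", "org", "co.uk", "com.au"}

# Brand domains whose appearance inside a foreign hostname should raise a flag.
BRAND_DOMAINS = {"citibank.com"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname the registrant controls, e.g.
    'citionline.ru' for 'citibusinessonline.da.us.citibank.com.citionline.ru'."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest suffix first so 'co.uk' wins over 'uk'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def brand_spoofed(host: str, brands=BRAND_DOMAINS) -> bool:
    """True when a brand domain appears as whole labels inside the hostname
    but is not the registrable domain, i.e. it is attacker-chosen decoration."""
    host = host.lower()
    reg = registrable_domain(host)
    return any(f".{b}." in f".{host}." and reg != b for b in brands)


def decode_identifier(token: str):
    """Try to read a tracking identifier as base64 text. Returns the decoded
    string if it is printable (victim data encoded in the link), or None if
    the token is opaque and must be resolved by the phishing site's database."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def analyze_url(url: str, brands=BRAND_DOMAINS) -> dict:
    """Combine the host check and the identifier check into one triage record."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Candidate identifiers: every query value plus any long path segment.
    candidates = [value for _, value in parse_qsl(parts.query)]
    candidates += [seg for seg in parts.path.split("/") if len(seg) >= 16]
    return {
        "host": host,
        "registrable_domain": registrable_domain(host),
        "brand_spoofed": brand_spoofed(host, brands),
        "identifiers": {tok: decode_identifier(tok) for tok in candidates},
    }


# Constructed sample: the diary's hostname plus a made-up path and a token
# that encodes fictitious victim data the way the diary speculates it might.
SAMPLE_TOKEN = base64.urlsafe_b64encode(
    b"John Doe|123 Main St|Anytown").decode().rstrip("=")
SAMPLE_URL = ("http://citibusinessonline.da.us.citibank.com.citionline.ru"
              f"/signon.php?id={SAMPLE_TOKEN}")

if __name__ == "__main__":
    for key, value in analyze_url(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

Running the block against the sample link reports citionline.ru as the registrable domain, flags the brand-in-subdomain trick, and recovers the name and address from the token. A token that decodes to non-printable bytes, or does not decode at all, is reported as None, which corresponds to the other hypothesis in the diary: an opaque identifier that the fraudulent site resolves against its own database.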



After allowing the victim to correct the address, the site prompted the person for additional sensitive information, such as date of birth, social security number, and mother's maiden name:



We reported this phishing attempt to the Anti-Phishing Working Group and to Citibank. If you have witnessed highly-personalized phishing scams of this nature as well, please send us the details.

Update: We received another instance of the scam that was part of this phishing campaign. The message had the same properties as the one described above and contained the recipient's full name and postal address. Rather than directing the victim to citionline.ru (81.177.14.13), this message linked to citisupport.ru (194.135.103.19). Both messages claimed that the unauthorized logon attempt that prompted the "alert" occurred from IP address 81.190.253.29. A quick web search revealed yet another instance of this scam, which seems to have started as early as two weeks ago.

This note incorporates comments from several ISC handlers. I am very grateful for their contributions.

Lenny Zeltser
ISC Handler
www.zeltser.com