Bank UBI Fraud – Phishing Domain

Hi,

The following blog entry is the result of research carried out by me and Emdel from Playhack, who received the email and wrote the paper with me.

The scam email is the following:

_________________________________________________

DEAR CUSTOMER OF BANCA UBI, The Technical Service of Banca UBI Online is performing a scheduled update of the banking software in order to improve the quality of its banking services. We ask you to start the customer data confirmation procedure. To this end, please click on the link that you will find at the end of this message. CLICK HERE TO CONFIRM [1] We apologise for any inconvenience, and we thank you for your cooperation. © Gruppo UBI Banca 2008 Links:

_________________________________________________

Which contains the following link:

This URL is clearly a phishing site: http://79.165.218.183/login.php. In fact there is no secure (HTTPS) connection, which banks are so fond of, and the URL is just a bare IP address. Looking at the browser bar we can see a redirection:

This last URL gives us the following reply:

HTTP/1.1 302 Found
Date: Sun, 28 Sep 2008 12:53:17 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c
X-Powered-By: PHP/5.2.0-8+etch10
location: http://quiubi-line.com/hd/login.do.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=WINDOWS-1251

Dissection

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//IT" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><title>Gruppo UBI Banca - Qui UBI - LOGIN</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="CONTENT-LANGUAGE" content="Italian">
<meta http-equiv="Expires" content="Dom, 01 Gen 2006 11:56:50 GMT">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<meta name="keywords" content="">
<meta name="description" content="Build Fase 4.40.00 - 30.01.2008 - Blocchi CI">
<link rel="stylesheet" href="login.do_files/bpu.css" type="text/css">
<link rel="shortcut icon" href="https://www.quiubi.it/hb/favicon.ico">

Here starts the fraud:

<h2 title="Benvenuto in Qui UBI Home Banking">
<span>Benvenuto in Qui UBI Home Banking!<br>
Qui UBI è un mondo di servizi di Internet Banking che ti permette di avere la tua banca sempre a portata di mano.
</span>
</h2>

Credit Card Number:

<form name="LoginForm" method="post" action="login.do.php?ref=1201716373577" onSubmit="javascript:checkAndSubmitLogin();" style="display: inline;">
<div class="txt-form-home">Codice cliente
<label for="field1" style="display: none;">Codice cliente</label>
</div>
<input name="codice" tabindex="1" value="" onKeyPress="hideErrors();if (event.keyCode==13) {entra(); return false;}" id="field1" class="campiform szInpHome" type="text">

Security Code:

<div class="txt-form-home">Codice sicurezza (password)
<label for="field2" style="display: none;">Codice sicurezza</label></div>
<input name="password" tabindex="2" value="" onKeyPress="hideErrors();if (event.keyCode==13) {entra(); return false;}" id="field2" class="campiform szInpHome" type="password">
<br>

PIN:

<div class="txt-form-home">PIN Dispositivo
<label for="label" style="display: none;">Codice sicurezza</label></div><input name="pin" tabindex="2" value="" onKeyPress="hideErrors();if (event.keyCode==13) {entra(); return false;}" id="field3" class="campiform szInpHome" type="password">

If we fill in the form correctly, the credentials are stolen and the victim is redirected to the real UBI Bank website.
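As an added example (not code from the original post), here is a Python triage script over the indicators this write-up walks through: the bare-IP, plain-HTTP URL, the lookalike redirect host, and a login form that collects the password and the PIN together. It assumes quiubi.it (the domain the favicon link points to) is the bank's real domain, and the HTML inside it is a constructed excerpt of the form dissected above.

```python
# Added example, not from the original post: offline triage of a phishing landing
# page using the indicators the write-up walks through.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAIN = "quiubi.it"  # assumed real bank domain, taken from the favicon link

def url_indicators(url):  # indicators the URL alone exposes
    p = urlparse(url)
    host = p.hostname or ""
    flags = ["no TLS"] if p.scheme != "https" else []
    try:
        ipaddress.ip_address(host)
        flags.append("bare IP host")
    except ValueError:  # not an IP literal: compare against the real domain
        if host != LEGIT_DOMAIN and not host.endswith("." + LEGIT_DOMAIN):
            flags.append("host is not " + LEGIT_DOMAIN)
    return flags

class FormScanner(HTMLParser):  # form actions, password inputs, off-site hosts
    def __init__(self):
        super().__init__()
        self.actions, self.secrets, self.offsite = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type") == "password":
            self.secrets.append(a.get("name"))
        elif tag == "link" and a.get("href", "").startswith("http"):
            self.offsite.append(urlparse(a["href"]).hostname)

def triage(html):
    s = FormScanner()
    s.feed(html)
    # a login form asking for the password AND the transaction PIN collects more than a login needs
    return {"actions": s.actions, "secrets": s.secrets, "offsite_hosts": s.offsite,
            "harvests_multiple_secrets": len(s.secrets) > 1}

# Constructed excerpt modelled on the form dissected above (not the full page).
SAMPLE_HTML = """<link rel="shortcut icon" href="https://www.quiubi.it/hb/favicon.ico">
<form name="LoginForm" method="post" action="login.do.php?ref=1201716373577">
<input name="codice" id="field1" type="text">
<input name="password" id="field2" type="password">
<input name="pin" id="field3" type="password">
</form>"""
```

Running `triage(SAMPLE_HTML)` reports the two password-type fields, the relative `login.do.php` action, and that the only absolute resource link points at the real bank, which is exactly the brand-borrowing pattern of this kit.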

WHOIS Information

Now it is time to dive into the WHOIS information to understand the real origin of this weird website:

Query on IP 79.165.218.183
Name Resolution:
host-79-165-218-183.qwerty.ru

inetnum: 79.165.208.0 - 79.165.223.255
netname: Neo-CNT
descr: BRAS E-320-29 DHCP-pool
descr: Russian Central Telegraph, Moscow
country: RU
admin-c: VYK9-RIPE
admin-c: AAP43-RIPE
tech-c: VYK9-RIPE
status: ASSIGNED PA
mnt-by: CNT-MNT
source: RIPE # Filtered

person: Victor Y. Kovalenko
address: Central Telegraph
address: 7, Tverskaya st.
address: 103375, Moscow, Russia
remarks: phone: +7 095 2924959
phone: +7 495 2924959
e-mail: vikov@cnt.ru
nic-hdl: VYK9-RIPE
remarks: Network Administrator
source: RIPE # Filtered
remarks: modified for Russian phone area changes

person: Alexey A Petrov
address: 7, Tverskaya st.,
address: Central Telegraph, Moscow,
address: 125375, Russia
remarks: phone: +7 095 504 4449
phone: +7 495 504 4449
remarks: fax-no: +7 095 201 9319
fax-no: +7 495 201 9319
e-mail: apetrov@cnt.ru
nic-hdl: AAP43-RIPE
remarks: Network Administrator
source: RIPE # Filtered
remarks: modified for Russian phone area changes

route: 79.164.0.0/15
descr: CNT-network BLOCK
origin: AS8615
mnt-by: CNT-MNT
source: RIPE # Filtered

It is from Russia! This year a lot of attacks, frauds and other kinds of illicit actions originated in the former USSR, and sometimes the shadow of the RBN is behind them.

Summing up the URL steps:

An image can clarify the main fake features of the Russian website:

Written by Giuseppe 'Evilcry' Bonfa' and Emdel

2 Responses to Bank UBI Fraud – Phishing Domain

  1. emdel says:

    Good work bro 🙂

  2. Sa3Q says:

    Thank you man, you are great

    walk and I will back with you

    http://www.sa3q.net
    🙂
