While checking my spambox today I noticed a phishing email I received two days ago. Thought of analyzing the stuff, so here we go.


The above is what reached my spam folder. There are enough elements for the email to be tagged as “spam”, however if the attacker was a bit lucky with the server he/she used, it could have landed in my Inbox.

The “customer” is prompted to click on the link http://www.abcbanking.mu to read a message. Upon clicking that, the person would have seen the following page which looks identical to the “login” page of the ABC Banking Corporation.


Notice the URL does not point to abcbanking.mu.

Going through the code of the page I noticed that actual images, JavaScript and CSS elements are loaded from the bank’s URL.

<title>ABC Internet Banking</title>
<link rel="stylesheet" type="text/css" href="https://ebanking.abcbanking.mu/B001/css/abccustom/layout_ib_login.css">
<link rel="stylesheet" type="text/css" href="https://ebanking.abcbanking.mu/B001/css/abccustom/main_layout.css">
<link HREF="https://ebanking.abcbanking.mu/B001/css/cmn/default.css" TYPE="text/css" REL="STYLESHEET">
   <script language="JavaScript" type="text/JavaScript" src="https://ebanking.abcbanking.mu/B001/jsdir/virtualkeyboard.js"></script>
	<script language="JavaScript" type="text/JavaScript" src='https://ebanking.abcbanking.mu/B001/jsdir/security.js'></script>
	<script language="JavaScript" src="https://ebanking.abcbanking.mu/B001/jsdir/common.js"></script>
	<script language="JavaScript">

Oh dear! You’re a bank. Please prevent your assets from being hotlinked.

Well, what happens when someone enters login credentials in the form? According to the below code, it’s processed using internet.php which is then surely sent to the attacker.

</pre> By the way, the bank's ebanking page is served through JSP and not PHP, that's another catch. The attacker hosted the login page at alifeascending.com which appears to be a movie/documentary's promo page, running on WordPress. Damn, it got compromised and the attacker was able to host his/her pages there. That webpage is hosted in the United States of America while the email was sent from Iran (as per the sender's IP address). abc-banking-phishing-attack-source Lastly, the attacker actually sent the email using the address ebanking@abcbanking.mu in the From: field but this trick got thwarted thanks to a Sender Verification that's enabled in the Exim mail config.
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - linux1.centraldnserver.com X-AntiAbuse: Original Domain - hacklog.in X-AntiAbuse: Originator/Caller UID/GID - [1677 1688] / [47 12] X-AntiAbuse: Sender Address Domain - linux1.centraldnserver.com X-Get-Message-Sender-Via: linux1.centraldnserver.com: authenticated_id: greendelta/only user confirmed/virtual account not confirmed X-From-Rewrite: rewritten was: [ebanking@abcbanking.mu], actual sender is not the same system user
Above is from the email header showing that the message was sent as ebanking@abcbanking.mu while using the account greendelta on the server linux1.centraldnserver.com. Not to confuse, this isn't a security feature on the bank's side but rather on the mail server that was used to launch the phishing attack.
At the time of writing this article I have alerted ABC Banking Corporation, CERT-MU and a press person at alifeascending.com.