Mauritius Commercial Bank, @mcb.mu forged by cyber criminals

I learned about fighting email forgery through a wise friend and he's been an ardent proponent of DKIM and SPF. We tossed the topic previously, whenever Web & Email security were being discussed in events.

Today a fellow subscriber of the Mauritius Internet Users mailing list notified people about a phishing email he's been receiving since the past 5 days. The screenshot he sent was interesting as it showed the sender email address as being FYI@mcb.mu.

mcb-phishing-again

Screenshot sent by Tushal S

In previous MCB email phishing attacks, cyber criminals didn't use the domain @mcb.mu.

Let's have a look at the email header and find where does the email originate from?

Authentication-Results: hotmail.com; spf=none (sender IP is 209.165.xxx.xxx) smtp.mailfrom=FYI@mcb.mu; dkim=none header.d=mcb.mu; x-hmca=none header.id=FYI@mcb.mu X-SID-PRA: FYI@mcb.mu

I've cut out the IP address on purpose, as usual.

The Mauritius Commercial Bank email servers have no SPF and DKIM implementation, thus there is no way for the Domain Name System to identify if the email originates from the right email server. Any server connected to the Internet can be used to spoof the address mcb.mu and send emails.

The IP address as it appears in the email header, can be traced back to the United States.

mcb-phishing-ip-trace

This IP address does not belong to MCB email servers.

The email content source indicates that elements like the MCB logo was directly pulled from the official website.

When I checked on which page the "Activate your mcb account here" links, the same was presented as unsafe by Google Chrome. Most probably people have reported the domain name already.

Mauritius Commercial Bank email easily forged

The cyber criminals employed "improved" techniques in their attack this time. The attack also triggers the extent of the email systems being vulnerable. To test the same, I set up a mail server on my end and sent myself a fake email mimicking the MCB. My email was delivered to the Inbox. A fake MCB email delivered to the Inbox is serious!

mcb-phishing-test

A fake email I sent myself

When triggering mass scale attacks, cyber criminals make a lot of mistakes. However, if the technique is exploited well, maximum damage can be done. I will not go into detail why my fake email was delivered to the Inbox as it's not the subject of the discussion.

The main highlight is that the Mauritius Commercial Bank needs to implement proper mechanisms to fight email forgery and not just petty spams. A proper security mechanism will prevent such emails (i.e using @mcb.mu) from circulating & targeting MCB customers.


Share this post