Nov 142018
 

There has been an increase in the number of e-mails and text messages that are landing in my spam folders recently. I am not sure why the upturn is happening, but some of the e-mails are getting very convincing.

It was not long ago that I would get badly spelled, poorly constructed e-mails that were easy to spot,

Subject: Yuor Natwast account has ten tnarsactions pending.

Now, not only do I not have a Natwest account, but the typo’s in the subject line made it super obvious.

Yesterday I got an e-mail.

Subject: Lloyds Bank Fraud Alert.

Which looked legit to me at first glance.

Sender: FraudAlert@lloyds.co.uk

Not bad – but a quick check (by hovering over the senders name) showed that the domain was not lloyds – that was the sender name, the actual account sending the e-mail was something like

Fraud.Alert@lloyds.bank.user332798712379821.net

Additionally it was sent to an e-mail address that I do not use for banking. The e-mail address was one of the e-mail addresses that was part of a previous attach on Talk Talk – where many thousands of e-mail and hashed passwords were obtained, along with partial credit card details.

The body of the e-mail looked perfect, it looked just like a Lloyds e-mail.

It was addressed to me too, although it was First and Last names, not Mr. M R  – so that gave things away slightly. But it was subtle, it had my name on it, which upgrades from a phishing attack to a spear phishing attack

What was even more interesting was that the ‘click to sign in’ looked like it would took me to https://signin.lIoydsfraudaIerts.com.user332798712379821.net/(my email address) – again hover over the link and you see the full thing.

Which again, at a glance looked super legitimate the extra junk in the domain would probably only be visible when viewed in most browsers it was very impressive.

Out of interest, I fired up a VM and visited the site.

HTTPS was valid – chrome reported the site as secure – someone had bought a certificate for this.

The sign-in page was very nicely done, this was very impressive. Most of the links took me back to the same page though….

Then the actual login piece was very clever indeed.

  • It wanted my user-name : I entered zzzzhhhhhzzzz which is not my user-name.
  • It wanted my password : I entered password1 – again, not my password
  • It wanted character 3,4,6 of my secret code : I entered a,a,a which is not mine.
  • It told me that my secret information was incorrect, and asked for 1,2,5 : I entered a,a,a
  • It told me that it needed to send me a secret key and suggested I enter my phone number

I bailed at this point. I deleted the VM, just in case and sat thought about this.

After this, I got an email that contained a PDF that was a fake ‘Lloyds Satisfaction Survey’ – which had I opened it on a windows machine would have installed a worm…..

This was super good, it was a Spear-Phishing attempt. It was tailored to me. I should be honoured.

But look at what it could have collected.

  • My Bank Login
  • My Password
  • Six of the characters in my secret data
  • My phone number

Holy shit – that is brilliant.

It looked very official, it took me to a secure site, it was setup to trap useful information that would give people access to my bank account. The satisfaction survey PDF was a lovely touch too.

This is one of the best attempts I have ever seen, I am sure that the average person would have given away some or all of their information.

Let’s recap.

My e-mail address was harvested along with partial credit card details in the Talk-Talk breach. This gave an attacker my First and Last names, a valid e-mail address and potentially the bank I used based on the partial credit card data.

Knowing that I bank at Lloyds (great customer service BTW) and armed with decent spelling and grammar, customised e-mails were easy to generate, and custom landing pages to harvest the information too.

The PDF satisfaction survey was brilliant, the worm, had I been on Windows, looked like it would have run riot all over my network unless I was absolutely up-to-date on my update, virus protection and using an admin (not user) account.

Very, very nicely done.

 Posted by at 8:00 am

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)