A few weeks ago, I had the opportunity to write a blog about a very nice experience I had – during a presentation in Copenhagen – where hacker tried to fake an identity and tried to force me via communicator to install a malware on my machine.

I wrote this blog because it is a very nice example of attack, and I think that it is always good to “teach” internet users. As a matter of fact, “teaching” people is the only way to block these attacks with a long term vision, since they always use the same tricks, but just change constantly their approach.

Today I had another one that we call “fishing”, and because the system was not reported yet in the fishing databases, I decided to do an analysis, and would like to share with you that story.

Step 1 : The mail

I received yesterday this mail. Sorry for the French (the attack is good (or by luck) since I am French). It says pretty much that “Visa” detected a problem with my credit card, and that I need to answer a few questions otherwise they will block it.

They use here an approach where they want to make me afraid in order to mentally force me to do what they want me to do.

phi1

When you are a bit trained on these techniques, you can see quickly that it is a fake (but when you are not, or really afraid you don’t even see it). There are also some other clues to see that it is fake :

·         “Spaces” between “Carte bancaire” (payment card) and “est suspendue” (is blocked)

·         Uppercase characters and also spaces in “suspendue<space>, Car” (because)

A financial institution would never let this happen!!!

 

Step 2 : The attack

As you can see they ask me to “click” a link. If you put your mouse on the link (but don’t click), Internet Explorer will show you this one :

http://www.partesdepc.com/tienda/images/dbjje/www.VerifiedByVisa.com/VerifiedByVisa/rifiged2-6rc_t3Dj26ei3D_V4N0S8P1Bsu34gb9h_WmCg26sa3DX/authentication.php

I don’t advise you to do it because you are not IT specialists, but in my case I decided to continue and click the link (running at the same time a protocol analyzer to see what is going on in the wire).

Look at this wonderful “visa” web page. It is a true one, because it is written “Visa” on it !! Of course not. As you can see again, there are some mistakes: spaces, missing spaces (“seraprotégé”, in French it is “sera protégé” (will be protected)).. etc.

But let’s “test” this page. If it is really visa web site, and if I enter weird information of course I will get an error, especially with a wrong card number. So I decided to do this:

·         My name is Arnold Swarzenegger

·         I am leaving on “Pumping Iron road” in venice CA

·         And my mother name is lou Ferigno

·         My card is weird, and my cryptogram number totally invented :

phi2

Guess what, I click, it works! This is just not possible if this is a real page!... proving that it is fake.

The trick is that now, they redirected on the official Visa web site. So I can browse around, get some information, and I have the feeling that I am safe.

For the IT pros, in fact when I click “valider” (validate), this generate this request:

phi3

 

As you can see I have an HTTP “POST” request, sending all my “data”. The Thief is here !

Step 3 : How to investigate the attack

Frequently, Phishing web sites use an IP Address rather than a real name (here they use http://www.partesdepc.com). The reason for this is that if you want an “internet name” you have to buy it, and also need to give some personal information (contact, tel number). For a hacker, it is too slow, too complicated. So if you see a link with something like http://w.x.y.y (where w.x.y.z are numbers, in fact the IPV4 address of the hacker machine) this is for sure a phishing site.

In this example, this is a real “domain name”. But who is owning this name ? Where is located this web site ?

On the internet, when you buy a name, you go through a company that is authorized to sell and register your name. Because we need to provide information (company name, tel contact) during this process, asking this “registar” who own this name may give us a clue.

So step 1, let’s find the IP Address of this web site. On your PC, just open a “command prompt”, and type PING www.partesdepc.com. This will force your machine to do a DNS request (transform the name into an IP Address, and get in return the IP of that machine.

 

C:\Users\fesnouf>ping www.partesdepc.com

Pinging partesdepc.com [66.7.214.212] with 32 bytes of data:

Now we have the IP. Where is located this machine?  We just need to use a “whois” web site (supposed to  show  you the owner of this name based on an IP address), type the IP Address, and in return the registar shows us who is the owner of this IP (not yet the owner of the web site).

In this case the company is in USA (extract of the answer):


OrgName: HostDime.com, Inc.
OrgId: DIMEN-6
Address: 189 South Orange Avenue
Address: Suite 1500S
City: Orlando
StateProv: FL
PostalCode: 32801
Country: US

So we know now who the company is that own this IP, but not yet the “web site”. Part of the answer we get, we also get the email to use in case we detect a fraud. This is mandatory when you register a domain name. So we know now who is Hosting this web site.

But who is the owner of the web site itself ? This Orlando based company seems to be hosting this web site, but don’t own the content. Let’s try to connect the web site, not with the long URL we received by email, but just with the site name: http://www.partesdepc.com.

phi4

That is very strange? A “hacking” web site selling goods? In fact when you seek in the web site (in Spanish) you can see that this is a respectable company in Montevideo. My “feeling” is that they have been hacked, and that the hackers use their “legal web site”, to steal data and reroute it somewhere. This is because they probably took “control” of the server, and added some “bad” code in it. Unfortunately I did not have the chance to look at the “bad” code so I have no idea what happen behind the web site, when information is hacked by user answering these questions.

Step 4 : How to react as an IT specialist

Of course when you detect such attack you need to do all your best to report it.

First, I advise to go in Internet Explorer, SmartScreenFilter, Report Unsafe Website. The only tiny problem is that you need to “click” the link to be able to use this option.

What I did as an IT Pro, is that I just sent a mail to:

·         The company that hosts the web site

·         The company that owns the web site

A few seconds after, the company that host the web site just replied saying that they were investigating, and a few minutes after, they shut down part of the web site that was in fact “stealing” the information. Hosting companies have always a good and reliable procedure when “hacking” is in the discussion.

Step 5 : How to react as an “user”, not an IT specialist

What I want to emphasize here is how you can quickly detect that it is potentially an attack:

·         Fact : Visa is sending me an email asking me something

o   Question: Usually you have relationships with your bank, not visa directly!!

·         Fact : Visa is asking me to provide confidential information (card number, cryptogram number)

o   Question: Why ? what is that www.partesdepc.com and not visa ?

·         Fact : There are “text” mistakes (upper characters, spaces, …)

o   Question: would a serious company would let these mistakes?

Keep in mind that the technic used to steal your data are always the same, they fake a message, fake an identity.. and if you believe them, you are dead. Be suspicious, observe, and ask yourself if there is logic.