Earlier this month, we witnessed a phishing attack on bank customers in Malaysia which combines some common social engineering techniques (scare tactics) with some newer technical misdirection techniques (URL shortening), and decided to provide a detailed blow-by-blow for you below on how this particular phishing campaign works.
The CIMB Clicks site, which is the online banking portal for CIMB bank, offers customers online banking, insurance, and share trading services. Customers can also pay bills, inquire about account balances, and conduct various other financial transactions.
Common Scamming Tactics Used
The CIMB Clicks phishing scam employs two increasingly common techniques to entice the victim into participation. First, the language in the attached documents attempts to ‘scare’ the customer into thinking that access to their CIMB accounts has been restricted. Second, the scam obfuscates the fake phishing link by converting it into a shortened URL using a URL-shortening web service.
Cyren detects these phishing documents as “XML/Phish.H” for the fake MSWord CIMB document and “PDF/Phish.EVZ” for the fake PDF CIMB document.
Cyren Analysis—CIMB Clicks Phishing Scam
The following images show what the fraudulent MSWord and PDF documents look like when opened by the recipient.
Figure 1: Fake MSWORD CIMB Document
Figure 2: Fake PDF CIMB Document
HTTP Redirection Using URL Shortening Web Service
Clicking the highlighted URL link leads to the following HTTP redirection (Figure 3 below). You will notice that the URL link appears as a shortened URL via “bit.ly”. Increasingly, we are noticing that criminals are obfuscating their malicious links using URL-shortening web services, such as bitly.com and tinyurl.com. By using a shortened URL, the criminal prevents the victim from discovering, by hovering over the link, that the real destination is not the one the message claims.
Figure 3: HTTP Log Redirection
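The misdirection above works only while the short link stays unexpanded. As an added example (not Cyren's code, and not part of the original post), the following Python resolves a bit.ly-style redirect chain hop by hop with HEAD requests, so the real landing host is known before anyone clicks. The legitimate host names in `LEGIT_HOSTS`, the `fetch` callback and the constructed `FAKE_RESPONSES` chain are assumptions for this example.

```python
# Added example (not Cyren's code): expand a bit.ly-style short link hop by
# hop with HEAD requests so the real landing host is known before anyone
# clicks.  `fetch` is injectable so the logic can be exercised offline.
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Hosts the genuine CIMB Clicks portal lives on (assumption for this example).
LEGIT_HOSTS = {"www.cimbclicks.com.my", "cimbclicks.com.my"}
REDIRECTS = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def http_head(url):
    """Live fetcher: one HEAD request, redirects not followed automatically.
    Returns (status, Location header or None)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx instead of chasing it
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:  # an unfollowed 3xx lands here
        return e.code, e.headers.get("Location")


def expand_short_url(url, fetch=http_head):
    """Return every URL in the chain, from `url` to the first non-redirect."""
    chain = [url]
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    raise RuntimeError("redirect chain too long: " + " -> ".join(chain))


def is_suspicious(chain, legit_hosts=LEGIT_HOSTS):
    """True when the final landing host is not one of the expected hosts."""
    return (urlparse(chain[-1]).hostname or "").lower() not in legit_hosts


# Constructed offline stand-in for the network: short link -> phishing host.
FAKE_RESPONSES = {
    "https://bit.ly/EXAMPLE": (301, "http://phish.example.net/cimb/"),
    "http://phish.example.net/cimb/": (302, "/cimb/login.php"),
    "http://phish.example.net/cimb/login.php": (200, None),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))
```

Running `expand_short_url("https://bit.ly/EXAMPLE", fetch=fake_fetch)` returns the three-hop chain ending on the constructed phishing host, which `is_suspicious` flags; pass `http_head` (the default) to resolve a real link without ever loading the final page.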
A Never-ending Loop
The following is the process once the victim arrives on the fake CIMB Clicks site (Figure 3). Notably, the last phase, which captures the email address, runs in an infinite loop.
Figure 4: Infinite loop in the fake CIMB Clicks credentials capturing process
The phishing domains resolve to two IP addresses: 188.8.131.52, which belongs to OVH Hosting, and 184.108.40.206, which belongs to “Mochahost.com”, as seen in the images below.
Figure 5: WHOIS IP of Phishing Domains
In addition to implementing strong email gateway security, which can prevent phishing emails from reaching users in the first place and can also block access to phishing links as a second layer of protection, Cyren encourages everyone, as always, to “think before you click.” If you suspect fraud, type the address of your financial institution directly into your web browser.
If you don’t have strong email gateway security, we also recommend blocking the IP addresses 220.127.116.11 and 18.104.22.168.