Phishing Scams

Consumer-oriented phishing emails appear in corporate environments, after the malicious messages make it past perimeter defences. The genuine-looking emails aim to harvest an unsuspecting victim’s email, password, mobile numbers, and the “memorable information” used in two-factor authentication. Find out more about phishing and phishing emails.

Introduction

TSB provide local banking for Britain to help local people, businesses and communities to thrive together. Their core values guide them in all that they do and how they do it. They are: straightforward, collaborative, transparent, responsible, pioneering.

Phishing attacks are omni-present on all our devices these days. Whether they purport to be from HMRC, TV Licencing, or a myriad of respected institutions, they are convincing and potentially dangerous. Most recently, The Police Digital Security Centre was made aware of a wave of phishing attacks targeting TSB banking customers. US company Cofense has already produced the following analysis.

phishing greyThese consumer-oriented phishing emails appear in corporate environments, after the malicious messages made it past perimeter defences. The genuine-looking emails aimed to harvest an unsuspecting victim’s email, password, mobile numbers, and the “memorable information” used in two-factor authentication. If someone were to take the phishing hook, they would be open to follow-up phone scams or the complete takeover of their bank account and credit cards.

Most UK banks implement two-factor authentication. They require users to set a standard password and a piece of memorable information, which users authenticate with their user name and password. Users are then asked to provide three random characters from their memorable information. This does two things to help improve the security of your bank account:

  1. It can help to mitigate against man in the middle attacks, as any intercepted data would only reveal partial fragments of the memorable information.
  2. If a user’s email address and password combination has been leaked online, it provides an extra barrier for attackers attempting to access their accounts.

Again, if successful this phish could help the attacker evade these extra controls. Here’s how it works:

Email Body:

The attacks begins with an email purporting to be from the TSB customer care team, informing the customer that a new “SSL server” has been implemented to prevent access to customer accounts by third parties. It then asks the user to update their account information by clicking on the hyperlink just above the signature line.

fig 1 phishing email

Headers:

To add authenticity to the attack, the threat actors have spoofed the sending information to make the email appear to come from the sender customercare[@]tsb[.]co[.]uk. If we correlate this with the message ID, we can see that it actually originated from the ttrvidros[.]com[.]br a Brazilian registered domain.

fig 2 email header

Phishing Page:

fig 3 phishing page 1

The malicious page shown below on fig3 is almost identical to TSB online banking portal. The first page is directed to ask for a User ID and password.

The victim is then asked to supply characters from their memorable information. This is typically a word that is memorable to the user and six characters or longer, usually a pet’s name, mother’s maiden name, or a favorite city or sports team. It is standard practice to only provide three characters of your memorable information. However, this is just a clever ruse to gain the confidence of the victim.

fig 4 phishing page 2

The user is then redirected to a fake error page that states, “There is a problem with some of the information you have submitted. Please amend the fields below and resubmit this form.” Afterward, the form asks the victim for the full memorable information and the mobile phone number. Armed with the victim’s user-ID, password, memorable information, and phone number an attacker can easily gain access to the victim’s bank account and credit cards through the online portal—or perhaps more worryingly, they can utilise this information to launch a social engineering campaign over the phone, commonly referred to as vishing (Voice Phishing).

fig 5 phishing page 3

Gateway Evasion:

This threat was found in an environment running Microsoft Exchange Online Protection (EOP) which provides built-in malware and spam filtering capabilities it is intended to screen inbound and outbound messages from malicious software spam transferred through email.

Staying Safe:

As always, the way to stay safe is straightforward. Be suspicious of any email from any financial institution that appears “blanket” and doesn’t address you by name. Hover over and investigate the sender’s email address - it’s not always what it says. And don’t click on any link unless and until you are absolutely certain of its validity. If you have any doubts at all, phone the alleged sender via a trusted number (on the back of your credit/debit card) and check it out.