Romania's first major phishing fraud was detected on the morning of 26 July 2005. Emails were sent from two sources; the first mail was detected at 07:25am and the second at 08:05am. The emails were designed to look like part of a fund-raising campaign initiated by the National Bank of Romania (BNR - Banca Nationala a Romaniei) to provide aid for the reconstruction of areas affected by severe flooding this summer (Figure 1). Clearly, the authors of the message were planning to take advantage of the compassion shown by the Romanian public after the devastating floods, in order to gain credit card details and other personal information for identity theft.
The fake messages were made to look as if they had been sent by the National Bank of Romania, from the address . The National Bank of Romania owns the domain www.bnr.ro (as well as www.bnro.ro) [1].
The authors of this phishing attack requested a sum of money that would be considered insignificant, even for someone on a medium-to-low Romanian salary. Thus, the individual losses are relatively small, but the greater the number of victims, the greater the total amount. Of course, once the credit/debit card number has been obtained, there is nothing to prevent the perpetrators from taking as much money as they want (or as much as allowed by the limit set by the bank).
THE EMAILS
The same message (identical content) was sent from two different sources. The differences between them are as follows:
1. Subject
The first email had the subject "Initiativa Bancii Nationale a Romaniei (BNR) - colaborare", and was received at 07:25 am. The second email had the subject "Initiativa Bancii Nationale (BNR) - solicitare", and was received at 08:05 am.
As can be easily observed even by non-Romanian speakers, the only difference is the last word of the subject. The first one translates to “collaboration” and the second to “solicitation”.
2. Method of distribution
The first email was sent to a distribution list hosted by bcentral.com, a site owned by Microsoft (http://www.microsoft.com/smallbusiness/online/email-marketing/list-builder/detail.mspx). The interesting thing about this list is that in order to create it, you need to register and pay with a credit card. When the Police investigate who created and paid for this list, they will probably find out that the card used for the payment was stolen.
The second email was sent to individual email addresses by some web-based generator.
DETAILED ANALYSIS
As mentioned, the emails come from the address , but if we look at the headers, the sender domain of the first one is listbuilder.com and the sender domain of the second is hostbigger.com.
Unfortunately, SpamAssassin does not detect anything strange about the mail.
The name of the domain RNB.RO was not chosen randomly. It is an anagram of the Romanian National Bank's true domain, BNR.RO.
The technique used here is not new. However, you don't often see a table placed inside a link and then an identical link inside that table. The intention was to make the link's active area as wide as the page, even though the visible link occupied only half of it. However, there is a mistake: the author forgot to close the inner link with a '</a>', so the desired effect is not obtained. This feature (or bug?) is possible only in Mozilla-based HTML parsers. It does not work, for example, in IE-based HTML parsers (with or without the closing '</a>').
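As an added illustration, not part of the original article, the following Python script flags the HTML patterns just described when scanning an email body: an anchor that wraps a block element such as a table, an anchor nested inside another anchor, and an anchor that is never closed. The sample HTML is constructed to mirror the described structure; the www.rnb.ro link and the button text are placeholders, not copied from the lure.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the structure described above: an <a> that
# wraps a <table>, and an identical <a> inside the table that is never closed.
# The URL and the button text are placeholders, not copied from the lure.
SAMPLE_LURE_HTML = """
<html><body>
<p>Banca Nationala a Romaniei</p>
<a href="http://www.rnb.ro/">
  <table width="100%"><tr><td>
    <a href="http://www.rnb.ro/">Doneaza acum
  </td></tr></table>
</a>
<p><a href="http://www.bnr.ro/">www.bnr.ro</a></p>
</body></html>
"""

# A well-formed fragment for comparison (also constructed).
CLEAN_HTML = '<p><a href="http://www.bnr.ro/">www.bnr.ro</a></p>'


class AnchorAuditor(HTMLParser):
    """Flags anchors that wrap block-level elements, anchors nested inside
    other anchors, and anchors left open at the end of the document.

    All three are invalid HTML that browsers repair differently, which is
    why the page-wide clickable area worked in one engine and not another.
    """

    BLOCK_TAGS = {"table", "div", "p"}

    def __init__(self):
        super().__init__()
        self.open_anchors = []  # hrefs of <a> tags currently open
        self.findings = []      # (kind, href) tuples

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href", "")
            if self.open_anchors:
                self.findings.append(("nested-anchor", href))
            self.open_anchors.append(href)
        elif tag in self.BLOCK_TAGS and self.open_anchors:
            self.findings.append(("block-inside-anchor", self.open_anchors[-1]))

    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchors:
            self.open_anchors.pop()

    def close(self):
        super().close()
        # Whatever is still open here was never closed with </a>.
        for href in self.open_anchors:
            self.findings.append(("unclosed-anchor", href))
        self.open_anchors = []


def audit_anchors(html):
    """Return the list of (kind, href) findings for an HTML document."""
    auditor = AnchorAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for kind, href in audit_anchors(SAMPLE_LURE_HTML):
        print(f"{kind:22} {href}")
    print("clean fragment:", audit_anchors(CLEAN_HTML))
```

Because the inner anchor is never closed, the single '</a>' in the sample closes the inner one and leaves the outer one open, so the auditor also reports the later legitimate www.bnr.ro link as nested and the outer anchor as unclosed; that cascade is exactly the parser-dependent behaviour the paragraph describes.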
The second indication that this is a phishing email is that the illegitimate domain's registration is incomplete. If we look at the legitimate BNR.RO domain by querying the whois information database, we see the following:
domain-name: bnr.ro
description: Banca Nationala a Romaniei
admin-contact: TP1003-ROTLD
technical-contact: TP1003-ROTLD
zone-contact: TP1003-ROTLD
nameserver: ns.bnr.ro 194.102.208.6
info: object maintained by ro.rnc local registry
info: Register your .ro domain names at www.rotld.ro
notify: domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
mnt-lower: ROTLD-MNT
updated: hostmaster-danacorb@rotld.ro 19981214
source: ROTLD
person: Tiberiu Parvulescu
address: Banca Nationala a Romaniei
address: Str. Lipscani nr 25, sector 3
address: Bucuresti
address: Romania
phone: +40-21-311 14 62
fax-no: +40-21-311 14 62
e-mail: tiberiup@nbr.ro
As you can see, this is a fully registered domain. All the identification data are present, and they are valid.
However, when we look at RNB.RO by querying the whois information database, we see the following:
domain-name: rnb.ro
description: MobiFon S.A.
description: Piata Charles de Gaulle, nr.15
description: Sector 1
description: Bucharest, Romania
description: Phone: +40-21-302 4156
description: Fax: +40-21-302 1475
admin-contact: IOS1-ROTLD
technical-contact: IOS1-ROTLD
zone-contact: IOS1-ROTLD
nameserver: ns7.dr.myx.net
nameserver: dnsbck.dr.myx.net
info: Mugur Isopescu
info: Lipscani 25
info:
info: cod fiscal / cod numeric personal:
info: Registered via xnet
info: The NIC for Romania is http://www.rotld.ro/
notify: domain-admin@listserv.rnc.ro
object-maintained-by: ROTLD-MNT
updated: domain-admin@listserv.rnc.ro 20050722
source: ROTLD
application-date: 20050722
domain-status: active
registration-date: 20050722
expire-date: 20060722
You can see that some things are not quite right here. The identification information is present, but incomplete. The information about the owner is not only incomplete, but also fake:
info: Mugur Isopescu
info: Lipscani 25
The name of the owner seems to be some kind of joke. This is a combination of the name of the BNR Governor (Mugur Isarescu) and the name of a TV presenter (Emanuel Isopescu). The combination that results is a name that looks familiar to a lot of people: Mugur Isopescu. The address "Lipscani 25", even though incomplete, is the address of the BNR.
Apparently, the Romanian Internet authority (RNC) didn't even notice that something was wrong. However, to be fair, the RNC didn't register the domain directly; this was done by MobiFon. MobiFon owns MYX.NET, XNET and Connex, one of the biggest mobile phone networks in Romania (acquired recently by Vodafone).
The next reason for suspecting that this is a phishing email is the date of registration of the domain. The date of the creation of the domain was Friday 22 July 2005. It is well known in Romania that people browse the Internet more at the weekend than during the week. This is because in Romania many people use dialup connections and the telephone rates are cheaper during the weekend. Moreover, the registration of the domain took place just a couple of days before the attack began.
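As an added example, not from the article, here is a small Python script that reads the ROTLD whois output quoted above and flags the signs discussed in the last few paragraphs: a registration date only days before the message was seen, blank fields, and an identifier field with no value. The record text is an excerpt of the rnb.ro record shown above; the detection date is 26 July 2005 from the opening paragraph, and the 30-day threshold is an assumed policy value.

```python
from datetime import date

# Excerpt of the rnb.ro record quoted above (ROTLD format, one "key: value"
# per line). Blank values are kept exactly as they appeared.
RNB_WHOIS = """domain-name: rnb.ro
description: MobiFon S.A.
description: Piata Charles de Gaulle, nr.15
nameserver: ns7.dr.myx.net
nameserver: dnsbck.dr.myx.net
info: Mugur Isopescu
info: Lipscani 25
info:
info: cod fiscal / cod numeric personal:
info: Registered via xnet
updated: domain-admin@listserv.rnc.ro 20050722
source: ROTLD
application-date: 20050722
domain-status: active
registration-date: 20050722
expire-date: 20060722
"""

# Date the phishing emails were first seen (from the article).
SEEN_ON = date(2005, 7, 26)


def parse_whois(text):
    """Parse 'key: value' lines into a dict of lists.

    Only the first colon splits key from value, so a value such as
    'Phone: +40-...' survives intact. Empty values are kept so that blank
    fields can be reported.
    """
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def yyyymmdd(value):
    """Convert a ROTLD date such as 20050722 into a date object."""
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def assess(text, seen_on, max_age_days=30):
    """Return (finding, detail) tuples for a whois record.

    max_age_days is an assumed threshold: a domain registered within that
    many days of the message being seen is treated as suspicious.
    """
    record = parse_whois(text)
    findings = []

    registration = record.get("registration-date", [""])[0]
    if registration:
        age = (seen_on - yyyymmdd(registration)).days
        if 0 <= age <= max_age_days:
            findings.append(("recently-registered", age))

    blank_keys = [k for k, values in record.items() if "" in values]
    if blank_keys:
        findings.append(("blank-fields", blank_keys))

    # A label ending in ':' with nothing after it is an identifier the
    # registrant left empty (the fiscal code / personal number line above).
    for value in record.get("info", []):
        if value.endswith(":"):
            findings.append(("missing-identifier", value))

    return findings


if __name__ == "__main__":
    for finding in assess(RNB_WHOIS, SEEN_ON):
        print(finding)
```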
Finally, the target page gave a strong indication that this was part of a phishing scam. The page hosted on the website was encoded with escape characters, and the decoding, of course, took place only locally, in the browser, using some JavaScript code. This way no web filter could detect anything strange, such as special keywords (Figure 2).

Figure 2. Encoded content
Even though the content was encoded, the JavaScript code was pretty well written. It validated the input fields such as email, telephone, card information, name, etc. (Figure 3).

Figure 3. A lot of JS validation
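The following Python script is an added example, not code from the article or from the phishing site, showing why a keyword filter that inspects only the raw bytes misses an escaped page, and what a filter that decodes escaped string literals first would see instead. The sample page is constructed: its form is shipped as a %XX-escaped string and written into the document by unescape(), with the field names escaped in full. The keyword list is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample of a page whose form arrives as %XX-escaped string
# literals and is written into the document at load time. The decoded form
# asks for a card number and a PIN, but neither word appears in the raw
# bytes that a filter scanning the page as transmitted would inspect.
SAMPLE_PAGE = """<html><head><title>Banca Nationala a Romaniei</title></head>
<body>
<script type="text/javascript">
document.write(unescape('%3Cform%20method%3D%22post%22%3E' +
  '%3Cinput%20name%3D%22%63%61%72%64%6E%75%6D%62%65%72%22%3E' +
  '%3Cinput%20name%3D%22%70%69%6E%22%3E%3C%2Fform%3E'));
</script>
</body></html>
"""

# Words a content filter might look for on a card-harvesting form (assumed).
KEYWORDS = ("card", "pin", "cvv", "parola")

# Any single- or double-quoted JavaScript string literal.
STRING_LITERAL = re.compile(r"""(['"])((?:(?!\1).)*)\1""", re.S)
ESCAPE_SEQ = re.compile(r"%[0-9A-Fa-f]{2}")


def decoded_view(page):
    """Replace every %XX-escaped string literal with its decoded form.

    This approximates what the browser ends up rendering after unescape()
    runs, so that a filter can inspect the real content rather than the
    escaped bytes. Literals without escapes are left untouched.
    """
    def replace(match):
        quote, body = match.group(1), match.group(2)
        if ESCAPE_SEQ.search(body):
            return quote + unquote(body) + quote
        return match.group(0)
    return STRING_LITERAL.sub(replace, page)


def find_keywords(text):
    """Return the sorted KEYWORDS present in text (case-insensitive)."""
    lowered = text.lower()
    return sorted(k for k in KEYWORDS if k in lowered)


def scan(page):
    """Compare what a filter sees before and after decoding."""
    return {"raw": find_keywords(page),
            "decoded": find_keywords(decoded_view(page))}


if __name__ == "__main__":
    result = scan(SAMPLE_PAGE)
    print("keywords in raw page:    ", result["raw"])
    print("keywords after decoding: ", result["decoded"])
    print(decoded_view(SAMPLE_PAGE))
```

Decoding string literals is a cheap first step; a page can also build the same content from character codes or several nested layers, so a filter that needs to be thorough ends up rendering the page in a real JavaScript engine and inspecting the resulting DOM.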
THE WEBSITE
By announcing an online fund-raising campaign for the flood victims, the attackers were able to target exclusively card owners who might have wanted to donate money, setting as the only condition a minimum amount in the respective bank account: 0.50 Romanian Lei (0.14 Euros). They provided a link that led to a forged page, which looked like a www.bnr.ro website page, where the potential donors could input their personal details and credit/debit card numbers, as well as the donated amount, which would supposedly be charged automatically to those accounts.
In order to make everything look exactly the same as the BNR webpages, the email used all links, except the target one, from the legitimate website (nothing special here, all phishing emails have the same structure).

Figure 4. First page of the site
Figure 4 shows the first page. Here, the victim is asked to provide their name, the personal identification number taken from their identity card, the card issuer, the number of the card, the expiry date of the card, the amount of money to be donated and the email address. There is nothing unusual here, except that debit cards are allowed as well as credit cards. This is a special adaptation for Romania, where a lot of people have debit cards, but not many have credit cards. Of course, for a debit card more information is needed, so let's go to the next page.
On the second page, the user is asked for their PIN.
Remember that nobody should know the PIN of your card except yourself.
Finally, the victim is thanked for their donation and is even given an ID for their transaction. We only hope that the ID of our fake transaction (1572) was generated randomly, because if it relates to the number of transactions carried out, then more than 1,500 people will have a nasty surprise at the end of the month (apart from any who were playing with the website as we did).
THE EMAIL HEADERS
Here are other elements that prove that this mail is part of a phishing scam:
Return-Path: McCandle@mccandless.mozcal.org
This address exists and is hosted by hostbigger.com.
Return-Path: 55167-return-1-116905988@lb.bcentral.com
This address exists and is hosted by Microsoft.
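As an added example, not part of the original article, the Python script below applies the header check made above to constructed copies of the two messages: it compares the Return-Path domain with the From domain, checks the From domain against the bank's real domains (bnr.ro and bnro.ro from the introduction), and reports when the From domain is an anagram of a real one, as rnb.ro is of bnr.ro. The Return-Path values and subjects are those quoted in the article; the From local part is a placeholder, since the article does not reproduce the full sender address.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains the bank actually uses, taken from the article.
TRUSTED_DOMAINS = ("bnr.ro", "bnro.ro")

# Constructed sample messages. The Return-Path values and subjects are the
# ones quoted in the article; the From local part is a placeholder, because
# the article does not reproduce the full sender address.
SAMPLE_MESSAGES = [
    """Return-Path: 55167-return-1-116905988@lb.bcentral.com
From: Banca Nationala a Romaniei <sender@rnb.ro>
Subject: Initiativa Bancii Nationale a Romaniei (BNR) - colaborare

(body omitted)
""",
    """Return-Path: McCandle@mccandless.mozcal.org
From: Banca Nationala a Romaniei <sender@rnb.ro>
Subject: Initiativa Bancii Nationale (BNR) - solicitare

(body omitted)
""",
]

# A message whose envelope and header sender agree, for comparison (constructed).
LEGIT_MESSAGE = """Return-Path: sender@bnr.ro
From: Banca Nationala a Romaniei <sender@bnr.ro>
Subject: test

(body omitted)
"""


def domain_of(header_value):
    """Extract the lower-cased domain from an address header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain whose first label is an anagram of this
    domain's first label (rnb.ro versus bnr.ro is the case from the
    article), or None if there is no such domain."""
    label, _, rest = domain.partition(".")
    for candidate in trusted:
        clabel, _, crest = candidate.partition(".")
        if crest == rest and clabel != label and sorted(clabel) == sorted(label):
            return candidate
    return None


def check_sender(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of (finding, detail) tuples for one raw message."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))
    findings = []
    # Bounces and list mail go back to the envelope sender, so a Return-Path
    # on a different domain from the claimed sender deserves a second look.
    if return_domain and return_domain != from_domain:
        findings.append(("return-path-mismatch", return_domain))
    if from_domain and from_domain not in trusted:
        findings.append(("untrusted-from-domain", from_domain))
        twin = lookalike_of(from_domain, trusted)
        if twin:
            findings.append(("lookalike-domain", twin))
    return findings


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES + [LEGIT_MESSAGE]:
        print(check_sender(raw) or "no findings")
```

A Return-Path on another domain is normal for legitimate mailing-list traffic, so on its own it is only a weak signal; combined with a From domain that is a letter-for-letter rearrangement of a real one it is a much stronger one.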
The first email had the following text appended to the body:
'Powered by List Builder
Click <here> to change or remove your subscription'
where <here> is a link that goes to lb.bcentral.com.
Following the link takes us to a page where we are asked:
'What would you like to do?
Your email address:
<email>
To unsubscribe from the mailing list, click the
Unsubscribe button.
If you wish to remain on the mailing list, but would
like to update your personal information
click the Change Preferences button.'
Clicking again on "Unsubscribe" we get:
'Your email address and preferences have been removed from the Banca Nationala a Romaniei mailing list as you requested.'
They have actually created a list with the name of the Romanian National Bank.
CONCLUSIONS
After noting these messages, AVIRA proceeded to put an end to the fraud [2]. The director of AVIRA Soft, Mihai Anghel, contacted MobiFon, the Internet provider that had registered the rnb.ro domain (the destination of the forged link).
Shortly after, through cooperation with MobiFon staff, the link was disabled and the domain suspended. He also notified the National Bank of Romania of the scam, and the bank officially asked for a Police investigation.
Unfortunately, and probably following an automatic procedure, MobiFon put the domain up for sale the very next day. AVIRA recognized that the risk of the scam starting all over again was still pretty high and decided to rent the domain for a couple of months, until the waters calm down (check here: www.rnb.ro).
Acknowledgements
Many thanks to all the people who helped me in stopping the fraud. People from the National Bank of Romania, MobiFon and, the most important of all, from the AVIRA Team. Without their quick actions, the fraud would have continued longer. Also, thanks again to the AVIRA team members and to Costin Raiu who gave me precious comments when writing this article.
References:
1. Romanian National Bank : http://www.bnro.ro/def_en.htm
2. AVIRA's press releases about this incident (in English):
http://www.avira.com/en/news/phishing_attack_in_romania.html and
http://www.avira.ro/en/pages/details_online_fraud_bnr.html
Sorin Mustaca
AVIRA GmbH
Copyright note: This article was written for and published in the September issue of Virus Bulletin Magazine (www.virusbtn.com). It is reproduced here with the consent of the aforementioned publication.