Recently we received an email from the RBI (Reserve Bank of India), or so it claims to be, regarding a ‘One Time Password’ registration.  This ended up in the spam folder. Let us see why.

Here is the email in question:

• The source of this email (highlighted green) is ‘rbi.org.in’ which is not suspicious but is probably spoofed.
• It informs us to ignore any warning (highlighted red) that the email client might give us. This is suspicious.
• The attachment (highlighted cyan) has a double extension. This is clearly suspicious.

There is even a tail-piece of advice to ‘Beware of Phishing’ to make the user feel good about the message. After all, no thief warns you about impending thievery, right? Wrong!

Once you download and open the attachment you are directed to the following page:

This looks like a normal RBI page. But a closer look at the address reveals for a fact that this not an RBI page. It is a login page but it is not secure, and there is no ‘https’ authentication. This is a cleverly constructed page. Only the ‘Login ID’ and the ‘Password’ fields are custom made. The rest is ‘borrowed’ from the actual RBI site, therefore clicking on any of the menu items would still take you to the valid RBI page.

Let us check what is inside the attachment:

This URL has quite a number of sub-domains (grayed out for security reasons), none of which is even remotely related to the RBI. This is highly suspicious. Double-clicking on the attachment would take you to the page shown above which masquerades as a  bona fide RBI site.

Let us start filling in the form with some fake details:

Once you fill in the details and click next you will be taken to the following page wherein you’ll be asked to fill in your transaction password and mobile number:

Once you click submit it throws a message that the registration is successful. But there was no actual password registration done during the entire exercise. The mail states an additional password is to be created, which was never done here. Whenever a new password is created any valid system would ask you to confirm your password, which was not the case here. Hence this is a clear attempt to phish out confidential details.

The network captures of the above exercises show the password and user names being sent over the Internet as plain text messages:

Never would your bank send your banking credentials as plain text. They are always sent over a secure connection in an encrypted format.

At the time of writing the attack domain was still live. To avoid being a victim of such social engineering attacks, the solution to a large extent still rests with the user, even though URL filtering and phishing heuristics do thwart many of these attempts at phishing. Please read through one of the earlier entries to find out how to recognize and stay away from phishing scams – ‘Teach a Man to Anti-Phish’

Kaarthik R.M
K7 TCL

Malware authors have long realized that implementing scare tactics to rip people off their money works. Why waste time finding a new vulnerability to spread malware when you can scare people into downloading and running it? For a while now, fake anti-virus malware has been one of the top revenue generators for the malware authors.

Lately however, users have turned vigilant towards such fraudulent security tools and simply ignore the spurious warnings. The malware authors, who have realized this, have upped their game by changing the scareware reports to involve hard drive failures rather than virus infections.

Over the last month, K7TCL noticed a steady rise in the number of samples arriving with the name “pusk.exe” from various sources. Closer analysis of one sample revealed that this was a fake disk diagnostic tool. On installation the malware displays the following message:

The malware then goes on to display fake disk diagnosis messages:

It’s no surprise that when the users click on the “Fix Errors” dialogue box, they see the message below:

These samples are detected generically as “Trojan (0026b5241)”.

Lokesh Kumar
K7TCL

Miscreants are always geared up to start a new wave of spam and malware campaign. When a sensational event occurs, users tend to go searching for news on the event, making it easy for the criminals  to do what they do best.

Case in point, last week saw the Internet abuzz with news regarding Osama Bin Laden’s death.  Some research into the user’s search behavior from Google trends revealed that the maximum number of searches were for the keyword “Osama” and the maximum number of searches arrived from the United States.

The second to top the list was India, with Tamil Nadu leading the way, closely followed by Karnataka.

The bad guys tried to capitalize on this news by poisoning search results, spreading malware & spam. They setup fake videos, facebook wall posts, websites, all claiming to reveal “exclusive” information on the death of Al-Qaeda’s top man, thus enabling them to invite potential victims to their trap.

Out of approximately 1,00,000 videos uploaded to date on You-tube with the keyword “Osama”, around 23,000 were uploaded just in the past week.

Also, there were around 1,300 websites registered, in the first 3 days since the news emerged, relating to Osama’s death.

Out of these newly registered websites, the maximum number of registrations was made with the registrar “1 & 1 Internet AG”, followed by namecheap.com.

Queries in domain reputations sites like www.malwareurl.com indicate that both registrars had hosted sites that have spread exploits & spam before.

Lokesh Kumar
K7 TCL

Top level domains (TLD) refer to the suffix attached to domain names on the Internet. A site ending with .com, for example, is meant for websites used for commercial purposes. Similarly, country code top level domains (CCTLD) are meant to denote the country from which a website originates. A site ending with “.in”, for example, is meant for websites from India.

However, lenient CCTLD registration rules have meant that this is not always the case. Sites using CCTLD for purposes other than to denote their origin country have been garnering popularity for a while now. For example, “.fm” is a CCTLD assigned for the federal states of Micronesia. “.fm” which also is an acronym for “frequency modulation”, and is commonly used by radio websites which don’t originate from Micronesia. Similarly “.in” which refers to the CCTLD for India, could also mean “Internet” or “international”. When it comes to registering websites using the CCTLD, the cloud is the limit. Websites like “icome.in/peace”, “rest.in/peace”, for example, don’t just read well but are also easy for potential customers to remember. Apart from this, CCTLD from India are relatively cheaper to register than registering CCTLD from other countries.

While such use of CCTLD has its advantages, it also comes with its share of disadvantages. The number of CCTLD used by malware authors & spammers to lure victims to their sites is steadily on the rise. A simple query for malicious sites which use a CCTLD of “.in” from malwareurl.com resulted in a significant number of hits, as shown below:

Although none of the sites above are active anymore, a closer look reveals that they all originate from the same IP address and spread the same malware.

Users ought to be aware of such sites which pretend to come from one country, when in fact they don’t. Simple networking tools like whois will provide more information on the origin of the website. Also, the INRegistry tightening its registration rules should help significantly reduce the amount of spam and malware that originate from this CCTLD.

Lokesh Kumar
K7TCL

K7 Computing founder Jayaraman Kesavardhanan talks about how the setting up of secure passwords is still not quite as straight forward as it perhaps should be. (more…)

Notes on Cool Rahul

Malware File Name: RAHUL’SVIRUSPROTECTION.VBE (more…)