MalwareDisasters is a division of MalwareIntelligence. Here, information is captured about the behavior of malicious code, and the countermeasures needed to mitigate the malicious actions in question are offered.

4.12.2011

Increase in Dutch banking phishing

Over the last few months there has been an increase in a phishing campaign targeting customers of Rabobank and ING, two major banks in The Netherlands and Belgium. Some examples of the phishing mails:

Phishing email for ING with the subject “Account Verificatie” (or in English: “Account Verification”)


Phishing email for Rabobank with the subject “Customer Services Update”.

If you speak Dutch, you will notice that the content of these emails varies more than in most phishing mails. In the first version there are almost no grammatical or spelling errors. The second email, for Rabobank, however, is clearly a Google Translate copy/paste job.

All emails appear to originate from valid email addresses: the sender domains are @rabobank.nl and @ing.nl, which are in fact legitimate addresses of the two banks.
However, if we check the message headers, we see IPs originating from Nigeria:

41.155.32.70 (IPVoid results)
82.128.38.67 (IPVoid results)

Another IP address originates from New Zealand and is listed on several blacklists, as can be confirmed with IPVoid:

203.97.33.68 (IPVoid results)

This means the email addresses are spoofed to trick users into believing the email is valid.
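The header check described above can be scripted; the following is an added example, not code from the original post. It pulls the public relay IPs out of the `Received` chain and compares the visible `From` domain with the envelope sender. The sample message is constructed (only the source IP is one listed above), the host names are placeholders, and it assumes the receiving server stamps an `Authentication-Results` header.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample headers; only the source IP is one listed in the post.
SAMPLE = (
    "Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=mailer.example.org\n"
    "Received: from relay.example.org (relay.example.org [10.0.0.5])\n"
    " by mx.recipient.example with ESMTP; Sun, 04 Dec 2011 10:00:02 +0100\n"
    "Received: from [41.155.32.70] (unknown [41.155.32.70])\n"
    " by relay.example.org with ESMTP; Sun, 04 Dec 2011 10:00:00 +0100\n"
    "Return-Path: <bounce@mailer.example.org>\n"
    'From: "ING" <service@ing.nl>\n'
    "Subject: Account Verificatie\n\nbody\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def public_hops(msg):
    """Public IPv4 addresses from the Received chain, earliest hop first."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        for text in IP_RE.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed text that is not a valid address
            if ip.is_global and text not in hops:
                hops.append(text)
    return hops

def domain(value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyse(raw):
    msg = email.message_from_string(raw)
    from_dom, rp_dom = domain(msg["From"]), domain(msg["Return-Path"])
    auth = msg.get("Authentication-Results", "").lower()
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "origin_ips": public_hops(msg),
        "envelope_mismatch": bool(rp_dom) and rp_dom != from_dom,
        "spf_fail": "spf=fail" in auth or "spf=softfail" in auth,
    }
```

Only `Received` lines added by your own mail servers are trustworthy; lower ones are written by the sender. A `From`/`Return-Path` mismatch alone also occurs with legitimate bulk mailers, so treat it as a signal to combine with the SPF result and an IP reputation lookup.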
Now, what happens if you click on the link included in the message? You will be redirected to one of these pages:

Phishing website for ING. The user needs to log in with his/her username and password. You can also opt to log in with the ‘calculator’. The calculator is in fact a card reader which you can use to log in.


Phishing website for Rabobank. You can log in using your account number, access code, and PIN code. You can also use your card reader.

The intention of these emails is of course to steal user credentials and empty the account of the duped user. These attacks are pretty well orchestrated. If you click on any of the links on the phishing page, it will redirect you to the real ING website which provides extra information on the topic you clicked on.

The following tips do not only apply to the above story, but apply to any other (suspicious) email you receive:
  • Do not click on any of the links (or anything for that matter) in the email you have received.
  • Do not reply to the email.
  • Delete the email immediately, certainly if you are not a customer of the aforementioned bank or did not order anything, change your password, and so on.
  • If you really need to access or check your bank account, visit the website directly by typing the address in your browser’s address bar. Also verify the URL starts with https instead of http.
  • Another useful trick is to hover over the link in the email. In the bottom left corner you should be able to see the real address behind the URL displayed.
  • When in doubt, you can double-check using URL scanning services such as VirusTotal or URLVoid by our partner NoVirusThanks.

MalwareIntelligence Team
