Monday, September 23, 2013

Go phishing

Online lottery and phishing scams are on the rise in India. The phone revolution has led a growing number of users to rely on the internet for critical services like internet banking. However, armed with inadequate knowledge of the internet, people often end up as victims of online scams.

I recently received an interesting email spoofed from customer.care@icicibank.com. Surprisingly, this got through Gmail's spam filters and reached my primary inbox:

Subject:  ICICI ALERT: Your Account is Temporarily Locked
Attn: Valued & Esteemed Customer,

Your ICICI Online Internet Banking Account has generated an error code (ICICI_ERROR-317FR) in our new secured and innovated database because it is not configured with our latest protection scheme (The ICICI 3D SECURED SYSTEM)
ICICI Bank has made second (The ICICI 3D SECURED SYSTEM) Authentication mandatory from 1st September, 2013
To Enroll into Our newly introduced security feature,The (3D SECURED SYSTEM) which works by placing a triple security on your account. Please Login and complete your enrollment process which is mandatory for all users. We look forward to giving our customers the best of our services not comparable to other banks.
The ICICI 3D Secured System is an innovated data migration process in which manual verification of login details is compulsory to activate you for the latest online banking security. To proceed, please follow the steps below:

SECURITY ACTIVATION STEPS:
1. Open The Attachment In This Mail Which Contains A Security Verification Page.
2. Carefully Confirm Your details and Get secured Instantly .
3. After Successful Verification, You Will Be Redirected To Our Disclaimer Page.
4. In two weeks from your receipt of this mail, You Will Receive A Manual Containing A Pin And How To Activate It.

Note
Corporate Customers with Two or More USERS (The Enterer and APPROVER) are required to Fill this Form again with their APPROVER Details

Please Note your Error Code as it wil be needed when our customer care contacts you

Instruction on how to open the  file
After Successful Download of the attached file, right click on the file and view with your Browser
The form needs to be opened in a modern browser which has javascript enabled ( Internet Explorer 7, Firefox 3, Safari 3, Opera 9)

If you are using Internet Explorer please allow ActiveX for scripts to perform all data
transfers securely.

All fields are important and must be filled correctly for secure submission

Thank you for your cooperation.

Sincerely,

ICICI Bank Ltd.

Online Banking Security Unit

The email had 2 attachments, Personal USER.html and Corporate USER.html:

[Screenshot: Corporate USER.html]

[Screenshot: Personal USER.html]

Both files use JavaScript to hide and encrypt the source code.

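On submit, your information is sent to a cleverly named address: http://infinity.icicibank.co.in.bankaway.action.retuser.init.001-y8appsignonbankid-ici8apptype-corporate9abrdprf-n.carlosbreeze.com.internetbanking.com.acess.com.user.agent.notarypublicwilltravel.com/verify/icicix.php.
It is cleverly named because the starting part of the address is similar to what ICICI Bank uses on its internet banking website. A hostname is owned by whoever registered its rightmost part, so the domain that actually receives the data here is notarypublicwilltravel.com; everything to the left of it is a subdomain its owner can name freely.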
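The check a mail filter or analyst could run on such an address, as an added example that is not part of the original post: read the hostname from the right to find the registrable domain, then flag a brand domain that appears only as subdomain labels. The names `classify`, `registrable_domain`, the brand list and the short suffix set (a stand-in for the full Public Suffix List) are assumptions, and the comparison URL is constructed.

```python
from urllib.parse import urlsplit

# Assumption: a tiny hand-written set stands in for the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.in", "co.uk", "com.au"}
# Assumption: brand domains taken from strings that appear in the post.
BRAND_DOMAINS = ("icicibank.com", "icicibank.co.in")

# The submit target quoted in the post.
PHISH_URL = (
    "http://infinity.icicibank.co.in.bankaway.action.retuser.init."
    "001-y8appsignonbankid-ici8apptype-corporate9abrdprf-n.carlosbreeze.com."
    "internetbanking.com.acess.com.user.agent.notarypublicwilltravel.com"
    "/verify/icicix.php"
)
# Constructed comparison URL whose registrable domain is a listed brand domain.
BRAND_URL = "https://infinity.icicibank.co.in/login"


def registrable_domain(host):
    """Return the public suffix plus one label, read from the right-hand end."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url, brands=BRAND_DOMAINS):
    """Return (verdict, registrable_domain, embedded_brands) for a URL.

    verdict is 'brand' when the registrable domain is a listed brand domain,
    'lookalike' when a brand domain appears only inside the subdomain labels,
    and 'unrelated' otherwise.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    owner = registrable_domain(host)
    if owner in brands:
        return "brand", owner, []
    # Labels left of the registrable domain are chosen freely by its owner.
    prefix = "." + host[: len(host) - len(owner)]  # ends with "." if non-empty
    embedded = [b for b in brands if "." + b + "." in prefix]
    return ("lookalike" if embedded else "unrelated"), owner, embedded


if __name__ == "__main__":
    for u in (PHISH_URL, BRAND_URL):
        print(classify(u))
```
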
[Screenshot: Inspect element in Chrome]
Someone (Abhilash :P in the source code above) seems to have put a lot of effort into coding this. I informed ICICI about this email. I hope no one falls prey to this new scam.
