Identity thieves leave dump server open for the entire world to see

Apr 3, 2009 08:01 GMT

A recent phishing scam gone bad exposes stolen online banking login credentials. Researchers from anti-virus vendor Sophos have discovered that the dump server used by the cyber-criminals behind the operation lacks even the most basic protection mechanisms.

Analysts from the SophosLabs branch in Sydney have come across a phishing campaign targeting customers of the Australia and New Zealand Banking Group (ANZ). The e-mails claim to be an SSL update notification sent by the bank.

The FROM field is spoofed so that the message appears to originate from a legitimate-looking e-mail address, such as [email protected]. "Your Internet Banking account(s) needs to be updated into our new SSL. By doing this, out Internet Banking server will add more securities to your account(s). This will also foreclose your account(s) from Internet Banking Theft," the notification reads.

A URL allegedly pointing to the Internet Banking login page is provided, with the note that, "Your account(s) will be updated after you have signed in." The link points to a server in the UK, from where it redirects to one hosted in Italy. During the redirection, the IP addresses are written in hexadecimal form so as not to arouse suspicion.
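Hexadecimal, octal and single-number ("dword") hosts are all accepted by browsers because they follow the classic inet_aton parsing rules, which is why a link such as http://0xC0A80001/ loads the same server as http://192.168.0.1/. The following added example (not code from the article or from Sophos) shows how a mail filter or URL scanner can normalise such hosts back to a dotted quad and flag the obfuscated ones. The sample URLs are constructed for illustration; the article does not give the real addresses used in the campaign.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample URLs; the real redirect chain from the article is not known.
SAMPLE_URLS = [
    "http://0xC0A80001/update/ssl/login.php",  # whole address as one hex number
    "http://0xC0.0xA8.0x00.0x01/login",        # hex per octet
    "http://0300.0250.0.1/",                   # octal per octet
    "http://3232235521/",                      # decimal dword
    "http://192.168.0.1/",                     # plain dotted quad
    "https://www.example.com/",                # ordinary hostname
]

# One inet_aton-style numeric part: hex (0x...), octal (leading 0) or decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def decode_numeric_host(host):
    """Return the dotted-quad string for any numeric IPv4 host form, else None.

    Follows inet_aton rules: one to four parts separated by dots; each part is
    decimal, octal (leading 0) or hex (0x); the last part fills the remaining bytes.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if not _PART.fullmatch(p):
            return None
        if p.lower().startswith("0x"):
            values.append(int(p[2:], 16))
        elif len(p) > 1 and p.startswith("0"):
            values.append(int(p, 8))
        else:
            values.append(int(p, 10))
    last = values[-1]
    last_width = 4 - (len(values) - 1)  # bytes covered by the final part
    if any(v > 255 for v in values[:-1]) or last >= 1 << (8 * last_width):
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * last_width)) | last
    return str(ipaddress.IPv4Address(addr))


def classify_url(url):
    """Classify a URL's host as 'hostname', 'dotted' (plain IP) or 'obfuscated'.

    Returns (kind, dotted_quad_or_None). urlparse lower-cases the host, so
    hex digits arrive in lower case; the decoder accepts either case.
    """
    host = urlparse(url).hostname or ""
    decoded = decode_numeric_host(host)
    if decoded is None:
        return ("hostname", None)
    if decoded == host:
        return ("dotted", decoded)
    return ("obfuscated", decoded)


def flag_obfuscated(urls):
    """Return [(url, dotted_quad)] for every URL whose host is an obfuscated IP."""
    flagged = []
    for url in urls:
        kind, dotted = classify_url(url)
        if kind == "obfuscated":
            flagged.append((url, dotted))
    return flagged


if __name__ == "__main__":
    for url, dotted in flag_obfuscated(SAMPLE_URLS):
        print(f"OBFUSCATED IP host: {url} -> {dotted}")
```

A filter built on this would treat any "obfuscated" result as a strong phishing indicator, since legitimate bank mail does not link to raw IP addresses at all, let alone encoded ones; the plain dotted-quad case is flagged separately so the policy can decide how hard to treat it.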

The authentication page displayed is a replica of the legitimate one on the ANZ website, but the information submitted through the form is stored in a plain-text file on the server. After the credentials are submitted, the victim is redirected to a legitimate error page on the ANZ website stating that the login process has failed.

"This is a clever choice of destination: the victim will probably believe they simply mistyped their password and type their credentials again to access the real site, with little skepticism that their details were skimmed off along the way," Matthew Asquith, security researcher at Sophos, notes.

The unusual part of this scheme is that the cybercrooks behind it failed to restrict access to the web server directory, leaving the database.txt file readable by virtually anyone. After analyzing the files, the researchers concluded that, fortunately, only around five individuals had actually fallen for the trick. The bank has been notified and has already locked the compromised accounts and reset their passwords.

Graham Cluley, senior technology consultant at Sophos, points out that many of the people who realized they were dealing with a scam decided to send messages to the phishers. "Indeed, many of the 'usernames' are actually suggestions for err.. activities which the cybercriminals might wish to undertake, destinations for journeys they might wish to make, or fates which might befall them," the researcher says. "All very amusing – but I would advise against playing 'phishing roulette' by knowingly visiting phishing websites to see what happens," he warns.

However, while this kind of mishap on the part of the cybercrooks might make the job of investigators easier, it can have serious consequences for the users. We recently reported how the details of around 22,000 stolen credit cards, many of which were still active, were exposed to the entire Internet after Google cached a cybercriminal dump server in Vietnam that had been left unsecured.