요즘 보이스 피싱 뉴스가 자주 나오는데 더불어 피싱 사이트로 유도하는 경우가 많죠.
사회공학적 툴도 나오고 정말 정신 바짝차려야 겠습니다.;;
아래는 외국에서 일반인을 대상으로 Rabobank와 ING의 피싱 공격을 예로 설명하고 있습니다.
더보기 Increase in Dutch banking phishing
The last few months there was an increase in a phishing campaign targeted on customers from Rabobank and ING, two major banks in The Netherlands and Belgium. Some examples of a phishing mail:
Phishing email for ING with the subject “Account Verificatie” (or in English: “Account Verification”)
Phishing email for Rabobank with the subject “Customer Services Update”.
If you speak the Dutch language, you notice the content of the emails are actually more different than most phishing mails. In fact there’s a bigger variety, and in the first version there is almost no grammatical or spelling error. The second email - for Rabobank- however, is clearly a Google Translate copy/paste job.
All emails seem to be originating from valid email addresses, domains are pointing to @rabobank.nl and @ing.nl , which are in fact legitimate addresses from the two banks.
However, if we check the message headers we can see IP’s originating from Nigeria:
This means the email-addresses are spoofed to trick users into believing the email is valid.
Now, what happens if you click on the link included in the message? You will be redirected to any of these pages:
Phishing website for ING. The user needs to login with his/her username and password. You can also opt to login with the ‘calculator’. The calculator is in fact a card reader which you can use to login.
Phishing website for Rabobank. You can login using your account number, access code, and PIN code. You can also use your card reader.
The intention of these emails is of course to steal user credentials and empty the account of the duped user. These attacks are pretty well orchestrated. If you click on any of the links on the phishing page, it will redirect you to the real ING website which provides extra information on the topic you clicked on.
The following tips do not only apply to the above story, but apply to any other (suspicious) email you receive:
Do not click on any of the links (or anything for that matter) in the email you have received.
Do not reply to the email.
Delete the email immediately, certainly if you are not a customer of the aforementioned bank or did not order anything, changed your password, and so on.
If you really need to access or check your bank account, visit the website directly by typing the address in your browser’s address bar. Also verify the URL starts with https instead of http.
Another useful trick is to hover over the link in the email. In the bottom left corner you should be able to see the real address behind the URL displayed.
spyeye-analysis-en.pdf
