Re: ABC Banking Corporation phishing attack (Fwd: Messages & Alerts: 1 new message)

From: Ish Sookun <ish_at_hacklog.in>
Date: Sun, 1 Mar 2015 11:10:51 +0400

Hello SM,


On Sun, Mar 1, 2015 at 10:10 AM, S Moonesamy <sm+mu_at_elandsys.com> wrote:
>
>
> Why is "hotlinking" a problem?
>

Hotlinking isn't a problem as such but a practice that should be
discouraged for banks unless they want some elements (marketing stuff) to
be loaded directly; then the bank could put those under a different sub-domain.

Hotlinking bank logo as well as other elements makes it easier for phishing
attackers to use those and create fake pages. Those fake pages could as
well be created by downloading the images & hosted on the same server as
the fake page. Nevertheless, hotlinking makes this step one level easier.

Though it might sound insignificant in this age, loading resources from the
bank's server would put the bandwidth load on the bank itself. Does the bank
have to cater for phishing attackers' needs :-) I don't think so.


>
> How is the phishing attack you wrote about different from the one at
> https://twitter.com/ssyluchmun/status/569866706732093440
>
>

In the case of the MCB phishing attempt, the "From:" field showed the
email source as _at_mcb.mu while the one concerning ABC Banking did not.
Although the attacker did put a _at_abcbanking.mu address in the "From:"
field, the same was replaced by the real source thanks to a "sender
verification" mechanism that was enabled in the mail server.

In my original post, I mentioned this feature is enabled on the mail server
from where the attack was launched. I can't say if there is such a
mechanism on ABC Banking mail servers.

I received a reply from ABC Banking Corporation notifying me that they
have alerted CERT-MU & the latter released a general alert to their
constituency[1]. The said constituency includes "home users" but I don't
know of any such "alert" being released. Since I am not in the CERT-MU ML,
I can't say if an alert was sent out. I subscribed to CERT-MU ML last night
after having asked them to update subscription information on their page[2]
a few days ago.

[1] http://cert-mu.govmu.org/English/About_CERT-MU/Pages/Constituency.aspx
[2] http://cert-mu.govmu.org/English/Pages/Mailing-List.aspx

Regards,


Ish Sookun

*- Geek by birth, Linux by choice.*
* +-+-+-+-+-+-+-+-+-+-+*
* |H|A|C|K|L|O|G|.|i|n|*
* +-+-+-+-+-+-+-+-+-+-+ *

*https://twitter.com/IshSookun ^^ Do you tweet?*
Received on Sun Mar 01 2015 - 07:11:11 PST
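
Added example, not part of the original message: a header check a mail filter could run to tell apart the two cases described above, a "From:" left showing the bank's domain versus a "From:" that the sending server rewrote to the real source. The domains bank.example and shared-host.example, the brand string, the function names and the sample messages are all constructed, and it is an assumption that the rewritten message still carries the bank's name in the display name.

```python
from email import message_from_string
from email.utils import parseaddr

def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def _within(domain, protected):
    """True if domain is the protected domain or one of its sub-domains."""
    return domain == protected or domain.endswith("." + protected)

def classify(raw, brand, protected):
    """Compare the From: header with the envelope sender (Return-Path)."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, env_addr = parseaddr(msg.get("Return-Path", ""))
    from_dom, env_dom = _domain(from_addr), _domain(env_addr)
    if _within(from_dom, protected):
        # From: claims the bank's domain; the envelope sender must agree.
        if not env_dom:
            return "no-return-path"
        return "consistent" if _within(env_dom, protected) else "from-spoofed"
    # From: shows some other domain; flag it if it still wears the brand name.
    if brand.lower() in display.lower():
        return "brand-in-display-name"
    return "unrelated"

def _mail(from_hdr, return_path):
    """Build a constructed sample message (hypothetical helper)."""
    return "\n".join(["Return-Path: <%s>" % return_path,
                      "From: %s" % from_hdr,
                      "Subject: Messages & Alerts: 1 new message",
                      "", "constructed body"])

# Constructed samples using placeholder domains.
SAMPLES = {
    "from_left_as_forged": _mail("Example Bank <alerts@bank.example>",
                                 "www@shared-host.example"),
    "from_rewritten_by_server": _mail("Example Bank <www@shared-host.example>",
                                      "www@shared-host.example"),
    "genuine": _mail("Example Bank <alerts@bank.example>",
                     "bounce@mail.bank.example"),
}

def run():
    return {name: classify(raw, "Example Bank", "bank.example")
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run().items():
        print(name, "->", verdict)
```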
