Attackers Use a Bag of Tricks to Target Greek Banking Customers

Recently, the Cofense™ Phishing Defense Center observed a phishing campaign targeting Greek-speaking users and customers of Alpha Bank, the fourth-largest Greek bank. We observed threat actors using multiple tactics to harvest login credentials, including usernames, passwords, and secret-question answers. This information would allow the threat actors to access unsuspecting victims’ accounts, drain funds, and perhaps reuse those credentials on other websites.

Fig 1. Email header of phishing page spoofing Alpha Bank

Taking a closer look at the email header, we can determine that the threat actor has manipulated the “From” field to make it appear the phish originated from the email address “ecommerce[@]alpha[.]com”, but we can see from the message ID that it came from the domain “wp-mail[.]webstarterz[.]com”.
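The header inconsistency described above is easy to check mechanically. The following is an added example, not part of the original post: it parses a constructed set of headers modelled on the campaign (the "From" and Message-ID domains are the defanged values from the post, re-fanged so the parser accepts them) and flags a message whose "From" domain does not match the domain in its Message-ID. The two-label "base domain" heuristic is an assumption made to keep the example offline; a production check would use a public suffix list.

```python
import email
from email.utils import parseaddr

# Constructed sample headers modelled on the phishing email in the post.
SPOOFED_HEADERS = """\
From: Alpha Bank <ecommerce@alpha.com>
To: customer@example.invalid
Subject: Password update
Message-ID: <20180101000000.ABC123@wp-mail.webstarterz.com>

(body omitted)
"""

# Constructed sample of a message whose headers agree with each other.
CONSISTENT_HEADERS = """\
From: Newsletter <news@example.com>
To: customer@example.invalid
Subject: Monthly update
Message-ID: <20180101000000.XYZ789@mail.example.com>

(body omitted)
"""


def header_domain(value):
    """Return the lowercase domain of an address-like header ("From", "Message-ID")."""
    _, addr = parseaddr(value or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(">")


def base_domain(host):
    """Crude registrable-domain heuristic: keep the last two labels.

    Assumption for this example: no public suffix list is available, so
    'co.uk'-style suffixes would be mishandled; use a PSL library in practice.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_sender_consistency(raw_message):
    """Compare the "From" domain with the Message-ID domain and report a mismatch."""
    msg = email.message_from_string(raw_message)
    from_dom = header_domain(msg.get("From", ""))
    msgid_dom = header_domain(msg.get("Message-ID", ""))
    # Only flag when both headers are present; a missing Message-ID is a
    # separate anomaly and is reported through the empty domain field.
    mismatch = bool(from_dom and msgid_dom) and base_domain(from_dom) != base_domain(msgid_dom)
    return {
        "from_domain": from_dom,
        "message_id_domain": msgid_dom,
        "mismatch": mismatch,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_HEADERS), ("consistent", CONSISTENT_HEADERS)):
        print(label, check_sender_consistency(raw))
```

A mismatch on its own is not proof of spoofing (mailing-list relays and third-party senders legitimately produce it), which is why the result carries both domains for an analyst to review rather than a verdict.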

Fig 2. Greek-language phishing page spoofing the Alpha Bank brand

At first glance, the email body looks ordinary. The Greek message body translates to:

“Dear customer,

We have noticed that your password has been unchanged for a longer period of time.

We kindly advise you to change your password for your own security.

Follow the link below to change your password:

hxxps://www[.]alpha[.]gr/e-banking/gr/upostirixi-asfaleia/

Copyright © 2018 Alpha Bank. All rights reserved.”

Fig 3. Phishing email’s message body in plain text

The hyperlinked URL appears to be a legitimate link to the Alpha Bank website. However, if we view the email body in plain text without HTML styling, we can see that the link displayed as “hxxps://www[.]alpha[.]gr/e-banking/gr/upostirixi-asfaleia/” actually sends the user to a proxy page, “hxxps://begumyamanlar[.]com/wtuds/wtuds/”, which then redirects the victim to the main phishing page, “hxxp://actio[.]website/alpha/fd7b51e25dde940c306f448a5c04f509/login[.]php?”
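The mismatch between the visible link text and the real destination can be detected without viewing the message in plain text. The following is an added example, not code from the original post: it walks the anchors in a constructed HTML body modelled on the email above (the hosts are the post's defanged values, re-fanged for parsing) and reports every link whose displayed text is itself a URL pointing at a different host than the href. The URL-shaped-text regex and the exact host comparison are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML fragment modelled on the phishing email's message body.
SAMPLE_HTML = """
<p>Follow the link below to change your password:</p>
<p><a href="https://begumyamanlar.com/wtuds/wtuds/">https://www.alpha.gr/e-banking/gr/upostirixi-asfaleia/</a></p>
<p><a href="https://www.alpha.gr/">Alpha Bank</a></p>
"""

# Heuristic: anchor text "looks like a URL" if it is an optional scheme, a
# dotted host and an optional path with no whitespace (assumption of this example).
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def href_host(href):
    """Lowercase host of an href, or '' if it has none."""
    return (urlparse(href.strip()).hostname or "").lower()


def text_host(text):
    """Lowercase host of anchor text if the text looks like a URL, else ''."""
    s = text.strip()
    if not URL_LIKE.match(s):
        return ""
    if "://" not in s:
        s = "//" + s  # let urlparse treat a scheme-less value as a netloc
    return (urlparse(s).hostname or "").lower()


def find_deceptive_links(html):
    """Return links whose displayed URL text points at a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        shown = text_host(text)
        if shown and shown != href_host(href):
            findings.append({"shown": text, "actual": href})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_HTML):
        print("display text:", f["shown"], "-> real target:", f["actual"])
```

Anchors whose text is a brand name rather than a URL ("Alpha Bank" in the sample) are deliberately not flagged: the check targets the specific trick in this campaign, where the visible URL itself is the lie.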

Fig 4. Main phishing webpage spoofing Alpha Bank

This main phishing page asks the user to authenticate with a username, password, and a security code. Once this information has been entered, the victim is asked for an additional security code three times. One can assume this is to ensure that the information entered is correct.

Fig 5. Phishing page asking for security code

Once the code has been entered, we are redirected to a website used by Alpha Bank to handle mobile payments, called “My Alpha Wallet” (Fig 5.).

Fig 6. Redirected to official Alpha Bank page

Conclusion:

Credential phishing attacks are on the rise, and this particular example blends multiple tricks to entice the user into submitting personal information. First, the attacker spoofs the “From” line, suggesting the email originates from a trusted source. Second, the attacker baits the victim with a sense of urgency and risk by informing the victim that the account password is at risk. Third, the attacker uses deceptive URLs which at first glance appear to point to the legitimate banking website. If unsuspecting victims fall for these tricks, they are directed to a realistic-looking clone of their bank’s website and prompted to enter their credentials. The attacker even asks the user to authenticate multiple times to verify that the information submitted is correct. Lastly, in an attempt to cover their tracks, the attacker redirects the victim’s browser to the legitimate banking website.

Always check links before clicking on them and always verify that you are on an official website before you enter your credentials.

IOCs

Malicious URLs:

hxxps://begumyamanlar[.]com/wtuds/wtuds/

hxxp://actio[.]website/alpha/6beafdf1ad1a8b2f674deed03762798f/login[.]php?

Malicious Domains:

webstarterz[.]com

begumyamanlar[.]com

actio[.]website

Malicious IPs:

162[.]241[.]189[.]75

98[.]129[.]229[.]246

Malicious SMTP server:

wp-mail[.]webstarterz[.]com (10[.]1[.]31[.]40)


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.
