A brief analysis of a Postbank Germany Phishing

We received a large amount of phishing emails targeting Postbank customers in Germany. Well, perhaps "targeting" is too strong a word; "annoying" fits better. Just have a look at the way the email is presented.

Because the email was sent in large amounts, I decided to follow the link to see if the page was still online. It was, even though it was addressed via a dynamic DNS name, and such names are usually very volatile. The computer seems to be located in Canada.

The fake Postbank page hosted on that computer was flawless: a perfect copy of the Postbank online banking page. After entering some junk into the fields and clicking the login button, I noticed the page flicker, and the web browser was redirected to the official Postbank page.

This looks like a classical trick, but it happened very, very fast, so I decided to dig deeper. The following code can be seen in the page source:

<form name="loginForm" method="post" action="index/main.php">
<script type="text/javascript">

Something is saved and then the browser is redirected. When I tried to fetch the PHP script, I saw the following (the hostname is replaced with x and the IP address with a.b.c.d):

wget http://x.static.privatedns.com/~smile/banking.postbank.de/index/main.php
--09:24:53--  http://x.static.privatedns.com/~smile/banking.postbank.de/index/main.php
           => `main.php'
Resolving x.static.privatedns.com... a.b.c.d
Connecting to x.static.privatedns.com|a.b.c.d|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://banking.postbank.de/app/login.do [following]
https://banking.postbank.de/app/login.do: Unsupported scheme.

As suspected, a forced redirect is taking place. On this occasion I noticed something interesting about how Firefox behaves with Google Safe Browsing enabled: if a page is reported as a Web Forgery and the user chooses to visit it anyway despite the warning, Firefox completely disables the JavaScript interpreter for that page. Nicely done, Mozilla developers! This way even curious users are protected.
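The store-then-bounce pattern seen in the wget output above (an off-brand form handler answering the POST with a 302 onto the real bank) can be checked for automatically. The following is an added example, not code from the post or from Avira; the page URL, the HTML and the handler response are constructed to mirror the quoted snippet, with the hostname placeholder x kept from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample modelled on the snippet quoted in the post: the fake page sits on a
# dynamic-DNS host, and only its *path* contains the bank's hostname.
PAGE_URL = "http://x.static.privatedns.com/~smile/banking.postbank.de/index.html"
PAGE_HTML = '<form name="loginForm" method="post" action="index/main.php"></form>'
# Constructed model of the (status, Location) the form handler returned to wget above.
HANDLER_RESPONSE = (302, "https://banking.postbank.de/app/login.do")
BRAND_DOMAIN = "postbank.de"

class FormActionExtractor(HTMLParser):
    """Collect the raw action attribute of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")

def form_targets(page_url, html):
    """Return the absolute URL each form on the page posts to."""
    parser = FormActionExtractor()
    parser.feed(html)
    return [urljoin(page_url, action) for action in parser.actions]

def belongs_to(host, domain):
    """True only if host is the brand domain or a subdomain of it; a naive
    substring test ('postbank.de' in url) would be fooled by the path in PAGE_URL."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)

def looks_like_harvester(target_url, brand_domain, status, location):
    """Flag the store-then-bounce pattern: the form handler is off-brand and answers
    the POST with a redirect onto the brand's real site."""
    if belongs_to(urlsplit(target_url).hostname, brand_domain):
        return False  # the brand's own form handler, nothing to flag
    if status not in (301, 302, 303, 307, 308) or not location:
        return False  # no redirect, pattern does not match
    return belongs_to(urlsplit(location).hostname, brand_domain)

def flag_page(page_url, html, brand_domain, response):
    """List the form targets whose handler bounces the victim to the brand. In a live
    check each target would be fetched with redirects disabled; here the constructed
    response stands in for that fetch."""
    status, location = response
    return [t for t in form_targets(page_url, html)
            if looks_like_harvester(t, brand_domain, status, location)]
```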

As usual, Avira users are on the safe side: The emails are marked as phishing and the URL is blocked by Avira products.

Sorin Mustaca
Data Security Expert