We received a large amount of phishing emails targeting Postbank customers in Germany. Well, perhaps "targeting" is too strong a word; "annoying" may be more accurate. Just have a look at the way the email is presented.
Because the email was sent in large amounts, I decided to follow the link to see whether the page was still online. It was, despite being addressed via a dynamic DNS name, and such names are usually very volatile. The computer seems to be located in Canada.
The faked Postbank page hosted on that computer was flawless: a perfect copy of the Postbank online banking page. After entering some junk into the fields and clicking the login button, I noticed a flickering of the page – and the web browser was redirected to the official Postbank page.
This looks like a classic trick, but it was very, very fast. So I decided to dig deeper. In the source code the following can be seen:
<form name="loginForm" method="post" action="index/main.php">
Something is saved, and then the browser is redirected. While trying to fetch the PHP script, I saw the following (the hostname is replaced with x and the IP address with a.b.c.d):
Resolving x.static.privatedns.com... a.b.c.d
Connecting to x.static.privatedns.com|a.b.c.d|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://banking.postbank.de/app/login.do [following]
https://banking.postbank.de/app/login.do: Unsupported scheme.
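As an added example (not code from the original post), the two observations above can be turned into a small offline triage check: a login form that contains a password field but posts to a script on the look-alike host instead of the bank's domain, and a collection script that answers with a 302 whose Location is the genuine bank login. The HTML below, the `LEGIT_DOMAINS` allow-list and the response headers are constructed for the example; the two-label "registrable domain" shortcut is an assumption that is good enough for `.de` and `.com` hosts but not for suffixes like `.co.uk`.

```python
"""Offline triage heuristics for a suspected phishing page (added example).

1. suspicious_forms(): flag forms with a password field whose action resolves
   to a host outside the brand's legitimate domains.
2. is_redirect_to_legit(): recognise the "store credentials, then 302 to the
   real bank" pattern from a captured status line and headers.
All inputs below are constructed sample data, not captures from the post.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed allow-list: the brand's real domain(s) the page should post to.
LEGIT_DOMAINS = {"postbank.de"}


def registrable(host: str) -> str:
    """Reduce a hostname to its last two labels (assumption: 2-label suffix)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class FormCollector(HTMLParser):
    """Collect <form> elements and count password <input>s inside each."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "name": a.get("name", ""),
                "method": (a.get("method") or "get").lower(),
                "action": a.get("action", ""),
                "password_fields": 0,
            }
            self.forms.append(self._current)
        elif (tag == "input" and self._current is not None
              and (a.get("type") or "").lower() == "password"):
            self._current["password_fields"] += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(page_url: str, html: str) -> list:
    """Return credential forms whose resolved action is not on a legit domain."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname or ""
    findings = []
    for form in parser.forms:
        if form["password_fields"] == 0:
            continue  # no credentials collected here
        target = urljoin(page_url, form["action"])  # relative actions stay on the fake host
        target_host = urlsplit(target).hostname or ""
        if registrable(target_host) not in LEGIT_DOMAINS:
            findings.append({"form": form["name"], "method": form["method"],
                             "posts_to": target, "served_from": page_host})
    return findings


def is_redirect_to_legit(status: int, headers: dict) -> bool:
    """True for a 3xx whose Location points at the brand's real domain."""
    if not 300 <= status < 400:
        return False
    location_host = urlsplit(headers.get("Location", "")).hostname or ""
    return registrable(location_host) in LEGIT_DOMAINS


# Constructed sample: a look-alike page on a dynamic DNS host (x is a placeholder).
SAMPLE_URL = "http://x.static.privatedns.com/"
SAMPLE_HTML = """
<html><body>
<form name="loginForm" method="post" action="index/main.php">
  <input type="text" name="account">
  <input type="password" name="pin">
  <input type="submit" value="Login">
</form>
</body></html>
"""
# Constructed sample: what the collection script answered.
SAMPLE_STATUS = 302
SAMPLE_HEADERS = {"Location": "https://banking.postbank.de/app/login.do"}

if __name__ == "__main__":
    for f in suspicious_forms(SAMPLE_URL, SAMPLE_HTML):
        print("credential form", f["form"], "posts to", f["posts_to"])
    print("redirect-to-real-bank pattern:",
          is_redirect_to_legit(SAMPLE_STATUS, SAMPLE_HEADERS))
```

The same check run against the real login page yields no finding, because the form action resolves to the bank's own domain; the combination of a flagged form plus a 302 to the legitimate site is the signature worth alerting on, since a legitimate site has no reason to bounce a login through a third host.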
As usual, Avira users are on the safe side: The emails are marked as phishing and the URL is blocked by Avira products.
Data Security Expert