Several customers of a major bank in Chile were recently advised via email that a possible fraud with their credit cards had been detected.
Orand conducted a brief analysis of this case:
The e-mail reports a possible fraud and says that in order to cancel the offending operation the user must click on a link.
The subject line of the message reads: “Possible purchase fraud using your credit card” and the body of the message can be seen here:

This is the HTML code of the email:
*{
margin: 0;
padding: 0;
}
html, body{
width: 100%;
height: 100%;
background: #E2EAF5;
}
body{
font: normal normal .95em/120% Verdana, Arial, Helvetica, sans-serif;
z-index: -2;
}
table{
border-collapse: collapse;
empty-cells: show;
border-spacing: 0px;
}
td{
padding:0;
}
/*-------- Header --------*/
#header{
position: relative;
display: block;
width: 100%;
height: 4.5em;
background: url(http://www.bancochile.cl/images/tefTerceros/bch/backHeadComp.jpg) repeat-x top left;
}
#header h1{
position: absolute;
margin: .5em 0 0 1em;
padding: .1em 0 .3em 185px;
font: bold 1.6em/120% arial;
color: #FFF;
background: url(http://www.bancochile.cl/images/tefTerceros/bch/logoBancChileComp.jpg) no-repeat 0 0;
}
#header h1 span{
display: none;
}
/*-------- Cont --------*/
#main{
display: block;
padding: .5em 2em;
background: #FFF;
}
#cont{
clear: both;
width: 60%;
min-width: 600px;
padding-bottom: 2em;
}
#cont .text h2{
margin: .5em 0 .4em 0;
font: bold 1.4em/100% arial;
color: #6689CC;
}
#cont .text p{
margin: .2em 0 .6em 0;
font: normal .8em/130% verdana;
}
h2.tituForm{
clear: both;
float: left;
width: auto;
margin: .8em 0 0 -1px;
padding: .6em .8em;
font: bold .85em/120% arial;
color: #006;
background: #C6D5EC;
}
table{
width: 100%;
clear: both;
border: 1px solid #C6D5EC;
}
table tr{
border: 0;
}
table tr th{
padding: .3em .5em .4em .8em;
font: bold .95em/105% arial;
text-align: left;
color: #006;
background-color: #E2EAF5;
border: 1px solid #C6D5EC;
}
table tr td{
width: 50%;
padding: .6em .2em;
font: normal .7em/120% verdana;
color: #333;
border: none;
vertical-align: top;
}
table .right{
text-align: right;
margin: 0;
float: none;
}
img.sello{
margin: .3em;
float: right;
}
/*--------- -----------*/
#footer{
clear: both;
margin-top: 1em;
padding: .5em 2em;
background: #E2EAF5;
}
#footer address{
float: left;
width: 75%;
height: 5em;
padding: .5em 0 0 1.2em;
font: normal .65em/120% verdana;
letter-spacing: -.02em;
text-align: left;
border-left: 1px solid #E8EAE9;
color: #757D8A;
}
.left{
float: left;
}
.right{
float: right;
margin: .5em 0 0 .8em;
}
.colo{
background: #F5F5F5;
}
.cent{
text-align: center;
}
img.oculto{
display: none;
}
.cf:after{
content: ".";
display: block;
height: 0;
clear: both;
visibility: hidden;
}
/* Hides from IE-mac */
* html .cf{height: 1%;}
/* End hide from IE-mac */
Security receipt
Dear Sir/Madam, we inform you that our security system has detected a possible fraud
with your Banco de Chile credit card; if you agree that this is a fraud and wish to cancel this purchase, click HERE
Purchase made
Purchase details
Date:
29/03/2012
Store:
Claro Chile S.A
Product:
Online top-up for $125.000
Amount:
$125.000
Receipt number:
0000000062345998
Find out about the state guarantee on deposits at your bank or at SBIF
© 2007, Banco de Chile. All rights reserved.
The “HERE” link leads to a site hosted in Chile: http://200.54.186.251/reportesdemercado/bancochile.php
The WHOIS information for IP 200.54.186.251 shows the following:

This link automatically redirects to the original bank site.
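The mismatch visible in this message, where the styling loads images from www.bancochile.cl while the link points at a bare IP address, can be checked automatically on inbound mail. The following is an added example, not part of Orand's analysis; the sample markup and the names `LinkCollector`, `is_ip` and `analyze` are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: reuses the two image URLs and the link target quoted on
# this page; the surrounding markup is an assumption, not the original message.
SAMPLE_EMAIL = """<html><head><style>
#header{background: url(http://www.bancochile.cl/images/tefTerceros/bch/backHeadComp.jpg);}
#header h1{background: url(http://www.bancochile.cl/images/tefTerceros/bch/logoBancChileComp.jpg);}
</style></head><body><p>hacer click
<a href="http://200.54.186.251/reportesdemercado/bancochile.php">AQUI</a></p></body></html>"""
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

class LinkCollector(HTMLParser):
    """Collects <a href> link targets and <img src> asset URLs."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyze(html):
    """Return [(link, [reasons])] for links inconsistent with the asset hosts."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = (urlparse(u).hostname for u in parser.images + CSS_URL.findall(html))
    # Approximation: strip "www." instead of consulting the Public Suffix List.
    brands = {re.sub(r"^www\.", "", h) for h in hosts if h}
    findings = []
    for link in parser.links:
        host = urlparse(link).hostname or ""
        reasons = ["link host is a bare IP address"] if is_ip(host) else []
        if brands and not any(host == b or host.endswith("." + b) for b in brands):
            reasons.append("link host is not under asset host(s): " + ", ".join(sorted(brands)))
        if reasons:
            findings.append((link, reasons))
    return findings
```

Calling `analyze(SAMPLE_EMAIL)` returns the single link with both reasons attached; a message whose links stay under the same domain as its images returns an empty list.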
Conclusions
Although this is a classic case of phishing, it has two interesting aspects.
First, the e-mail was sent to actual bank customers, which means the attacker somehow managed to gain access to the email addresses of online banking customers.
Second, the web page resides on a company server and was most likely uploaded by exploiting some PHP web server vulnerability.