Tuesday, March 14, 2017

Deconstructing the average ScotiaBank phishing scam

I've been documenting the digital train wreck at ScotiaBank for quite some time now.  Today, I want to cover something different, though it's still to do with phishing and ScotiaBank.  But instead of pointing out how bad the bank's security is to allow phishing in the first place (they've known for a year now to switch on X-Frame-Options, for instance, and still haven't done it), I'm going to share how another angle works.

I'm going to talk about "Scotty".

If you're unacquainted with Scotty, here is the mobile version in action.


Scotty is the common ScotiaBank phishing scam kit.  It's what drives nearly every targeted attack on ScotiaBank customers.  

Written in PHP by the group l33bo_phishers, it is intelligent enough to try to display either a mobile form or a full desktop form, as well as protecting itself with session checking, blacklisting IP addresses and refusing to run in old browsers, and it logs a lot of information about the victims, including their IP addresses.  Intriguingly, it also encrypts stored information with AES (Rijndael, 128- to 256-bit, which the attacker can configure), so that any information the attacker gathers is somewhat protected until they can resell the victim information.

Scotty is primarily broken down as follows:
  • A login page - to gather the card number and password.
  • A page which gathers the user's name, social insurance details, date of birth, etc.
  • A page that gathers the user's secret question answers (shown in the image above).
  • A page that takes all this data and runs it against a list of swear words (to remove entries where the victim clearly knows it's a scam) and only posts the data if it looks legitimate.

The entire thing is configurable, so you can set whether you want logging of sent messages, what key to use to encrypt your data, enabling one-time access (so if the same IP address comes back, they're redirected to Google), and so on.

When a victim has been successfully scammed, if the attacker has switched it on, an email is sent out using this template...

[Image: the PHP email template]

So how do these kits get used?

This next bit will likely be out of date within hours of posting this, for obvious reasons.

As you can guess, it's a bit predictable, in that attackers know they only have a short window of opportunity before a bank tries to take down their sites.  Talking specifically about ScotiaBank, things work in the attacker's favour because of a delay at the bank caused by how things like this are handled.  The attackers are afforded the time to set things up, often openly cooperating between themselves, and once everything is set up they turn on the SMS messages that ask victims to visit the site and enter their information.

Naturally, this means an organization like ScotiaBank has ample warning that a scam is coming, but because they're reactive and not proactive, the attackers can take advantage of the delay the bank introduces.  In this blog post, I'll take advantage of the same delay, to show you what happens. 

So, let's jump into viewing a scam that's on everyone else's radar but not on the bank's radar.  As a refresher, there are two major teams (I call them "Team Asia" and "Team Europe") that target ScotiaBank, plus a bunch of disparate attackers whose hallmarks I can't tie to any particular team.  Here, we'll jump into what Team Asia is up to....

The current signals say there are two sites coming.
  • http://scotiabank-helps.com
  • http://wwwinterac-refund.com/INTERAC/sco
That second one is part of a bigger multi-bank scam attempt that targets everyone except CIBC and BMO, which I'll come back to some other time, once they've registered the domain and I've had time to let the CCIRC know. 

We can see the first site (scotiabank-helps.com) is already up and running in France as that was registered three days ago.  This is the same team that had scotiabank-mobile.com running last week.  In fact, everything is so textbook, they even used the same registrar to register the domain, the same hosting to host the site, etc.  

I had to wait for this one to be populated to be 100% sure that the Scotty kit is used, but "surprise!" it's running the Scotty kit.  They even posted the kit URL for the rest of the team at surplusloot.com/scotty so that it can be redeployed for the next site.

Right now, there's a clear 3 day lead that this attack is coming, and we can see that despite that 3 day lead, the bank hasn't reacted yet as the domain is still live.  It's likely to go live in the coming hours.
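The early warning described above comes down to watching newly registered domains for brand lookalikes. As an added example (not code from this post or from any of the teams it describes), here is a small Python triage script for that: it scores each domain in a feed for ScotiaBank/Interac brand tokens, near-miss spellings of those tokens, and the lure words these kits favour. The feed below mixes the three domains named in the post with constructed entries; the brand and lure word lists, the allowlist and the scoring weights are my assumptions, not data from the post.

```python
"""Flag brand-lookalike domains in a feed of newly registered names.

Added example, not code from the post. Scoring: 2 points for a label that
contains, or is within edit distance 2 of, a brand token; 1 point per lure
word. Token lists, allowlist and weights are assumptions for illustration.
"""
import re
from typing import Dict, List, Optional

# Assumed brand tokens and the bank/vendor they refer to.
BRAND_TOKENS = {"scotiabank": "ScotiaBank", "scotia": "ScotiaBank", "interac": "Interac"}
# Assumed lure words commonly seen in bank phishing hostnames.
LURE_WORDS = {"help", "helps", "mobile", "refund", "secure", "verify", "update", "login", "alert"}
# Assumed allowlist of legitimate registrable domains.
LEGIT_DOMAINS = {"scotiabank.com", "interac.ca"}
FLAG_THRESHOLD = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as a substituted character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_match(label: str) -> Optional[str]:
    """Describe how a hostname label resembles a brand token, or None."""
    contained = [t for t in BRAND_TOKENS if t in label]
    if contained:
        return f"contains brand token '{max(contained, key=len)}'"
    if len(label) >= 6:  # short labels produce too many accidental near-misses
        for token in BRAND_TOKENS:
            dist = levenshtein(label, token)
            if dist <= 2:
                return f"near-miss of brand token '{token}' (edit distance {dist})"
    return None


def assess(domain: str) -> Dict[str, object]:
    """Score one domain; labels are split on dots and hyphens."""
    d = domain.lower().strip(".")
    if d in LEGIT_DOMAINS:
        return {"domain": d, "score": 0, "reasons": ["allowlisted"]}
    score, reasons = 0, []
    for label in (x for x in re.split(r"[.-]", d) if x):
        hit = brand_match(label)
        if hit:
            score += 2
            reasons.append(hit)
        elif label in LURE_WORDS:
            score += 1
            reasons.append(f"lure word '{label}'")
    return {"domain": d, "score": score, "reasons": reasons}


def flag_lookalikes(domains: List[str], threshold: int = FLAG_THRESHOLD) -> List[Dict[str, object]]:
    """Return assessments at or above the threshold, highest score first."""
    hits = [a for a in map(assess, domains) if int(a["score"]) >= threshold]
    return sorted(hits, key=lambda a: (-int(a["score"]), str(a["domain"])))


# Constructed feed: the first three are the domains named in the post, the
# rest are made up to show a typosquat, an allowlisted name and benign noise.
NEW_DOMAINS = [
    "scotiabank-helps.com",
    "wwwinterac-refund.com",
    "scotiabank-mobile.com",
    "sc0tiabank-secure.net",
    "scotiabank.com",
    "garden-helps.org",
    "mobile-weather.com",
]

if __name__ == "__main__":
    for a in flag_lookalikes(NEW_DOMAINS):
        print(f"{a['domain']:24s} score={a['score']}  {'; '.join(a['reasons'])}")
```

In practice the feed would come from a certificate-transparency log or a newly-registered-domain list, and the flagged names go to a human for the kind of confirmation the post describes (waiting for the site to be populated), not straight to a blocklist.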

First Update:
Three hours after posting this article, I have proof the SMS campaign is now operational and this scam is underway.

[Image: proof the scam is operational]

This means that in the coming hours or day, the SMS messages will start.  Usually, you are able to pick this up on Twitter, as many people clue in that it's a scam and post about it, giving you an idea of the overall time the site stays live (which for ScotiaBank is normally between 7 and 14 days).

Once you understand the simple processes and the very long timelines involved in a standard ScotiaBank phishing scam, and understand that you can often see these scams coming a mile off, it's difficult not to question why banks such as ScotiaBank have never changed how they do digital security.

Second update - About 16hrs after posting this article, the bank got round to addressing this particular scam.  The CCIRC has acknowledged receipt that they're digesting the info I sent (way more than is posted here).  

I've been watching this process for a while now as part of my documenting the repeating failures within the bank, and it's basically a textbook procedure every time.  Given the predictability of both attacker and bank, I can't help but scratch my head in disbelief that this is still going on.