Phishing is commonly understood as a fake e-mail that tries to lure users into entering their passwords, PIN codes or other personal information on a fake website. Both the e-mail and the website present themselves as some well-known brand, such as eBay, PayPal or a bank. It’s an easy attack to perform, since it only requires a website that looks similar to the real one.
In Brazil, however, attacks like this are rare. And the heavy use of the word “phishing” to describe the attacks we have here ended up distorting the term. Phishing, in Brazil, is applied to any social-engineering attack used in e-mail messages, even when no fake websites are involved and no data is stolen… at first.
I don’t need a calculator or a database to help me remember how many actual phishing attacks I have seen targeting Brazilian banks. Three. All targeted government-owned banks: two targeted Banco do Brasil, and the other, which had the HTML forms inside the e-mail message itself, was aimed at Caixa Economica Federal (“CEF”) clients. There could have been many more, but all other phishing attacks I’ve seen only try to grab Orkut passwords (which are later used to send spam or messages spreading trojans).
However, we have lots of fake messages that try to lure users into installing trojan horses with the same goal of stealing the user’s bank account information. I’ve seen over 300 such messages in the last two months (that is about 5 new messages per day, but they aren’t unique, only the links they point to) trying to trick users into clicking a link that will get them one of these trojans, that is, a Banker/Bancos malware piece. The messages were sent through e-mail, Orkut or MSN Messenger.
Because the criminals don’t need to convince the users that they’re from a bank (the trojan horse has the task of stealing data once the user logs into the bank’s website), the messages have all kinds of themes. Greeting cards, secret lover confessions, debt warnings, police investigations and porn are some common subjects. This is what we call phishing (wrongly, in my view).
Currently, the most popular message is one targeted at Orkut users which says that child porn was found in their profile and that they have to “click here” to send an explanation. Needless to say, it’s all fake. Similar messages claim to be from the Federal Police. A recent attack got international coverage as it used the airplane crash that killed more than 200 people in a Brazilian airport.
There’s one message that claims to be from a bank, pretending to be a software update. Like all the others, it also makes the user install a trojan horse. However, unlike the others, the trojan doesn’t stay active in memory. Instead, it searches the user’s hard drive for the access certificates to the bank’s internet banking site. If one is found, it asks the user for the password for the certificate. If none are found, the trojan simply quits.
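As an added illustration of the pattern described above (not code from the original post): a small Python triage rule that flags a message only when one of these lure themes is combined with a link that points to an executable download, which is what separates a Banker dropper lure from an ordinary bill or greeting-card notification. The theme keyword lists and the sample messages are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Lure themes described in the post (constructed keyword lists, Portuguese and English).
LURE_THEMES = {
    "greeting_card": ["cartão virtual", "greeting card", "virtual card"],
    "debt_warning": ["fatura", "débito", "serasa", "spc", "unpaid bill"],
    "police": ["polícia federal", "federal police", "investigação"],
    "orkut": ["orkut", "comunidades proibidas", "perfil"],
    "romance": ["alguém que te ama", "someone who loves you", "apaixonado"],
}
# File types a lure link delivers when it drops a trojan instead of showing content.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE)
HREF = re.compile(r'href\s*=\s*["\']?([^"\' >]+)', re.IGNORECASE)

def extract_links(html: str) -> list[str]:
    """Return every href value found in the message body."""
    return HREF.findall(html)

def lure_themes(text: str) -> list[str]:
    """Return the sorted list of lure themes whose keywords appear in the text."""
    lowered = text.lower()
    return sorted(t for t, words in LURE_THEMES.items() if any(w in lowered for w in words))

def score_message(html: str) -> tuple[str, dict]:
    """Verdict is 'suspect' only when a lure theme and an executable link occur together;
    a themed message without an executable link (e.g. a real bill) stays 'clean'."""
    links = extract_links(html)
    exe_links = [l for l in links if EXECUTABLE_EXT.search(urlparse(l).path)]
    themes = lure_themes(html)
    verdict = "suspect" if themes and exe_links else "clean"
    return verdict, {"themes": themes, "executable_links": exe_links}

# Constructed sample messages; example.invalid is a reserved, non-routable domain.
SAMPLES = {
    "card": '<p>Você recebeu um cartão virtual de um amigo!</p>'
            '<a href="http://example.invalid/cartao.exe">Clique aqui</a>',
    "bill": '<p>Sua fatura de R$ 1.240,00 não foi paga. Evite o SPC.</p>'
            '<a href="http://example.invalid/boleto.scr?id=7">ver fatura</a>',
    "orkut": '<p>Material proibido foi encontrado no seu perfil do Orkut. '
             'Explique-se à Polícia Federal.</p>'
             '<a href="http://example.invalid/explicacao.pif">Clique aqui</a>',
    "legit": '<p>Sua fatura está disponível.</p>'
             '<a href="https://example.invalid/fatura.pdf">ver</a>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, score_message(body))
```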
Examples
Greeting card
A greeting card e-mail message. It says that someone sent you the card. There’s also a note indicating that the message has been scanned by anti-virus software.
Order Received
This message pretends to be from a popular online store. It informs the user that he/she bought a cellphone and asks the user to click the link to obtain more information.
You Haven’t Paid Your Bills
This one tells the user that he/she didn’t pay the cellphone bill (the message cites large amounts) and threatens to put the user’s name in a credit protection service if he/she doesn’t “click the link” to get more information and pay the bill.
Someone Loves You
This message says there’s a virtual card waiting from “someone who loves you”. This one is mostly visual, but others contain long romantic messages and poems, followed by a link said to hold “pictures” of the person who sent the message.
Explain Yourself
This is an Orkut scam. It says that the user has been accessing “prohibited” communities. If the user doesn’t “click here” to explain himself, his account will be deleted and all his data will be handed over to the Federal Police.
The troubling thing is that I sometimes get help requests from people who want to know what they did wrong and how to make sure that their account doesn’t get deleted. They really get worried — and that’s why they fall for it.