Recently my best friend received a call from his bank (Unicredit), telling him that his account had been temporarily blocked because of the risk of suspicious activity on it. He asked for more information, and they asked him whether he had recently entered his credentials on a website similar to the official one. He replied that he hadn't, not even on the official one; the last time he used the online banking was many months ago. As a result, they unblocked his account and he can use his money again.
2 minutes later he called me to tell me this story. I was lying on the couch checking my email, and my spam. While he was speaking, one email caught my eye:
It looks like Unicredit is facing a massive phishing attack and they are blocking accounts even without evidence of fraud.
Interesting. Let’s analyze it a bit.
The clone kit used by the attackers is very similar to the others. The attack is not even sophisticated: it uses just a form with an image as the background. Below is the structure.
The HTML files 1, 2 and 3 are just redirects to the files cc.html, inside.html and inside2.html. Let's analyze the PHP files.
1.png is the background of the login page
They look very simple. The PHP skills required in this case are very low.
Just a simple redirect that generates a random string by including random.php. See below:
This file tracks all the victims by saving their location. The results are saved into the file visit.txt. So far the number of visitors is about 3175, most of them from Italy.
Going deeper through the other files, we can see that all the information entered by the victims on the phishing website is stored inside a txt file named pinco1.txt and sent by email to the attacker.
The obfuscated content of these files is reported at the end of this article.
The other PHP files are quite similar to each other:
The only difference is the redirect. They ask the victims to enter the OTP (One Time Password) three times, so that the last one is still valid for 30-60 seconds and can be used to make transfers.
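As an added defensive example (not code from the original post, and not the kit's own code): a small Python triage scanner that walks a web root and scores PHP/HTML files on the behaviours this kit shows, namely HTML and PHP redirects, dumping POST data into a .txt file, mailing it out, and eval/base64 obfuscation. The sample files it builds, the indicator regexes and the weights are all constructed for this example; the file names only mirror the layout described above.

```python
import os
import re
import tempfile

# Indicators drawn from the behaviours described: (label, regex, weight); weights are our own choice.
INDICATORS = [
    ("html_redirect", re.compile(r'http-equiv=["\']?refresh|location\.(href|replace)', re.I), 1),
    ("php_redirect", re.compile(r'header\s*\(\s*["\']Location:', re.I), 1),
    ("post_to_txt", re.compile(r'(fwrite|file_put_contents|fopen)\s*\([^;]*\.txt', re.I), 3),
    ("mails_out", re.compile(r'\bmail\s*\(', re.I), 3),
    ("obfuscation", re.compile(r'eval\s*\(\s*(base64_decode|gzinflate|str_rot13)', re.I), 4),
]
WEIGHTS = {label: w for label, _, w in INDICATORS}

def scan_file(path):
    """Return the indicator labels present in one file, in INDICATORS order."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        text = fh.read()
    return [label for label, rx, _ in INDICATORS if rx.search(text)]

def scan_webroot(root, min_score=4):
    """Walk a web root; map relative path -> (score, labels) for files scoring >= min_score."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".html", ".htm")):
                continue
            full = os.path.join(dirpath, name)
            labels = scan_file(full)
            score = sum(WEIGHTS[l] for l in labels)
            if score >= min_score:
                hits[os.path.relpath(full, root)] = (score, labels)
    return hits

def build_sample_webroot():
    """Constructed sample files mimicking the described layout; NOT the real kit's code."""
    samples = {
        "1.html": '<meta http-equiv="refresh" content="0;url=cc.html">',
        "cc.html": '<form method="post" action="p1.php"><input name="user"></form>',
        "p1.php": '<?php $d=$_POST["user"]; file_put_contents("pinco1.txt",$d,8);'
                  ' mail($t,"log",$d); header("Location: inside.html"); ?>',
        "random.php": '<?php eval(base64_decode("...")); ?>',
    }
    root = tempfile.mkdtemp()
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(scan_webroot(build_sample_webroot()))
```

Files that only redirect (like 1.html) stay below the threshold on their own; the credential-capturing PHP and the obfuscated include are what get flagged for manual review.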
Result of the campaign so far:
- 3175 VISITORS
- MANY usernames, passwords, CC numbers, CVVs and OTPs stolen
Below is a snapshot of the two files mentioned before: