October 24, 2008 7:47 pm GMT

Gone fishing … Sorry, Phishing: Ocean Bank

by Gary Illyes


I think phishers feel the economic crisis, too. At least that’s what the increasing number of phishing messages I get tells me. In a few weeks the number has doubled.

Today I got an extremely blatant one, from Ocean Bank, or at least that’s what the “From” header says. The headers were forged almost to the last dot, but the phishers weren’t smart enough to forge the IPs as well.

The message body contained the following:

Attention Ocean Bank consumers!
This update is for customers who use Ocean Business and/or Personal online banking in North America.
Update your system through this official site if your account has been created before October 22, 2008.
There is no guarantee of proper operation with NOT UPDATED consumer systems.

Read more>>

Sincerely, Santos Kessler.
2008 Ocean Bank, Florida.

Following the link took me to the page shown in the picture below, a perfect copy of Ocean Bank’s layout.

[Screenshot: ocean_bankphishing]

The page refreshed within 30 seconds and tried to force a download. The download was an executable named Oceanmultissl.exe which, like almost all badware, affects only Windows-based systems, and I have to admit it is quite an interesting piece of badware: after the first run it installs itself as a Windows service; if I tried to stop the service, it shut down the whole PC. While it was running as a service with the firewall off, every minute it opened random TCP ports, and for the first, exactly 2 hours it listened for incoming connections on the opened ports. Then it gave up listening, grabbed all the contacts from the 3 mail clients installed on the PC, attempted to send the above message to all of the contacts and, on a previously opened TCP port, attempted to send the contacts as a DAT file to a remote server. Then it closed the TCP ports and went completely silent. Weird.

The messages were coming from the following IP blocks:

  • 78.36.144.0 – 78.36.159.255, Russia, ISP: AVANGARD-DSL
  • From the 200.0.0.0 – 200.255.255.255 block, LACNIC. LACNIC has disabled automated query answers, so there is no more information about the Brazilian IPs; it must be a spam haven
  • 94.50.0.0 – 94.51.255.255, Russia, block directly managed by RIPE
  • 190.21.0.0/16 (CIDR), which is managed by Terra Networks Chile S.A.
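The point about forged headers sitting next to an IP the sender could not forge is the one worth turning into a check. As an added example (not code from the original post), the Python script below walks the Received: chain of a message from the newest hop down, stops at the first hop that was not recorded by one of our own relays, and matches that connecting address against the four sender ranges listed above. It also flags the case where the HELO name claims the bank's domain while the reverse DNS recorded by our server says otherwise. The sample message, the 192.0.2.0/24 "trusted relay" range and the sendmail/Postfix-style header layout are assumptions made for the example.

```python
"""Find the originating IP of a message from its Received: chain and match it
against the sender ranges listed in the post. Added example; the message
below is constructed, not the actual phish."""
import email
import email.utils
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Sender ranges named in the post, written as CIDR. The LACNIC entry is the
# whole 200/8 that could not be resolved further, so a hit there is weak
# evidence on its own.
SUSPECT_RANGES = {
    "AVANGARD-DSL, Russia": ipaddress.ip_network("78.36.144.0/20"),
    "LACNIC 200/8 (unresolved)": ipaddress.ip_network("200.0.0.0/8"),
    "RIPE-managed block, Russia": ipaddress.ip_network("94.50.0.0/15"),
    "Terra Networks Chile S.A.": ipaddress.ip_network("190.21.0.0/16"),
}

# Assumption for the example: our own mail relays live in 192.0.2.0/24.
TRUSTED_HOPS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample, not the real phish: From: and the HELO name claim
# oceanbank.com, but the address our relay recorded is in the AVANGARD range.
SAMPLE_MESSAGE = b"""Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.org with ESMTP id ABC123; Fri, 24 Oct 2008 18:02:11 +0000
Received: from smtp.oceanbank.com (ppp78-36-150-7.avangarddsl.ru [78.36.150.7])
\tby mail.example.org with SMTP; Fri, 24 Oct 2008 18:02:09 +0000
From: "Ocean Bank" <support@oceanbank.com>
To: victim@example.org
Subject: Attention Ocean Bank consumers!
Message-ID: <20081024180209.1234@oceanbank.com>
Content-Type: text/plain

Update your system through this official site ...
"""

# "from <helo> (<rdns> [<ip>])" as written by sendmail/Postfix-style MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)


@dataclass
class Hop:
    helo: str
    rdns: Optional[str]
    ip: ipaddress.IPv4Address
    raw: str


def parse_received(raw_message: bytes) -> List[Hop]:
    """Return the Received: hops newest-first, skipping any without a
    bracketed connecting IP in the 'from' clause."""
    msg = email.message_from_bytes(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(value))  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append(Hop(m["helo"], m["rdns"], ipaddress.ip_address(m["ip"]), flat))
    return hops


def originating_hop(hops: List[Hop]) -> Optional[Hop]:
    """First hop (newest-first) whose connecting address is not one of our own
    relays. Older Received: lines were written by the sender and may be forged;
    this one was recorded by a machine we control."""
    for hop in hops:
        if not any(hop.ip in net for net in TRUSTED_HOPS):
            return hop
    return None


def classify_ip(ip: str) -> Optional[str]:
    """Label from SUSPECT_RANGES for the address, or None."""
    addr = ipaddress.ip_address(ip)
    for label, net in SUSPECT_RANGES.items():
        if addr in net:
            return label
    return None


def analyze(raw_message: bytes) -> dict:
    msg = email.message_from_bytes(raw_message)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    origin = originating_hop(parse_received(raw_message))
    if origin is None:
        return {"from_domain": from_domain, "origin_ip": None, "label": None,
                "helo_mismatch": False}
    # HELO claims the From: domain but reverse DNS disagrees: a forged header
    # sitting next to an address the sender could not forge.
    helo_mismatch = (origin.helo.lower().endswith(from_domain)
                     and not (origin.rdns or "").lower().endswith(from_domain))
    return {
        "from_domain": from_domain,
        "origin_ip": str(origin.ip),
        "origin_rdns": origin.rdns,
        "helo": origin.helo,
        "label": classify_ip(str(origin.ip)),
        "helo_mismatch": helo_mismatch,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MESSAGE).items():
        print(f"{key:14} {value}")
```

The trusted-hop list is what makes the walk honest: any Received: line below the first hop our own server wrote is sender-supplied text and proves nothing, so the script never looks past it. Run against the sample it reports origin 78.36.150.7 in the AVANGARD-DSL range with a HELO/rDNS mismatch.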

Ocean Bank is the 12th largest bank in Florida, with almost $5 billion in assets. With hundreds of thousands of customers, phishers apparently found quite fertile ground.

Remember that, for now, the only way to decrease the number of phishing messages is to increase our online awareness:

  • When you open a message, don’t click any link in it
  • Always check who the message is really coming from
  • Always remember that banks and other financial institutions don’t ask you to install software hosted on domains other than their main one, and never ask for your details by email
  • If you’re in doubt, call your private banker; that’s what they were invented for

