betabug... Sascha Welter


07 February 2007

Phishing National Bank of Greece Customers

A glimpse into the pit

This morning at work I was greeted by a phishing mail (nothing rare) but in Greek - a first for me. The phishers are attempting to get people to click on links labelled "homebank.nbg.gr", apparently the homebanking site of the National Bank of Greece - which will then take them to a site with a Korean domain. In the mail message is the usual spiel about "you need to renew your login data". The message itself is quite "real" looking, with only a few "phishy" details...


First of all, looking through the headers (which no normal National Bank of Greece customer would do): The message was sent through an IP address in Germany (likely a trojaned home PC, Received: from T78cb.t.pppool.de (t78cb.t.pppool.de [89.55.120.203])), and carried a header "X-Antivirus: skaner antywirusowy poczty Wirtualnej Polski S. A." which is kind of interesting. Maybe whoever made that phishing mail is residing in Poland and didn't notice his antivirus software adding that line. The name in the "From:" header is also very un-banklike: `From: "Adventure H. Jeanie"'. I don't think anyone working at a Greek bank would be called "Adventure". They didn't get the encoding of the subject header quite right either.

National Bank of Greece phishing mail message

The logo of the bank resides on the phishers' servers, so it wasn't loaded at first in Mail.app (which is not set up to autoload remote images for me). Apart from that it looks genuine enough. I certainly didn't spot any glaring errors at first - something the phishing mails in German or English never seem to get right. There are some smallish mistakes in there though. Are only people with spelling problems attracted to a phishing "career", or do they think a few spelling mistakes will make their mails more believable?

The National Bank of Greece (Εθνική Τράπεζα της Ελλάδος) certainly has a bit of experience with phishers. Going straight to http://homebank.nbg.gr/ I was greeted with a lot of security instructions. Following those to the letter certainly would have saved any of the bank's customers from being phished. Though I can't help being not so hot about the possibility that every one of their customers follows the rules for once...

Posted by betabug at 09:46 | Comments (4) | Trackbacks (0)
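
Added example (not part of the original post): a small Python triage pass over three of the indicators described above, namely the relay host in the Received header, the stray X-Antivirus header, and a link whose visible text names a different host than its target. The Received "from" part and the X-Antivirus value are the ones quoted in the post; the receiving hop, date and link target are constructed placeholders, and the function names are hypothetical.

```python
import email, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the Received "from" part and the X-Antivirus value are quoted
# in the post; the "by" hop, date and link target are placeholders.
RAW = """\
Received: from T78cb.t.pppool.de (t78cb.t.pppool.de [89.55.120.203])
\tby mx.example.org; Wed, 7 Feb 2007 08:00:00 +0200
X-Antivirus: skaner antywirusowy poczty Wirtualnej Polski S. A.
Content-Type: text/html; charset=utf-8

<p><a href="http://other-host.example/login">homebank.nbg.gr</a></p>
"""

class Links(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self.href:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def in_domain(host, domain):
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)  # bare endswith() would accept "evilnbg.gr"

def triage(raw, domain):
    msg = email.message_from_string(raw, policy=policy.default)
    out = []
    # The topmost Received line is the one written by the receiving server.
    hop = re.search(r"from\s+(\S+).*?\[([\d.]+)\]", str(msg.get("Received", "")), re.S)
    if hop and not in_domain(hop.group(1), domain):
        out.append(("relay", f"{hop.group(1)} [{hop.group(2)}]"))
    if msg["X-Antivirus"]:
        out.append(("x-antivirus", str(msg["X-Antivirus"])))
    parser = Links()
    parser.feed(msg.get_body(("html",)).get_content())
    for href, text in parser.found:  # compare only when the link text looks like a hostname
        if re.fullmatch(r"[\w-]+(\.[\w-]+)+", text) and (host := urlparse(href).hostname) != text.lower():
            out.append(("link", f"{text} -> {host}"))
    return out
```

Calling triage(RAW, "nbg.gr") returns a list of (indicator, detail) pairs; these are hints for a human reviewer, not a verdict.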
Comments
Re: Phishing National Bank of Greece Customers

The header "X-Antivirus: skaner antywirusowy poczty Wirtualnej Polski S. A." is in Polish, meaning "X-Antivirus: antivirus scanner mail of Wirtualna Polska S.A.". Wirtualna Polska is a Polish web portal.

Posted by: Reuven at February 07,2007 11:43
Re: Phishing National Bank of Greece Customers

Interesting. Reuven, do you think they are using a webmail account to post that message? Wouldn't that be unlikely, given that the message was sent through a German IP? Could it be that Wirtualna Polska is selling or giving away antivirus software, and the phishers are using that on their own PCs?

Posted by: betabug at February 07,2007 12:05
Re: Phishing National Bank of Greece Customers

Wirtualna Polska have free email accounts, and subscribers can send/receive emails via smtp & pop3.
Wirtualna Polska provide antivirus services for their customers.
I don't think any phisher would bother to use a web only email account to send his emails.

The most likely explanation IMHO is that a PC owned by a Pole living in Germany is being used as a bot in a phishing operation.

Posted by: reuven at February 07,2007 12:22
Re: Phishing National Bank of Greece Customers

Hi all,
there are also many expression mistakes that a Greek like me would distinguish.
First: They start with "Τραπεζικές συναλλαγές" without using the article. It is actually not wrong, it could be used in an intimate conversation, but in the formality of such an announcement it does make sense, it seems clumsily written.
Second: there are no expressions such as "λόγω τεχνικής εξυπηρέτησης" (= due to technical support?!), it's completely wrong! It could be something like "λόγω συντήρησης του εξοπλισμού" (= due to hardware maintenance) or something similar.
And finally, 6 to 8 of February (and not partially and on a weekend day) is an almost absurd period (2 whole days!) to shut down all the production systems of the biggest bank of the country.

Posted by: Libero at February 14,2007 12:16