Sunday, September 2, 2007

Pharming and One Time Passwords (OTP)

Sadly, pharming is increasing in Mexico, with local "look & feel" and targeting online banks, mainly Banamex.

Banamex (Citigroup in Mexico) is one of the largest banks in Mexico, so it is natural for phishers to target the users of this bank. But it isn't just about the number of users: Banamex uses the NETKEY token to grant online access. So you may wonder why criminals are targeting Banamex if two-factor authentication is used.

The reason is that NETKEY is a "sequence-based token": a new pseudo-random number is given to the user each time he/she pushes a key on the token, but that number won't expire after some time (as the codes of time-based tokens do).

Criminals fool the user into thinking that he/she has reached the bank's website; the phishing page then captures the login, the password and the OTP and shows the user a message like "we're under maintenance, please come back in a few hours"; finally the phisher logs in to the genuine online bank and steals the money (as long as the user doesn't log in to the genuine website before the e-robbery takes place).

The problem here is that the OTP doesn't expire (I've tried with my NETKEY and I could log in two hours after reading the OTP on NETKEY's display), so the phisher has more time to steal the money. Other banks use time-based tokens, so the phisher would need to log in with the stolen credentials within sixty seconds or less. Banamex should adopt the time-based solution; in the meantime its users are at risk.
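To make the difference between the two token families concrete, here is an added example (not code from the original post, and not a description of NETKEY's real algorithm, which the post does not give). It uses the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms as stand-ins for a sequence-based and a time-based token respectively, with a constructed seed, and replays a code two hours after it was read. The event-based server still accepts it; the time-based server does not. It also shows the post's caveat: once the victim authenticates with a newer code, the sequence-based server's counter moves past the stolen one.

```python
import hmac
import hashlib
import struct

# Constructed demo seed (the RFC 4226 test vector); a real token's seed
# is provisioned by the bank and never leaves the device.
SECRET = b"12345678901234567890"
DIGITS = 6
TIME_STEP = 30  # seconds per TOTP step, the usual value


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class EventTokenServer:
    """Server side of a sequence-based (event) token. It accepts any of the
    next `window` codes and then advances past the one used, so a code that
    was never used stays valid no matter how much time passes."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.counter = 0  # next expected counter value
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # burn this code and every earlier one
                return True
        return False


class TimeTokenServer:
    """Server side of a time-based token: accepts the current step plus one
    step of clock drift either side, and nothing older."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift = drift_steps

    def verify(self, code: str, now: int) -> bool:
        step = now // TIME_STEP
        for s in range(step - self.drift, step + self.drift + 1):
            if hmac.compare_digest(hotp(self.secret, s), code):
                return True
        return False


def replay_after_delay(delay_seconds: int) -> dict:
    """The scenario in the post: the victim reads an OTP from the display,
    the phisher tries it `delay_seconds` later. Reports which server accepts it."""
    t0 = 1_188_691_200  # constructed timestamp: 2 Sep 2007 00:00 UTC
    stolen_event_code = hotp(SECRET, 0)   # first press of an event token
    stolen_time_code = totp(SECRET, t0)   # code a time token showed at t0
    return {
        "event_token_accepts_stale_code": EventTokenServer(SECRET).verify(stolen_event_code),
        "time_token_accepts_stale_code": TimeTokenServer(SECRET).verify(
            stolen_time_code, t0 + delay_seconds),
    }


def victim_logs_in_first() -> bool:
    """The post's caveat: if the victim logs in with a newer code before the
    phisher replays the stolen one, the counter has moved past it."""
    server = EventTokenServer(SECRET)
    stolen = hotp(SECRET, 0)                # read off the phishing page
    assert server.verify(hotp(SECRET, 1))   # victim presses again, logs in for real
    return server.verify(stolen)            # stale code is now rejected


if __name__ == "__main__":
    print("two hours later:", replay_after_delay(7200))
    print("stolen code still works after the victim logged in?", victim_logs_in_first())
```

The two-hour delay the author measured is the argument of `replay_after_delay`; the event-token server's acceptance window is the real weakness, since nothing in the protocol ties the code to a deadline.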

Now, for the attack-vector part: the lure message says "a Finnish kid was condemned because of a YouTube video", and at the end of the text it prompts the user to download the supposed video.

The file is a .rar that contains an executable which modifies the hosts file and also opens a browser window with a video from YouTube (in fact the video is in Spanish).
The md5 of this file is: b845cbb13117a9776852bc86a802b51a
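A defender-side check for the hosts-file tampering described above, added here as an example (not code from the original post). It parses hosts-file text and flags any entry that pins the bank's domain, or a subdomain of it, to an address, since a bank hostname has no business in a local hosts file. The sample hosts content and the redirect address are constructed (the address is from the TEST-NET-3 documentation range, not the one the dropper used); `banamex.com` is the domain the post names.

```python
import ipaddress

# Domains to watch. Constructed list; banamex.com is the one the post names.
WATCHED_DOMAINS = {"banamex.com"}

# Constructed sample modelled on the tampering the post describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.  (constructed header)
127.0.0.1       localhost
::1             localhost
# lines below were appended by the dropper (constructed, TEST-NET-3 address)
203.0.113.10    banamex.com www.banamex.com
203.0.113.10    www2.banamex.com   # constructed subdomain
"""


def parse_hosts(text: str) -> list:
    """Parse hosts-file text into (ip, hostname, line_number) triples,
    skipping blank lines, comments and lines without a valid address."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower().rstrip("."), lineno))
    return entries


def suspicious_entries(text: str, watched=WATCHED_DOMAINS) -> list:
    """Return every hosts entry that maps a watched domain or one of its
    subdomains to an address, with the line number for the incident record."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append({
                "line": lineno,
                "host": name,
                "ip": ip,
                "loopback": ipaddress.ip_address(ip).is_loopback,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} pinned to {f['ip']}")
```

`suspicious_entries` takes the file contents as a string, so the same function can be pointed at `/etc/hosts` or, on Windows, `%SystemRoot%\System32\drivers\etc\hosts`; an empty result for a bank's domain is the expected state, and any hit is grounds to treat the machine as compromised before the user logs in anywhere.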

3 comments:

Eduardo said...

Today I was able to log in with a two-days old OTP to my Banamex account.

Anonymous said...

Today my father's account was wiped out. A modified hosts file redirects the banamex.com page to 64.51.15.31; today that page shows a Fedora Core test page.

:(

What can we do about this !"#!"#s

Eduardo said...

You can contact the Mexican "cyber police" and the CONDUSEF if you're in Mexico; they can help you to find a solution and to prosecute the crime. But be aware that it can be a long process and in many cases the bank DOESN'T WANT to help at all.

Mexican cyberpolice (01-800-440-3690 within Mexico; 52-4104-20 ext. 1151 if you are in Mexico City); Condusef (53400-0999/01800-999-8080)