
Maybank2u Phishing

13 Jul 2009

A friend of mine sent me the following URL on 13 July 2009 at 12PM: http://rrcs-24-227-204-130.sw.biz.rr.com/i/.

 

Screenshot of the site. It looks exactly like the real maybank2u.com website, but it is a damn evil phishing site.

 

A whois on the hostname shows the server is hosted in the US, out of reach of Malaysian law enforcement. This information is not very helpful, as the server might itself be a victim of the criminal too. Criminals normally do not set up phishing sites on servers registered under their own names. They prefer to break into a third-party server and inject their code there.

 

Out of curiosity I requested the parent directory, which led me (via an automatic redirect) to a XAMPP welcome screen at http://rrcs-24-227-204-130.sw.biz.rr.com/xampp/

 

Further, I found that several default applications that ship with XAMPP were exposed and unprotected, namely phpMyAdmin and Webalizer. Browsing through phpMyAdmin did not show me any database where the criminal stored the victims' account information.

 

Surprisingly, it was the Webalizer statistics that revealed the location of the flat-file storage at http://rrcs-24-227-204-130.sw.biz.rr.com/i/database.txt, with one record per line in the format: collected username, collected password and IP address.

 

Scanning through the list, many entries show that the users were aware this was a phishing site, but a few provided what looks like real account information.

Now I wondered how the criminal would be able to transfer money to his own account. He would need a TAC code to do it, but that code is sent to the end user's mobile phone. Unless he is able to intercept it over the air...

Google answered my question. The security site at http://security.org.my/index.php?/archives/Maybank2U-Phishing-Steals-Your-TAC.html has an article on how it can be done:


This page asks for your TAC number. The way this works is pretty straightforward. You key in your username and password, and the phisher either programmatically or manually logs in to the real Maybank2U website, performs a fund transfer and requests a TAC.
All they need is to wait for you to enter the TAC into the fake website.

 

Interesting! That also means there is another file on the phishing site yet to be recovered: the file that stores the TAC values users typed in. Based on the path and naming of the account database file, I guessed it would logically be named TAC.txt. Bingo! The file exists: http://rrcs-24-227-204-130.sw.biz.rr.com/i/tac.txt, one record per line in the format: collected TAC number and IP address. All the criminal needs to do is match the IP addresses to link each TAC number with a collected Maybank2u account.

Scanning through this list again shows that many users were aware this is a phishing site. Many of them fooled around with it by providing fake TAC numbers such as 123456.
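As an added example (this is not code from the post, nor from the phishing kit), here is the join the criminal would have to perform between the two flat files: credentials from database.txt and TACs from tac.txt linked on source IP address, with a filter for the obviously fake TACs such as 123456 mentioned above. The record layout is assumed, since the post only gives the field order: fields are taken to be separated by "|", the sample lines are constructed, and the six-digit TAC length is taken from the 123456 example on the page.

```python
"""Correlate phished credentials with captured TACs by source IP.

Added example, not code from the original post or the phishing kit.
Assumed layout: one record per line, fields separated by '|', in the
field order the post describes for database.txt and tac.txt.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (not from the real files); includes a malformed
# line and a record with an invalid IP to show that both are skipped.
DATABASE_TXT = """\
alice_sample|Passw0rd!|203.0.113.10
bob_sample|hunter2|203.0.113.25
you_are_a_phisher|go_away|198.51.100.7
carol_sample|s3cr3t|203.0.113.10
not a record
dave_sample|pw|not.an.ip
"""

TAC_TXT = """\
482913|203.0.113.10
123456|203.0.113.25
000000|198.51.100.7
771520|192.0.2.99
"""

# Six digits is an assumption taken from the 123456 example on the page.
TAC_RE = re.compile(r"^\d{6}$")


def parse_records(text, fields):
    """Parse '|'-separated lines into dicts keyed by `fields`; drop bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(fields):
            continue  # malformed or tampered line: skip rather than crash
        rec = dict(zip(fields, parts))
        try:
            ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # last field is not a valid IP literal
        records.append(rec)
    return records


def looks_fake(tac):
    """Heuristic for TACs typed by people who spotted the phish (e.g. 123456)."""
    if not TAC_RE.match(tac):
        return True
    if len(set(tac)) == 1:                      # 000000, 111111, ...
        return True
    digits = [int(c) for c in tac]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}        # 123456, 654321


def correlate(database_txt, tac_txt):
    """Link each credential to the TACs captured from the same source IP.

    Returns one dict per credential: user, ip, plausible tacs, fake_tacs, and
    `ambiguous` when more than one credential came from that IP. That is the
    case where IP-only matching (the criminal's scheme) breaks down, e.g.
    several victims behind one NAT gateway.
    """
    creds = parse_records(database_txt, ("user", "password", "ip"))
    tacs = parse_records(tac_txt, ("tac", "ip"))

    tacs_by_ip = defaultdict(list)
    for t in tacs:
        tacs_by_ip[t["ip"]].append(t["tac"])
    creds_per_ip = defaultdict(int)
    for c in creds:
        creds_per_ip[c["ip"]] += 1

    linked = []
    for c in creds:
        seen = tacs_by_ip.get(c["ip"], [])
        linked.append({
            "user": c["user"],
            "ip": c["ip"],
            "tacs": [t for t in seen if not looks_fake(t)],
            "fake_tacs": [t for t in seen if looks_fake(t)],
            "ambiguous": creds_per_ip[c["ip"]] > 1,
        })
    return linked


if __name__ == "__main__":
    for row in correlate(DATABASE_TXT, TAC_TXT):
        print(row)
```

Two things the sample output makes visible: the joke entries (123456, 000000) are dropped before any TAC is treated as usable, and two victims who submitted from the same IP end up flagged as ambiguous because nothing in the captured files other than the address ties a TAC to a particular account.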

In conclusion, the motive of this criminal looks weird to me. With such a simple and poorly secured setup, he is also exposing the phishing data he collected to the public. From my log above, you can see that I made no hacking effort to obtain this information. As the situation remained unclear, I chose not to publish this blog post, as it might create unnecessary trouble for me.

However, I am not the only one aware of this. The statistics and the database itself show that many others have acquired the information just as I did.

 

Update: I revisited the site at 11.30pm.

It triggered my Firefox browser's phishing site alert. A nice feature that effectively protects the mass of Internet users. Thus, I changed my mind and decided to publish this article for educational purposes.