Once, while going through my e-mail, I came across spam from BinBank. This was especially strange, since it was not offering banking services but something along the lines of "70,000 rubles a day". It seems spammers have started sending letters on behalf of various companies (probably to get past some filters). If you are interested in reading about forged letters from the largest Russian banks and their security services' complete disregard of the problem, welcome under the cut.
A simple enough example of a fake letter.
First, a little theory. E-mail is a very convenient thing with one rather serious drawback: it is very easy to forge a letter. You can't always be sure that a letter was sent by the bank and not by some malicious hacker who wants to steal your money. To protect against this, SPF and DMARC were invented (they have already been written about many times on Habr: one, two, and three). Briefly, these technologies let a domain owner declare who may send mail from the domain and what receivers should do with forged letters.
Forged letters, used skillfully, can be very dangerous: think about how a person would react on receiving not dumb spam but a plausible letter from the bank's own domain asking them to change their password, or advertising a new banking service where you can log in with your main account and get a bunch of bonuses. I am sure many would believe such a letter and act on it.
It turns out that BinBank forgot about this problem and left its users at risk. I immediately wrote to technical support describing it. After a while I received a polite reply from the bank apologizing for the inconvenience.
When I realized that tech support was not interested in this at all, I decided to see which other banks have the same problem.
I selected the following banks from the banki.ru rating:
- Sberbank
- VTB
- Tinkoff
- Gazprombank
- Opening
- Rosselkhozbank
- Alfa Bank
- Credit Bank of Moscow
- Promsvyazbank
- UniCredit Bank
- BINBANK
- Rosbank
- Raiffeisenbank
- Joint-Stock Bank "Russia"
- Growth Bank
- Sovcombank
- AK Bars
- Bank Uralsib
- Russian Standard Bank
- National Bank "Trust"
- Citibank
- Avant-garde
- Modbank
- DeltaCredit
- Transcapitalbank
- SMP Bank
- Setelem Bank
- Loko Bank
- Bank "Saint-Petersburg"
Then I checked whether they use SPF and DMARC. There is a rather dangerous misconception that SPF alone is enough to protect a domain from forged letters: in fact, many mail services ignore SPF (hello, mail.ru), and SPF will not protect you from forged letters sent from non-existent subdomains. Be sure to use DMARC.
The good news is that all but four banks (Promsvyazbank, Rossiya Bank, Sovcombank, Uralsib) had at least set up SPF.
Five banks (Sberbank, Gazprombank, BINBANK, Rosbank and Citibank) almost managed to set up DMARC, but the policy they chose (p=none) does not require receivers to take any action on forged letters.
And only one bank was protected at the time of the check: Tinkoff. Probably having a bug bounty program for found vulnerabilities and an adequate security service means something.
Overall, the results turned out very sad: only one bank out of 28 is protected (I am almost sure that other banks that did not make the list have the same problem).
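The grouping used above (no SPF, SPF only, DMARC with p=none, enforcing DMARC) can be reproduced offline from a domain's TXT records. The following is an added example, not code from the original post; it works on constructed sample records for hypothetical domains (the `bank-*.example` names and their records are made up) rather than querying DNS, and it also flags the subdomain case from the SPF caveat above via the DMARC `sp` tag.

```python
"""Offline SPF/DMARC posture check, grouped the way the article groups the banks.
Input is the TXT records fetched for <domain> and for _dmarc.<domain>."""

def parse_spf(txt_records):
    """Return the SPF record, or None if absent (or duplicated, a permanent error)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def parse_dmarc(txt_records):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict, or None if there is no record."""
    for record in txt_records:
        if record.replace(" ", "").lower().startswith("v=dmarc1"):
            tags = {}
            for part in record.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None

def posture(root_txt, dmarc_txt):
    """Classify a domain from its apex TXT records and its _dmarc TXT records."""
    spf, dmarc = parse_spf(root_txt), parse_dmarc(dmarc_txt)
    if dmarc is None:
        return "spf-only" if spf else "unprotected"
    p = dmarc.get("p", "none").lower()   # 'p' is required; a missing one acts like none
    sp = dmarc.get("sp", p).lower()      # subdomains inherit p unless sp overrides it
    if p == "none":
        return "dmarc-monitor-only"      # receivers are only asked to send reports
    if sp == "none":
        return "protected-apex-only"     # mail from forged subdomains still passes
    return "protected"

# Constructed sample records for hypothetical domains (not the banks in the article).
SAMPLES = {
    "bank-a.example": ([], []),
    "bank-b.example": (["v=spf1 include:_spf.mailer.example ~all"], []),
    "bank-c.example": (["v=spf1 ip4:203.0.113.0/24 -all"],
                       ["v=DMARC1; p=none; rua=mailto:dmarc@bank-c.example"]),
    "bank-d.example": (["v=spf1 ip4:203.0.113.0/24 -all"], ["v=DMARC1; p=reject; sp=none"]),
    "bank-e.example": (["v=spf1 -all"], ["v=DMARC1; p=reject; rua=mailto:d@bank-e.example"]),
}

def classify_all(samples=SAMPLES):
    """Map each domain to its posture, e.g. to build a table like the article's."""
    return {domain: posture(root, dmarc) for domain, (root, dmarc) in samples.items()}

if __name__ == "__main__":
    for domain, result in classify_all().items():
        print(f"{domain:16} {result}")
```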
I sent each bank a letter describing the problem. And here it got even sadder: after a week of waiting and re-sending letters, I received only four adequate answers (from Promsvyazbank, Rosselkhozbank, Sberbank and Citibank). The rest either ignored the letters or sent a standard message that my request had been received and I would get an answer soon (I didn't). Special greetings to Gazprombank, which wanted to communicate only by phone.
More than a month has passed since the last notification about the vulnerability (the last letter was sent on March 6), and the results are as follows: Sberbank has successfully implemented DMARC, BinBank has started doing something, and Tinkoff is simply brilliant. The remaining banks seem to have decided to do nothing.
In fact, the situation is terrible: every system has vulnerabilities, but when the information is brought right under your nose in ready-made form, maybe you could do something about it? At least answer the letter?
And yes, this article in no way encourages fraud or sending fake letters on behalf of banks.
UPD 1: I had not included Bank "Saint-Petersburg" in the list of banks above, although I sent a letter there. Corrected.