
Dangerous trade

A new service means new features, including for attackers, who are quick to track every innovation.

Here is an example. On May 6, Sberbank launched the Secure Deal service, designed to guarantee payment for a transaction to its participants and to protect their rights. SafeCrow, a company specializing in such services, acted as the bank's technical partner.

A corresponding page was created on the bank's website, while the service's personal account is located on a separate domain, sb-sdelka.ru.
Exactly one week later, on May 13, the resource sberbank-service.online appeared online, mimicking the aforementioned service. Let's compare them.

This is the service page on the Sberbank website.

image

And this is the attackers' site.

image

The key element of both pages is the "Create Deal" button. On the bank's website this button takes us to a personal account, where we are asked to log in with a phone number and a code from an SMS.

image

The malicious resource, without any explanation, simply asks us to enter a password.

image

So it is worth taking a closer look at this site.

While the original domain used by Sberbank was registered by SafeCrow through RU-CENTER, the registrar of the domain name SBERBANK-SERVICE.ONLINE is the American company Network Solutions. At the same time, the country field in Whois indicates Russia, and the region field reads RU-NVS, which apparently means Novosibirsk. The contact e-mail address attached to the domain is sb.service.help@gmail.com.
The site is hosted on the Wix.com platform, and not merely hosted there, because Wix is first and foremost an online site builder. Looking at the page source, we immediately see: meta name="generator" content="Wix.com Website Builder". It seems the attackers did not bother much and quickly assembled the phishing site right in the online builder.

This, by the way, distinguishes it from other similar resources. Over the past few months, most of the sites intended to deceive Sberbank's customers have either been written in plain HTML with interspersed JavaScript or have used some kind of self-written engine. Here even the images are hosted on static.wixstatic.com/media.

The site has a valid SSL certificate, so Google Chrome helpfully reports that the connection is secure, as if the resource could be trusted with one's most secret data.

image

Analysis of the page code yields little: it is mostly boilerplate and JavaScript inherited from Wix. The site has a google-site-verification tag and a Google Analytics script, which is no longer a rarity even for phishing resources. Everyone wants to study their target audience.

The header area of the site and the footer are copied more or less accurately from the bank's site; however, the phishing resource has lost the ability to scale properly and has lost the original fonts. The top menu has also changed. Some of its links lead to the Sberbank website, but the number and names of the buttons differ from the original, and the "Home", "License" and "Deal" buttons point to elements of the phishing resource. The "License" section contains a table with Sberbank details and a link to a PDF with a scan of the Central Bank's general license, which is hosted on docs.wixstatic.com. The picture on the main page is taken from iStock.
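The indicators the post collects by hand (the site-builder generator tag, media hosted on wixstatic.com, verification and analytics tags, a password-only form, and a domain that borrows the brand name without belonging to the brand) can be gathered automatically from a page's HTML. The script below is an added example and is not code from the original post or from Sberbank or SafeCrow; the list of legitimate brand domains, the analytics URL patterns and the sample HTML are constructed assumptions for illustration.

```python
"""Triage of a suspected phishing page from its HTML and host name.

Added example (not from the original post). Reproduces the checks the post
performs by hand. LEGITIMATE_DOMAINS, BRAND_KEYWORDS and SAMPLE_HTML are
constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand's own domains (the post names sberbank.ru and the
# Secure Deal cabinet on sb-sdelka.ru).
LEGITIMATE_DOMAINS = {"sberbank.ru", "sb-sdelka.ru"}
BRAND_KEYWORDS = ("sberbank", "sber")


class _PageIndicators(HTMLParser):
    """Collects the tags and attributes relevant to the triage."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.generator = None
        self.site_verification = False
        self.external_hosts = set()   # hosts of resources and links off-site
        self.script_srcs = []
        self.in_form = False
        self.forms = []               # one list of input types per <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta":
            name = (a.get("name") or "").lower()
            if name == "generator":
                self.generator = a.get("content")
            elif name == "google-site-verification":
                self.site_verification = True
        elif tag in ("img", "script", "link", "iframe", "a"):
            src = a.get("src") or a.get("href")
            if src:
                host = urlparse(src).netloc.lower()
                if host and host != self.page_host:
                    self.external_hosts.add(host)
                if tag == "script":
                    self.script_srcs.append(src)
        elif tag == "form":
            self.in_form = True
            self.forms.append([])
        elif tag == "input" and self.in_form:
            self.forms[-1].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def _registrable_domain(host):
    """Crude: last two labels, enough for the .ru / .online cases here."""
    return ".".join(host.split(".")[-2:])


def triage(page_host, html):
    """Return a dict of indicators for a page served from page_host."""
    page_host = page_host.lower()
    p = _PageIndicators(page_host)
    p.feed(html)

    # Domain borrows the brand name but is not one of the brand's own domains.
    lookalike = (any(k in page_host for k in BRAND_KEYWORDS)
                 and _registrable_domain(page_host) not in LEGITIMATE_DOMAINS)
    # A password field with no username / phone / e-mail field beside it.
    password_only_form = any(
        "password" in inputs
        and not any(t in ("text", "tel", "email") for t in inputs)
        for inputs in p.forms)
    # Assumption: common Google Analytics / gtag loader URLs.
    analytics = any(re.search(r"googletagmanager\.com/gtag|google-analytics\.com", s)
                    for s in p.script_srcs)
    return {
        "lookalike_domain": lookalike,
        "generator": p.generator,
        "site_builder": bool(p.generator and "wix" in p.generator.lower()),
        "external_hosts": sorted(p.external_hosts),
        "google_site_verification": p.site_verification,
        "google_analytics": analytics,
        "password_only_form": password_only_form,
    }


# Constructed sample resembling the page described in the post.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="Wix.com Website Builder">
<meta name="google-site-verification" content="constructed-token">
<script src="https://www.googletagmanager.com/gtag/js?id=UA-0000000-0"></script>
</head><body>
<img src="https://static.wixstatic.com/media/constructed.jpg">
<a href="https://docs.wixstatic.com/ugd/constructed.pdf">License</a>
<form action="/deal"><input type="password" name="pwd"><button>Create Deal</button></form>
</body></html>"""

if __name__ == "__main__":
    for key, value in triage("sberbank-service.online", SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Each indicator on its own is weak (plenty of legitimate small businesses run on Wix with Google Analytics), but a brand-keyword domain outside the brand's own domains combined with a password-only form and a site-builder generator tag is exactly the profile the post describes, and is a reasonable trigger for a takedown request.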

Let's sum up


In its current form, the site can be used as one element of a criminal scheme. The password entry form, together with the absence of any login or registration, suggests that a victim arriving at the site will already hold a ready-made password handed over by the attackers; in other words, the scheme clearly relies on social engineering.

Although it is not yet possible to examine all the details of the fraudulent scheme, the site already poses a threat, because it is clearly intended to mislead the bank's customers.

We informed PJSC "Sberbank" and the company "SafeCrow" about the identified threat and hope that the phishing resource will cease to exist before the first victims appear.

Source: https://habr.com/ru/post/452038/


All Articles