
Dangerous deal
A new service is a new opportunity, including for attackers, who are very quick to track the latest business developments.
For example, on May 6, Sberbank launched the Safe Transaction service, designed to guarantee payment for a transaction by its participants and to protect their rights. SafeCrow, a company specializing in the provision of such services, acted as the bank's technical partner.
A corresponding page was created on the bank's website; the service's personal account is located on a separate domain, sb-sdelka.ru.
Exactly a week later, on May 13, the resource sberbank-service.online appeared online, mimicking the aforementioned service. Let's compare them.
This is what the service page on the Sberbank website looks like.

And this is how it looks on the attackers' site.

A key element of both pages is the Create Trade button. On the bank's website this button leads to the personal account, where we are offered to log in using a phone number and a code from SMS.

The malicious resource, without any explanation, simply asks for a password.

Let's take a closer look at the fraudulent site.
While the original domain used by the Sberbank service was registered by SafeCrow through RU-CENTER, the registrar of the SBERBANK-SERVICE.ONLINE domain name is the US company Network Solutions. At the same time, the country identifier in Whois indicates Russia, and the region field shows RU-NVS, which apparently means Novosibirsk. The email address associated with the domain is sb.service.help@gmail.com.
The site is hosted on the Wix.com platform. And not only hosted, because Wix is primarily an online site builder. We look at the page code and immediately see: <meta name="generator" content="Wix.com Website Builder">. It seems that the attackers did not bother and quickly put together a phishing site directly in the online builder.
This, by the way, distinguishes it from other similar resources. Over the past few months, most of the sites designed to deceive Sberbank customers have either been made in pure HTML with a splash of JavaScript or used some kind of home-made engine. Here even the pictures are hosted on static.wixstatic.com/media.
The site has a valid SSL certificate, so Google Chrome helpfully informs us that the resource can be trusted with our most intimate secrets.

Analysis of the page code yields nothing special: mostly junk and JavaScript inherited from Wix. The site has a google-site-verification tag and a Google Analytics script, which, however, has long been common even for phishing resources, since everyone wants to study their target audience.
The upper area of the site and the footer are copied more or less accurately from the bank's site; however, the phishing resource no longer scales properly and has lost the original fonts. The top menu has been changed. Some links in it lead to the Sberbank website, but the number and names of the buttons differ from the original, and the "Home", "License" and "Deal" buttons point to elements of the phishing resource. The "License" section contains a table with Sberbank's details and a link to a PDF file with a scan of the Central Bank's general license, hosted at docs.wixstatic.com. The picture on the main page was taken from the iStock photo stock.
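The checks walked through above (builder fingerprint, verification tag, asset hosts, where the menu links lead, and what the login form asks for) can be collected in one pass when triaging a suspected look-alike page. This is an added example, not code from the original article; the sample HTML is constructed, and sberbank.ru as the bank's own domain and all function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. From the article: the generator string and the wixstatic
# host. sberbank.ru as the bank's domain and all other values are assumptions.
SAMPLE_HTML = """
<meta name="generator" content="Wix.com Website Builder">
<meta name="google-site-verification" content="PLACEHOLDER">
<a href="https://www.sberbank.ru/">Bank</a>
<a href="/deal">Deal</a>
<img src="https://static.wixstatic.com/media/placeholder.jpg">
<form><input type="password" name="pw"></form>
"""

class PageFacts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.meta, self.links, self.hosts, self.inputs = {}, [], set(), []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and "name" in a:
            self.meta[a["name"].lower()] = a.get("content", "")
        elif tag == "a" and "href" in a:
            self.links.append(a["href"])
        elif tag in ("img", "script", "link"):
            host = urlparse(a.get("src") or a.get("href") or "").hostname
            if host:
                self.hosts.add(host)
        elif tag == "input":
            self.inputs.append(a.get("type", "text").lower())

def under(host, domains):
    # True if host equals, or is a subdomain of, one of the given domains.
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(html, page_host, brand_domains):
    p = PageFacts()
    p.feed(html)
    # A relative link has no hostname and therefore stays on the page's host.
    to_brand = [h for h in p.links
                if under(urlparse(h).hostname or page_host, brand_domains)]
    return {
        "generator": p.meta.get("generator"),
        "site_verification": "google-site-verification" in p.meta,
        "asset_hosts": sorted(p.hosts),
        "links_to_brand": to_brand,
        "links_off_brand": [h for h in p.links if h not in to_brand],
        # The only credential field is a password: no login, phone or SMS code.
        "password_only_form": set(p.inputs) - {"submit", "hidden"} == {"password"},
        "page_on_brand_domain": under(page_host, brand_domains),
    }
```

Calling triage(SAMPLE_HTML, "sberbank-service.online", ("sberbank.ru", "sb-sdelka.ru")) returns the indicators as a dictionary that can be logged or compared against the legitimate page.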
To summarize
In its current form, the site can be used as one element of a criminal scheme. The password entry form and the absence of a login field and registration suggest that a victim who visits the site will already have a ready password supplied by the attackers; in other words, this clearly cannot work without social engineering.
Although it is not yet possible to study all the details of the fraudulent scheme, the site may already pose a threat, because it is clearly intended to mislead the bank's customers.
We informed Sberbank PJSC and SafeCrow about the identified threat, and we hope that the phishing resource will cease to exist before the first victims appear.