Attention to new threats on the Internet!

Po wpisaniu kodu strona www chwilowo „zawiesza się” i klient widzi komunikat informujący np. o trwających pracach modernizacyjnych, weryfikacji/aktualizacji danych, itp.:

Malware has appeared on the Internet which can pose a threat to the customers using electronic and mobile banking. As a result of infecting the user’s computer with malware when trying to enter the page www.ipko.pl, the customer is redirected to a fake website of the Bank (the site is not encrypted: there is no close padlock icon in the browser bar, there is no “https” in the website address, there is no valid security certificate) – entering on false site details to log into the service may result in their acquisition by unauthorised persons. Then the client is presented  a fraudulent message informing about the necessity to install special software on a mobile phone, which is supposed to raise the level of security when using electronic banking services. In reality, this is a malicious application which enables criminals to intercept text messages – including text messages with one-time codes used for transaction authorisation.

PKO Bank Polski does not require installing on mobile devices any additional software, especially the one that would be supposed to raise the level of security  of operations or access to the transaction service.

Please do not download or open attachments from unknown sources:

when installing the software or application of unknown origin, you risk infecting the device you are using with malware that can allow cybercriminals to take control of your phone (including of text messages with authorisation codes sent to your phone number).

More about the safety of the phone which you use for the electronic banking.

Smishing is a type of phishing which involves stealing from bank accounts using crafted text messages. Similarly as in the case of phishing, a text message is sent to the user, inducing to take certain actions, allegedly associated with the account security – e.g. the necessity to cancel the transfer which has not been ordered by the customer.

In the text message the user is usually asked to contact at the indicated telephone number or use the link included in the message. The call is often taken by the automatic telephone service. The user is asked to provide confidential data, e.g. personal data, to log and authorise transactions or details of a payment card.

If you receive a suspicious text message – do not use any link nor call to the phone number indicated therein.

Under no circumstances should you disclose confidential data enabling access to your account.

Using the link included in the message may result in infecting the phone with malware.

„Access to your iPKO account has been blocked! Concerned about the safety of our customers , we blocked the account in the iPKO system. The reason is unauthorised access to your account”.

To regain access, please verify the account holder, logging into:

www.ipko.pl”

Link in the message leads to the fake website.

Below is the view of the fake website, crafted by criminals, resembling the website of the transaction service, and in fact serving to steal payment card details, to which a link in a fraudulent e-mail refers customers:

Before logging into the iPKO internet service, make sure that the connection you are using is encrypted:

1. Check whether the web address in the browser window looks as follows:

• new service - https://www.ipko.pl
• previous service - https://www.ipko.pl/stare/stare
• iPKO biznes service  -https://www.ipkobiznes.pl/kbi

1. Check whether within the web browser window there is a closed padlock icon. Depending on the browser, the padlock icon may appear in the address bar or status bar at the bottom of the screen. When the padlock appears, it indicates that the website is protected by the security certificate and the connection is encrypted.
2. Check whether the security certificate is correct.
   Data on the certificate are available in the browser, most frequently in the “File” menu “Properties” option. After you select “Certificates” button, check both “General” and “Certification path”.  You can also find the certificate data by double-clicking on the padlock icon. After you click, you will see details relating to the certificate, which will tell you that it has been issued for the domain https://www.ipko.pl/ or https://www.ipko.pl/stare or https://www.ipkobiznes.pl/kbi.
   You can also learn that PKO Bank Polski purchased the certificate.

Make sure that the service address is the following: https://www.ipko.pl or https://www.ipko.pl/stare or https://www.ipkobiznes.pl/kbi and the logging page looks like in the below pictures:

Text messages suggesting that someone sent to the recipient money are sent on a mass scale to Polish numbers. Following the instructions given in the text message, which means entering to the specified site and downloading the file, will infect the user's phone with malware that extorts data to the internet banking and can lead to theft of funds from a bank account.

Course of attack:

The recipient receives the following text message:

In order to “receive transfer” the recipient is asked to move to the indicated in the text message page (hxxp://pay2mob.pl) and enter PIN included in the message:

This may indicate a personalisation of the attack.

There is also the possibility to move right away to index2.html (which is equivalent to a positive verification), which displays the following page and automatically downloads a PAY2MOB.apk file:

and asks for relevant authorisations:

Then, the application keeps track of text messages, calls and run applications. In case of detection of starting Google Play store or Muzyka play, the user is asked for credit card details.

Extorted data are sent to the following address: hxxp://94.102.53.184:2080/

In addition, in the case of detecting that one of the bank applications is running:

a personalised overlay for this particular application is displayed.

Remember! The Bank does not send this type of text messages, these messages are fraudulent, designed to install on the user’s phone malware tracking their actions and intercept confidential data. Please do not reply to such text messages, do not use the links specified therein, do not install additional software and do not share confidential data: personal data, login and account passwords, one-time codes, mobile phone number, or data relating to the payment card – PIN, CVV2/CVC2, etc.

Recently, a new threat attacking users of electronic banking has been identified. The malware in the form of an add-on to the Firefox web browser replaces account numbers during the execution of the transaction, while ensuring that the user does not notice anything. Remember! Carefully check the account number of the recipient of the transfer against the number sent in the text message with a one-time code to authorise a transaction.

Infection occurs during downloading through file sharing sites or P2P networks, a virus-carrying installer to one of the popular programs – Winamp, Corel PaintShop or PowerIso. These can also be the driver files or a pirate version of the game Minecraft. During these operations the add-on for Firefox is automatically installed, which task is to download and replace the account number when the customer is making a transfer. The add-on does not allow for the fact that on the screen appears a different number than the one defined by the user.

The add-on is not detected by any anti-virus programme. To avoid fraud you should update Firefox to at least 43 version, because all the add-ons that do not have a signature of Mozilla are automatically blocked.  

The full contents of the article is available at: http://www.cert.pl/news/11005/langswitch_lang/pl

Recently a new type of malware has been identified. The aim of the attack are users of mobile phones with Android. The attack starts from infecting the user’s computer. With the known method of modifying the page (JavaScript code), the victim, through the website to log into the bank, allegedly receives a notification with the request to enter the model and  number of the phone. Under the guise of increasing the security of internet banking, the application imitating a well-known anti-malware scanner - Trusteer Rapport is installed on the phone.

The application is supposed to take full control of the user’s phone. During the installation process it asks for access to:

• read/write/send/receive text messages
• read the list of contacts
• block the screen
• make/redirect calls
• read logs of the phone
• read data of SD card and the memory of the phone
• intercept information about currently running applications
• kill running processes.

It is important that the virus has defence mechanism against an attempt to uninstall it. It can be removed through a reset of the phone to factory settings or the appropriate command line after connecting the phone to a computer.

You can find out more at: http://www.cert.pl/news/11166

Following the Council of Electronic Banking of the Polish Bank Association, we warn against intensifying attacks on users of smartphones with Android. Recently, new campaigns of sending text messages aimed at infecting a smartphone with malware have been observed.

A person who receives the text message and clicks the link, in reality installs malware on their phone. When you click a link sent in a text message, the website presenting the software installation instructions is opened, in particular presenting how to change in the phone the option enabling  installation from untrusted sources (in order to induce greater confidence and credibility of software, cybercriminals also present the manufacturer of the smartphone and display the appropriate logo).

The task of the Trojan installed on Android is its activation when the user of the phone uses the mobile banking application and generation of a special window with a request to give the login and password. Malware, in addition to data collection, also has the functionality of:

• reading and sending text messages – including bank authorisation SMS codes,
• phishing credit card numbers by generating special messages asking to enter sensitive information,
• stealing personal data, including photographs of identity documents, as well as photographs of the user with the identity document held near the face.

Probably data may be used for opening different kinds of access to services using a stolen identity.

We warn against downloading and running applications from untrusted sources and taking any action, to which phone users can be induced in the text messages from unknown senders, e.g. clicking links contained in text messages: opening a link leading to dangerous contents may result in infecting the smartphone and the consequent loss of control over it.

You can find out more at: https://zbp.pl/dla-konsumentow/bezpieczny-bank/aktualnosci

Malware for Android called GMBot (also called slempo) is the application used by criminals to steal login data to bank services. Until now, this software used the methods to override the application, overriding concerned only the applications installed on the phone (banking applications, instant messengers, e-mails), while its latest version, apart from overriding the banking application is also trying to steal the access data to the bank from a mobile web browser.

How GMBot works

GMBot is distributed mainly by fake websites serving for watching videos. Most often it pretends to be Adobe Flash Player (the victim must download the updates to be able to watch the video) or the application PornTube. The application monitors active processes. When the victim starts one of the applications included in the configuration file, GMBot connects to the server with the prepared logging windows and override the application with its own window. In the latest version GMBot observes not only banking applications included in the configuration file, but also the history of viewed pages (relates to standard Android browser and Google Chrome). If the last website we visited was the bank’s website, over the browser window the logging form is displayed.

Windows have been prepared in such a way as to look credibly. The top bar, which is designed to confirm to the user that they are on the bank's website is obviously an ordinary picture with the pasted address. After entering the login and password by the user the window automatically disappears and the user comes back to the bank’s website. All data captured in this way by the malicious application are sent to the server.

Functionalities of the application

In addition to core functionality, involving stealing of authorisation data, GMBot also has many additional features:

• redirecting calls and text messages to another number
• stealing credit card details from Google Play
• sending full browser history to the managing server
• sending the list of all applications installed on the phone
• sending all text messages to the managing server
• sending text messages to the victim to encourage them to log into the bank account.

All stolen data are sent with the use of HTTP protocol to the managing server, controlled by criminals.

How not to get infected?

For more than half a year the application has been quite popular mainly in countries such as Turkey, Canada, Germany, Taiwan and Australia, but the increased number of infections of Polish mobile phone users has been observed too. Fortunately, so far apart from basic information about the phone, the attackers have failed to extort access data of Polish users of electronic banking, but criminals are still working on new ways to obtain data of bank customers. Therefore, you should remain vigilant and pay attention to what you install on your smartphone. The best way to avoid infection is not to install on the devices we use applications from untrusted sources. Unfortunately, when we fall prey to the infection, the only way to get rid of malware is a factory reset of the phone or removing the application using the tool to manage the phone from the command line of the computer, ADB (Android Debug Bridge).

You can find out more at:

http://www.cert.pl/news/11267

2016-06-01

We warn that fraudulent e-mails in which hackers impersonate the Bank are being sent and – under the pretext e.g. of the need to unblock blocked access to iPKO account, they are asking you to log into the service and encourage to use a link included in the message, which actually redirects the user to a fake website of the Bank.

Be careful!

We remind that PKO Bank Polski is not the author of these messages, e-mails are sent by the persons impersonating the Bank. Please use caution and limited confidence in relation to the e-mails which contain a request to use the link included therein. We warn that these are always fraudulent e-mails, designed not only to steal from the recipient personal data or card details, but also to install on their computer or on the phone potentially harmful programmes spying and tracking their actions.

Please do not reply to such e-mails, do not use the specified link and do not share personal data, login and account passwords, one-time codes of the authorisation tool, mobile phone number, or data relating to the payment card. These data are known exclusively to the customers.

If you use the link included in the received message and enter any data on the website similar to the iPKO service, please contact by phone a consultant at one of the following numbers:

• 800 302 302 (no fees for domestic numbers in Poland; in other cases – fee according to the operator’s price list), or
• +48 81 535 60 60 (for foreign calls and mobile phone calls; fee according to the operator’s price list)

Remember about the rules of safe use of the account and confidentiality of your data:

• Never share your identifier, passwords and one-time authorisation tools with third parties, do not enter them on unencrypted websites and websites other than the Bank’s website,
• Do not write down your password or PIN. Remember the password or PIN received from the bank on the printout and then throw it away.
• Do not keep passwords or authorisation tools in the places where someone could find them easily.
• Do not use the same password which you use to log into the bank on other websites.
• If you change your password, select such password which is not easy to guess – it should be a combination of letters and digits.
• Check regularly bank statements relating to the transactions made by a debit card, issued to the account as well as by a credit card.
• When using the electronic banking, try using your own computer, and not a computer in the internet café or other public place. We recommend you not to use the electronic banking from publicly available WiFi networks.
• Never leave the computer when you are logged into your bank account.
• Make sure that you correctly log out after finishing operations on your account by option “Log out”.

Remember! If something arises your concern, contact by phone a consultant at one of the following numbers: 800 302 302 (no fees for domestic numbers in Poland; in other cases – fee according to the operator’s price list), or +48 81 535 60 60 (for foreign calls and mobile phones calls; fee according to the operator’s price list).

More about the safety of the use of electronic banking

The Council of Electronic Banking of the Polish Bank Association warns against the new form of attack on users of computers with the Windows system. Detected malware called PACCA introduces changes in the global settings of the proxy server and installs a malicious certificate as the trusted certification authority. In this way cybercriminals may redirect to any page of their server and generate certificate which will be recognised by the browser as trusted.

When you use the internet banking, pay special attention to the SSL certificate with which the given website presents itself. Below you can find the examples which present the differences between the hacker’s certificate and the trusted certificate.

Source: PREBYTES

Instruction how to turn off malicious proxy settings

In order to remove the malicious proxy redirecting, you should perform the following actions:

Source: PREBYTES

1. Start internet browser Internet Explorer.
2. Click Tools, then select position Internet options.
3. In the newly displayed window select Connections tab, and then click LAN network settings.
4. If the Use automatic configuration script option is selected and in the Address  box there is the following address: "http://piterame.com/..." (or similar), move to the next step. In other case withdraw, move to item 7.
5. Clean the Address box, and then switch the Use automatic configuration script option.
6. Confirm the changes with OK.
7. Close the previously opened windows.

Instruction of verification and removal of untrusted certificate

Below we inform what actions should be made to remove the untrusted certificate.

IMPORTANT! When you perform the following steps, be careful not to remove the correct certificate.

Source: PREBYTES

1. Start internet browser Internet Explorer.
2. Click Tools, then select position Internet options.
3. In the newly displayed window select Contents tab, and then click Certificates.
4. Then select the Trusted Root Certification Authorities tab.
5. On the list displayed below check whether there is a position on it which in the second column is described as "GeoTrust Inc CA", and the date of expiry (3rd column) is 2019-01-03.

If you find that you have such Certification Authority installed, please contact your bank.

IMPORTANT! Further steps can be performed exclusively by the person with appropriate qualifications.

6. In the Certificates window select the found certificate as "GeoTrust Inc CA", then click the button Display.
7. In the newly displayed window select the Details tab.
8. On the displayed list select by left mouse button Fingerprint box.
9. Below the value has been displayed. If it is the following: "a9 75 3d c5 15 d3 0d 1d 04 8f 33 76 5b 95 c1 05 eb 58 a4 03“, we move to the next step. Otherwise we withdraw from further actions and close the previously opened windows.
10. Close the window named Certificate and make sure that in the Trusted Root Certification Authorities tab the correct certificate is selected.
11. Click Remove, and then confirm the selection with Yes.
12. You should check whether the certificate issued for "GeoTrust Inc CA" with the fingerprint specified above has already been on the list.
13. We close the previously opened windows.
14. Restart your web browser before another logging into the internet banking.

The full contents of the article

NEW HARMFUL SOFTWARE – PACCA – CHANGING SSL CERTIFICATES

Announcement of 10 June 2016

Dear Sirs and Madams,

The Council of Electronic Banking of the Polish Bank Association warns against the new form of attack on users of computers with the Windows system. Detected malware called PACCA introduces changes in the global settings of the proxy server and installs a malicious certificate as the trusted certification authority. In this way cybercriminals may redirect any website to their server and generate a certificate which will be recognised by the browser as trusted.

When you use the internet banking, pay special attention to the SSL certificate with which the given website presents itself. Below you can find the examples which present the differences between the hacker’s certificate and the trusted certificate.