
SANS ISC: Phishing: Saudi style SANS ISC InfoSec Forums

Phishing: Saudi style
On a very slow day, the majority of the messages that reached us were about phishing. They consisted of the usual phishing for eBay, Amazon, ... accounts, but one stood out as somewhat unusual:

Suliman brought to our attention a phishing attempt written in Arabic, aimed at a bank out there and diverting the clicks to http://www_sambaonlineaccess_com/ instead of the bank's normal address. According to the submitter (I can't read Arabic), it was linked to an online registration for a large IPO of a chemical company.

Aside from the IPO connection, it was also noteworthy because of the language used (Arabic) and the location of the server to which the clicks were directed: Israel. I cannot help but note that at the very least this is quite provocative.

The website supposedly collecting the information wasn't responding at the time I tried to look at it, which might be a good sign after all.

The lesson for end users remains the same: never follow links you get in email. If possible, turn off the rendering of HTML for email; it's a serious risk from a security perspective.

The warning for those of us fighting abuse is also clear:
  • Some attacks might aim at very short-lived events.
  • You won't be able to understand it all, so you will have to make sure you have processes in place that can deal with abuse complaints written in a language you can't understand yourself.

Swa Frantzen

Dec 26th 2005
