Simple analysis of a phising activity. Case: CIMB Niaga’s “CIMB Clicks”

Few days ago, I got an email from a local bank to update a CIMB Niaga internet banking account profile.
The email sender looks convincing, but wait, I don’t have an account at this bank!, why the hell did they sent this to me for ?

So this triggered my curiosity, and so i come up with simple analysis, so here goes….

First take a look at screenie from the email :

Notice the red highlights, the email is a real corporate account, check the website domain here
People will always trust a corporate account right?

Here’s the interesting part, the email told me that i have to update my internet banking account(in which i don’t have) in order to synchronize with their new updated secure system(so they said), and told me to download a file in order to fill out the new account information.
And if I don’t do it for the next 24 hours, my account will be freeze for security reason!
“what the fuck?, what kind of method is this ?”

Getting more curious, so i downloaded the file “CIMB Clicks.mht”

common people usually open the file straight after it finished downloaded without knowing what the file might do to their computer, it might be a virus or whatever…. well that is foolish.
First you need to know the last extension means, .mht file extension is one of HTML document format, stands for MHTML, a programming language to make websites (please search for it on google for detail explanation).
The difference between HTML and MHTML is, MHTML can combine resources inside one .mht file, we can put images, videos, etc in one .mht file, while HTML can’t.

When I open the file with “double click”, the default application that opens the file is internet browser
heres the screenie of the opened file:

Whoa! it looks similar to the real CIMB Clicks website:

The difference is in the URL(Uniform Resource Locator), look at the red highlights….

This hacking method known as phishing, a method that attempt to acquire sensitive information such as username or password by mimicking certain websites(internet banking, facebook, etc), usually the log-in form.
common people usually ignore this…

Then I look at source code behind the .mht file to see what will happen if i submit the form of the .mht file
look at this screenie:

look at the highlights part of the image, so when we submit the login information, the page will be redirected to “”

but thankfully, The file “logininfo.php” is not exist, which is probably inside the “logininfo.php” file lies the script that will store my login information(username & password) to the hacker database.

Therefore i try to extract the file directly from the resource with “wget”, and yes it returns a “404 error” which means the file “logininfo.php” is not exist:

So who or what is responsible for this?

This can be from the person who holds the email account, maybe his/her PC got infected with keylogging virus, a virus that records every keyboard activity then sends it back to the hacker.
Where can you get infected with this kind virus?… Porn sites, betting sites, untrusted gaming sites, untrusted facebook applications, etc

We can also blame the system, crackers and hackers can break into vulnerable security system and holds control of the system, and then sends broadcast email without the system administrator knowing whats going on.

And lastly, here’s a little “whois” info about “Zaiedcool”, just in case one of CIMB niaga guys read this post:

That is all folks, hope this post will be useful to those who reads 🙂



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s