NBK Scam Phising - Investigated

MY K, from MY K Blog wrote about a National Bank of Kuwait (NBK) Phishing scam.

The scam works by sending you an email telling you to go to a seemingly valid banking site and update your account number and PIN code. That site would be a fraudulent site and what it does is send to the fraudsters your personal information that you just entered. Later they will log on to your account and try to transfer money out of it.

I did a little investigation and read the source code of the NBK fraudulent site. I found some clues such as the signature niarB, which is Brain in reverse. Searching around I found some more information about this elusive Brain. It turns out that Brain is a group of Morrocan fraudsters calling themselves Mr. Brain. They offer phishing/scam kits on the Internet that allow you to set up a fraudulent site that looks like a popular bank's page. When the poor victim enters his information, that information is sent to the fraudsters who used Mr. Brain's tools. A copy is also sent to the Morrocan Mr. Brain team. More information about this scheme can be found at Trend Micro's Site and also at Netcraft's Site.

In addition to the Mr. Brain's signature found in the source code, there is also a coded string that represents the email address. The string is "245616c647881696e30384067617761622e636f6d". It probably is the email address of the fraudster.

I did not bother to decode it, but if NBK wants to, they can always catch the Mr. Brain team and they can explain everything to them.


  1. thanks 4 this quit good investigation!

  2. I got hit with it in my inbox. I couldn't believe it since it was the second time in a month it had happened to me. The first was with Bank of America.

    Nice work Don Veto and thank you for passing the word on.

  3. Thanks. Nice post.

    Some precautionary measures I guess would be:

    1- Use good email provider with spam filter, like Gmail
    2- Use anti-phishing capable browser like Firefox. Don't use Safari for sensitive information (Sorry Mac fans, it's true!).
    3- Check the SSL certificate of the site, make sure the url of the site is correct, e.g. www.NBK.com

    Now I understand why they keep sending those notifications. Never thought it's happening here.

  4. Bashar: You are welcome, another rule you can add is never click a link in an email. If NBK (or fraudster) sends you an email, type the banks link by hand yourself, if the email is authentic then you will find a large notice with instructions. If it is a scam, then what you got was a fraud. If you are slightly suspicious of any email you get, call the call center to confrim that the email came from them or not.