paul3vanz

Phishing Malware

4 posts in this topic

Calling all security experts...

Basically, with our bank (HSBC UK), when you access the Internet Banking in Internet Explorer 8, the login page goes through ok, with SSL enabled and the green address bar, until the page that requests the random digits from the security code and my date of birth.

If the security software that our bank recommends (Trusteer Rapport) is enabled, when you submit the page, the next page contains a broken HSBC page and the rapport log shows "IP adress 116.125.172.233 doesn't match HSBC". It appears that Rapport tries to intervene, but fails...

fred6rer-lookup.png

The page URL then turns to hxxp://fred6rer.net/1/2/portal/5ee2aa71870dada9032b520ce9728047.php?id=65940D2548A7316FD91C8C91A1E2F4E8&u=aHR0cHM6Ly93d3cuaHNiYy5jby51ay8xLzIvO2pzZXNzaW9uaWQ9MDAwMF9CM0N4S09DNTlPSWpSeldZaGVrUVYyOjE0ZXQ1bTh0Mztqc2Vzc2lvbmlkPTAwMDBfQjNDeEtPQzU5T0lqUnpXWWhla1FWMjoxNGV0NW04dDM/aWR2X2NtZD1pZHYuQ3VzdG9tZXJNaWdyYXRpb24=

fred6rer.png

This is obviously a phishing attempt, especially since looking at the domain more closely reveals that the primary name server of fred6rer.net is NS1.ZZ8NS.COM, which is registered with DOTNAME KOREA CORP (http://www.dotname.co.kr).

http://reports.internic.net/cgi/whois?whois_nic=fred6rer.net&type=domain

http://reports.internic.net/cgi/whois?whois_nic=ZZ8NS.COM&type=domain

If Rapport is disabled and you try to log in (using made-up login details), after entering the digits from the security code and date of birth, the following page is a replica of the HSBC site, but with a phishing message...

It states that the digits you entered weren't recognised and asks you to enter the full security code in the box provided. This page shows the URL as hsbc.co.uk, starting with https:// but there is no padlock or green address bar.

phshing-hsbc-rapport-disabled.png

This only occurs on Internet Explorer, not Firefox. With Firefox, when you try to log in (with incorrect details), the final stage of the login just states that the details were incorrect, which is the correct thing that should happen.

I then wanted to see if this affected other banks, so I tried going to another bank (Lloyds TSB, which we are not customers with) and a similar thing happens: the login page asks first for random digits and the SSL shows the green bar to show the site is safe, but when you submit that page, it asks for your memorable place, phone banking security code and date of birth.

lloyds-phishing.png

I am using Avira Antivirus, Spybot, Malwarebytes Antimalware and I've just installed Windows Defender. They say they have removed everything they found, but this still happens.

I ran HijackThis and I can't see anything untoward. I ran LSPFix as I read that LSPs can intercept traffic. I want to know how malware can do this while still showing a valid URL for the bank, and why it only happens in Internet Explorer. Don't LSPs affect all browsers?

lsp-fix.png

I am going to format the hard drive and reinstall Windows, but I just want to get to the bottom of how this malware is working.

hijackthis.log.txt

Edited by Tarun
Nulled link to phishing site
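The redirect URL quoted in the post carries a long `u` parameter that is base64 for the legitimate HSBC URL, session id included. The helper below is an added triage example, not code from the post or from any vendor: it takes the quoted URL (kept defanged as hxxp), extracts the landing host, decodes any query parameter that turns out to be a base64-encoded URL, and flags the host mismatch that Rapport logged.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed copy of the redirect URL quoted in the post (kept defanged
# as hxxp; urlsplit still parses the host). It is the only input here.
REDIRECT_URL = (
    "hxxp://fred6rer.net/1/2/portal/5ee2aa71870dada9032b520ce9728047.php"
    "?id=65940D2548A7316FD91C8C91A1E2F4E8"
    "&u=aHR0cHM6Ly93d3cuaHNiYy5jby51ay8xLzIvO2pzZXNzaW9uaWQ9MDAwMF9CM0N4S09D"
    "NTlPSWpSeldZaGVrUVYyOjE0ZXQ1bTh0Mztqc2Vzc2lvbmlkPTAwMDBfQjNDeEtPQzU5T0lq"
    "UnpXWWhla1FWMjoxNGV0NW04dDM/aWR2X2NtZD1pZHYuQ3VzdG9tZXJNaWdyYXRpb24="
)


def decode_if_b64_url(value):
    """Return the decoded text if `value` is base64 for an http(s) URL, else None."""
    try:
        padded = value + "=" * (-len(value) % 4)      # tolerate stripped padding
        raw = base64.b64decode(padded, validate=True)  # reject non-alphabet chars
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    return text if text.startswith(("http://", "https://")) else None


def triage_redirect(url, expected_host):
    """Summarise a suspicious redirect: where it lands, which legitimate URL
    it carries along, and whether the landing host matches the bank's."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    finding = {
        "landing_host": host,
        # True when the landing host is neither the bank host nor a subdomain of it.
        "host_mismatch": not (host == expected_host
                              or host.endswith("." + expected_host)),
        "embedded_urls": {},
    }
    # Split the query by hand: parse_qs would turn '+' into a space and
    # percent-decode, both of which corrupt base64 payloads.
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        decoded = decode_if_b64_url(value)
        if decoded:
            finding["embedded_urls"][name] = {
                "url": decoded,
                "host": urlsplit(decoded).hostname,
            }
    return finding


if __name__ == "__main__":
    print(triage_redirect(REDIRECT_URL, "www.hsbc.co.uk"))
```

The decoded `u` value is the HSBC login URL the victim had reached, which is a useful detail to include when reporting the domain to the bank.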

"Drive-by" maybe (have had them on MySpace, FaceBook, etc.)...

Get CCleaner and run it (clears browser cache, etc.). Delete TEMP folder contents (sometimes it hides there). Problems get found and fixed, but leave "remnants". LSPFix should clear it up.

This is what I had to do (the bad LSP is what's causing redirection).

Try it and then report back. No time right now to look at HJT (sorry, maybe someone else will).


Yes, I'd be suspicious of a drive-by or LSP issue, something that would affect IE but not Firefox. That domain is registered to a googlemail.com address, and the registrar's address is the Borough of Manhattan Community College; the zip code on the registration is wrong, and there are no apartments at that address at all either. Whatever it is, it isn't friendly.


You should definitely report this to your bank as well.
