Jump to content

Welcome to MSFN Forum
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message will be removed once you have signed in.
Login to Account Create an Account


Phishing Malware

- - - - -

  • Please log in to reply
3 replies to this topic




  • Member
  • Pip
  • 95 posts
  • Joined 05-November 03
Calling all security experts...

Basically, with our bank (HSBC UK), when you access the Internet Banking in Internet Explorer 8, the login page goes through ok, with SSL enabled and the green address bar, until the page that requests the random digits from the security code and my date of birth.

If the security software that our bank recommends (Trusteer Rapport) is enabled, when you submit the page, the next page contains a broken HSBC page and the rapport log shows "IP adress doesn't match HSBC". It appears that Rapport tries to intervene, but fails...

Posted Image

The page URL then turns to hxxp://fred6rer.net/1/2/portal/5ee2aa71870dada9032b520ce9728047.php?id=65940D2548A7316FD91C8C91A1E2F4E8&u=aHR0cHM6Ly93d3cuaHNiYy5jby51ay8xLzIvO2pzZXNzaW9uaWQ9MDAwMF9CM0N4S09DNTlPSWpSeldZaGVrUVYyOjE0ZXQ1bTh0Mztqc2Vzc2lvbmlkPTAwMDBfQjNDeEtPQzU5T0lqUnpXWWhla1FWMjoxNGV0NW04dDM/aWR2X2NtZD1pZHYuQ3VzdG9tZXJNaWdyYXRpb24=

Posted Image

This is obviously a phishing attempt, especially when looking at the domain more closely, reveals that the primary name server of fred6rer.net is NS1.ZZ8NS.COM, which is registered with DOTNAME KOREA CORP (http://www.dotname.co.kr)


if Rapport is disabled and you try to log in (using made-up login details), after entering the digits from the security code and date of birth, the following page is a replica of the HSBC site, but with a phishing message...

It states that the digits you entered weren't recognised and asks you to enter the full security code in the box provided. This page shows the URL as hsbc.co.uk, starting with https:// but there is no padlock or green address bar.

Posted Image

This only occurs on Internet Explorer, not Firefox. With Firefox, when you try to log in (with incorrect details), the final stage of the login just states that the details were incorrect, which is the correct thing that should happen.

I then wanted to see if this affected other banks, so I tried going to another bank (Lloyds TSB - which we are not customers with) and a similar thing happens, the login page asks first for random digits and the SSL shows the green bar to show the site is safe, but when you submit that page, it asks for you memorable place, phone banking security code and date of birth.

Posted Image

I am using Avira Antivirus, Spybot, Malwarebytes Antimalware and I've just installed Windows Defender. They say they have removed everything they found, but this still happens.

I ran HijackThis and I can't see anything untoward. I ran LSPFix as I read that LSPs can intercept traffic. I want to know how can malware do this , while still show a valid URL for the bank and why is it only in Internet Explorer. Don't LSPs affect all browsers?

Posted Image

I am going to format the hard drive and reinstall Windows, but I just want to get to the bottom of how this malware is working.

Attached Files

Edited by Tarun, 03 March 2010 - 11:58 AM.
Nulled link to phishing site

How to remove advertisement from MSFN




  • Patrons
  • 4,558 posts
  • Joined 14-September 05
  • OS:none specified
  • Country: Country Flag
"Drive-by" maybe (have had them on MySpace, FaceBook, etc.)...

Get CCleaner and run it (clears browser cache, etc.). Delet TEMP folder contents (sometimes hides there). Problems found and fixed, but leaves "remnants". LSPFix should clear it up.

This is what I had to do (the bad LSP is what's causing redirection).

Try it and then report back. No time right now to look at HJT (sorry, maybe someone else will).

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!

Posted Image



    Gustatus similis pullus

  • Supervisor
  • 11,028 posts
  • Joined 09-September 01
  • OS:Windows 8.1 x64
  • Country: Country Flag


Yes, I'd be suspicious of a drive-by or LSP issue, something that would affect IE but not Firefox. That domain is registered to a googlemail.com address, and the registrar's address is the Borough of Manhattan Community College - the zip code on the registration is wrong , and there are no apartments at that address at all either. Whatever it is, it isn't friendly.
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8
Please read the rules before posting!
Please consider donating to MSFN to keep it up and running!



    K-Mart-ian Legend

  • Super Moderator
  • 10,008 posts
  • Joined 28-April 06
  • OS:Windows 7 x86
  • Country: Country Flag


You should definately report this to your bank as well.

MSFN RULES | GimageX HTA for PE 3-5 | lol probloms

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users