Phishing Malware

4 posts in this topic

Calling all security experts...

Basically, with our bank (HSBC UK), when you access the Internet Banking in Internet Explorer 8, the login page goes through ok, with SSL enabled and the green address bar, until the page that requests the random digits from the security code and my date of birth.

If the security software that our bank recommends (Trusteer Rapport) is enabled, when you submit the page, the next page contains a broken HSBC page and the rapport log shows "IP adress doesn't match HSBC". It appears that Rapport tries to intervene, but fails...


The page URL then turns to hxxp://


This is obviously a phishing attempt, especially when looking at the domain more closely, reveals that the primary name server of is NS1.ZZ8NS.COM, which is registered with DOTNAME KOREA CORP (

if Rapport is disabled and you try to log in (using made-up login details), after entering the digits from the security code and date of birth, the following page is a replica of the HSBC site, but with a phishing message...

It states that the digits you entered weren't recognised and asks you to enter the full security code in the box provided. This page shows the URL as, starting with https:// but there is no padlock or green address bar.


This only occurs on Internet Explorer, not Firefox. With Firefox, when you try to log in (with incorrect details), the final stage of the login just states that the details were incorrect, which is the correct thing that should happen.

I then wanted to see if this affected other banks, so I tried going to another bank (Lloyds TSB - which we are not customers with) and a similar thing happens, the login page asks first for random digits and the SSL shows the green bar to show the site is safe, but when you submit that page, it asks for you memorable place, phone banking security code and date of birth.


I am using Avira Antivirus, Spybot, Malwarebytes Antimalware and I've just installed Windows Defender. They say they have removed everything they found, but this still happens.

I ran HijackThis and I can't see anything untoward. I ran LSPFix as I read that LSPs can intercept traffic. I want to know how can malware do this , while still show a valid URL for the bank and why is it only in Internet Explorer. Don't LSPs affect all browsers?


I am going to format the hard drive and reinstall Windows, but I just want to get to the bottom of how this malware is working.


Edited by Tarun
Nulled link to phishing site

Share this post

Link to post
Share on other sites

"Drive-by" maybe (have had them on MySpace, FaceBook, etc.)...

Get CCleaner and run it (clears browser cache, etc.). Delet TEMP folder contents (sometimes hides there). Problems found and fixed, but leaves "remnants". LSPFix should clear it up.

This is what I had to do (the bad LSP is what's causing redirection).

Try it and then report back. No time right now to look at HJT (sorry, maybe someone else will).


Share this post

Link to post
Share on other sites

Yes, I'd be suspicious of a drive-by or LSP issue, something that would affect IE but not Firefox. That domain is registered to a address, and the registrar's address is the Borough of Manhattan Community College - the zip code on the registration is wrong , and there are no apartments at that address at all either. Whatever it is, it isn't friendly.


Share this post

Link to post
Share on other sites

You should definately report this to your bank as well.


Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.