Basically, with our bank (HSBC UK), when you access the Internet Banking in Internet Explorer 8, the login page goes through ok, with SSL enabled and the green address bar, until the page that requests the random digits from the security code and my date of birth.
If the security software that our bank recommends (Trusteer Rapport) is enabled, when you submit the page, the next page contains a broken HSBC page and the rapport log shows "IP adress 18.104.22.168 doesn't match HSBC". It appears that Rapport tries to intervene, but fails...
The page URL then turns to hxxp://fred6rer.net/1/2/portal/5ee2aa71870dada9032b520ce9728047.php?id=65940D2548A7316FD91C8C91A1E2F4E8&u=aHR0cHM6Ly93d3cuaHNiYy5jby51ay8xLzIvO2pzZXNzaW9uaWQ9MDAwMF9CM0N4S09DNTlPSWpSeldZaGVrUVYyOjE0ZXQ1bTh0Mztqc2Vzc2lvbmlkPTAwMDBfQjNDeEtPQzU5T0lqUnpXWWhla1FWMjoxNGV0NW04dDM/aWR2X2NtZD1pZHYuQ3VzdG9tZXJNaWdyYXRpb24=
This is obviously a phishing attempt, especially when looking at the domain more closely, reveals that the primary name server of fred6rer.net is NS1.ZZ8NS.COM, which is registered with DOTNAME KOREA CORP (http://www.dotname.co.kr)
if Rapport is disabled and you try to log in (using made-up login details), after entering the digits from the security code and date of birth, the following page is a replica of the HSBC site, but with a phishing message...
It states that the digits you entered weren't recognised and asks you to enter the full security code in the box provided. This page shows the URL as hsbc.co.uk, starting with https:// but there is no padlock or green address bar.
This only occurs on Internet Explorer, not Firefox. With Firefox, when you try to log in (with incorrect details), the final stage of the login just states that the details were incorrect, which is the correct thing that should happen.
I then wanted to see if this affected other banks, so I tried going to another bank (Lloyds TSB - which we are not customers with) and a similar thing happens, the login page asks first for random digits and the SSL shows the green bar to show the site is safe, but when you submit that page, it asks for you memorable place, phone banking security code and date of birth.
I am using Avira Antivirus, Spybot, Malwarebytes Antimalware and I've just installed Windows Defender. They say they have removed everything they found, but this still happens.
I ran HijackThis and I can't see anything untoward. I ran LSPFix as I read that LSPs can intercept traffic. I want to know how can malware do this , while still show a valid URL for the bank and why is it only in Internet Explorer. Don't LSPs affect all browsers?
I am going to format the hard drive and reinstall Windows, but I just want to get to the bottom of how this malware is working.
Edited by Tarun, 03 March 2010 - 11:58 AM.
Nulled link to phishing site