Phishing scams are nothing new; we all know that. But how often do you check the security of your servers to make sure they can't be compromised and used to host these scams?
Evidently neither FastHosts nor Pipex check very often, as a customer of each has had their website compromised and used for an Abbey National phishing scam (see screenshot), and apparently by way of the same exploit!
The e-mail contains the usual rubbish:
The link in this case leads to an XMLRPC sub-folder on pdss.co.uk and, according to vURL, issues a 302 redirect:
... which in turn leads to:
Notice the sub-folder? Yuppers, XMLRPC again. It's a fairly safe bet that both servers were compromised using the same exploit. The owners of both websites have been notified, as have Abbey National themselves.
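The 302 chain above is the sort of thing you can trace yourself before ever loading the page in a browser, which is essentially what vURL does for you. The following Python is an added example, not code from the original post or from vURL: it follows Location headers one hop at a time, never reads a response body, resolves relative redirects the way a browser would, and stops on a loop or a hop limit. The URLs in it are constructed placeholders, not the real phish URLs, and the fake fetcher exists only so the example runs offline; `http_fetch` is the real-network version.

```python
import urllib.request
import urllib.error
from urllib.parse import urljoin

# Constructed hop table standing in for live servers; none of these hosts is real.
FAKE_HOPS = {
    "http://compromised-a.example/xmlrpc/abbey/": (302, "http://compromised-b.example/xmlrpc/abbey/login.php"),
    "http://compromised-b.example/xmlrpc/abbey/login.php": (200, None),
    "http://loop.example/a": (302, "/b"),       # relative Location, bounces to /a
    "http://loop.example/b": (302, "/a"),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP HEAD: returns (status, Location) from FAKE_HOPS."""
    return FAKE_HOPS.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None tells urllib not to follow the redirect, so every hop is ours to inspect.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Real fetcher: a single HEAD request, redirects not followed, body never read."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "redirect-tracer"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx responses (like 4xx/5xx) surface as HTTPError.
        return err.code, err.headers.get("Location")


def trace_redirects(url, fetch=http_fetch, max_hops=10):
    """Return the chain as a list of (url, status).

    The last entry is the landing page, or a marker ("loop" / "max_hops")
    telling you why tracing stopped instead of where it landed.
    """
    hops = []
    seen = set()
    current = url
    while len(hops) < max_hops:
        if current in seen:
            hops.append((current, "loop"))
            break
        seen.add(current)
        status, location = fetch(current)
        hops.append((current, status))
        if not (300 <= status < 400) or not location:
            break
        # Location may be relative; resolve it against the current URL as a browser would.
        current = urljoin(current, location)
    else:
        hops.append((current, "max_hops"))
    return hops


if __name__ == "__main__":
    for hop_url, status in trace_redirects("http://compromised-a.example/xmlrpc/abbey/", fetch=fake_fetch):
        print(status, hop_url)
```

Against a live phish, pass the first URL from the e-mail and leave `fetch` at its default; the chain it prints is what you want to hand to the hosting companies, since the landing host is often not the one in the e-mail.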
I did forward this to PhishTank, as I do with all phishing scams I receive, but for some reason they cut off most of the URL, leaving it invalid:
So what of the phish itself? Well, if you enter your details on the first page, you are taken to:
Obviously, however, our phisher didn't test his scam first, as entering your details here is supposed to lead to loginfinish.php:
Which, err, leads to a 403... whoops!
In this case, the problem could be solved by updating to the latest XMLRPC release:
Hopefully this isn't the same vulnerability found in 2005, or FastHosts and Pipex have a lot to answer for!
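Updating the library is the fix; finding out whether you have already been hit is the other half. Both of the compromised sites were serving the phish from under their XMLRPC folder, so one quick check is to ask your web server logs what has actually been requested under that directory, since nothing but the endpoint script should ever be. The Python below is an added example, not part of the original post: it parses combined-format access log lines, separates POSTs to the endpoint from requests for any other file under the folder, and records when each such file was first requested and by whom. The directory name, the endpoint file names and the log lines are all constructed assumptions for the example; adjust the first two to your install.

```python
import re
from collections import Counter
from datetime import datetime

# Assumptions for this example: the library lives under /xmlrpc/ and these are the
# only scripts in that directory that should ever be requested directly.
XMLRPC_DIR = "xmlrpc"
ENDPOINTS = {"xmlrpc.php", "server.php"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log; the IPs, timestamps and paths are invented for this example.
SAMPLE_LOG = """\
203.0.113.9 - - [09/Oct/2008:02:14:07 +0100] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 200 311 "-" "Mozilla/4.0"
203.0.113.9 - - [09/Oct/2008:02:14:09 +0100] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 200 298 "-" "Mozilla/4.0"
203.0.113.9 - - [09/Oct/2008:02:14:31 +0100] "GET /xmlrpc/abbey/index.php HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
198.51.100.4 - - [09/Oct/2008:08:02:11 +0100] "GET /xmlrpc/abbey/index.php?id=7 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Oct/2008:08:02:40 +0100] "POST /xmlrpc/abbey/loginfinish.php HTTP/1.1" 403 214 "-" "Mozilla/5.0"
192.0.2.77 - - [09/Oct/2008:08:05:00 +0100] "GET /index.html HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
192.0.2.77 - - [09/Oct/2008:08:05:02 +0100] "GET /xmlrpc/ HTTP/1.1" 403 214 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def audit_xmlrpc(log_text):
    """Split requests under the xmlrpc directory into endpoint traffic and everything else.

    'Everything else' is content the library never shipped, i.e. the hosted phish.
    """
    endpoint_posts = Counter()   # ip -> number of POSTs to the endpoint itself
    served_files = set()         # non-library paths that were actually served (2xx)
    first_seen = {}              # path -> (time, ip) of the earliest request for it
    suspect_requests = []        # every request for a non-library file, any status
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        segs = [s for s in path.split("/") if s]
        if not segs or segs[0].lower() != XMLRPC_DIR:
            continue
        if len(segs) == 1:
            continue             # request for the directory itself
        if len(segs) == 2 and segs[1].lower() in ENDPOINTS:
            if rec["method"] == "POST":
                endpoint_posts[rec["ip"]] += 1
            continue
        suspect_requests.append(rec)
        if 200 <= rec["status"] < 300:
            served_files.add(path)
        if path not in first_seen or rec["time"] < first_seen[path][0]:
            first_seen[path] = (rec["time"], rec["ip"])
    return {
        "endpoint_posts": endpoint_posts,
        "served_files": served_files,
        "first_seen": first_seen,
        "suspect_requests": suspect_requests,
    }


if __name__ == "__main__":
    result = audit_xmlrpc(SAMPLE_LOG)
    for path, (when, ip) in sorted(result["first_seen"].items(), key=lambda kv: kv[1][0]):
        print(f"{when:%Y-%m-%d %H:%M:%S} {ip} first requested {path}")
    print("endpoint POSTs by IP:", dict(result["endpoint_posts"]))
```

In the constructed sample the address that POSTed to the endpoint is the same one that made the first request for the hosted page minutes later, which is the pivot you want when working out when the box was compromised. A log only shows what has been requested, though, so pair this with a look at the directory itself for files the library did not ship.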
/edit: 10-10-08 12:46
I'm pleased to announce the semplice.co.uk site has been cleaned and is no longer hosting the phish :o)
/edit: 13-10-08 20:11
I'm happy to announce that I've just received a call from "Raj" at pdss.co.uk concerning this, and whilst it took a while (my laptop crashed during the call and I couldn't remember most of the details, as my mind has been on other things), pdss.co.uk should also be cleaned up pretty soon.
Probably not surprisingly, I got the impression he thought I was after something by reporting this to them (I say not surprisingly because we're all well aware of those "researchers" who find exploits and require payment for reporting them to the affected site/vendor).
More embarrassing, however, is that I've had to correct the article's title and content somewhat, as the phish was directed toward Abbey National customers, not HSBC customers. Apologies for the confusion (my fault for investigating multiple phishing scams at the same time).
/edit: 14-10-08 16:44
I'm happy to report, pdss.co.uk has now been cleaned up.