Blog for hpHosts, and whatever else I feel like writing about ....

Friday 10 October 2008

Abbey National Phish - or why you should check your servers security!

Phishing scams are nothing new, we all know that. But how often do you check the security of your servers to ensure they can't be compromised to actually host these scams?

Obviously neither FastHosts nor Pipex check very often as one of each of their customers, have had their website compromised and used for an Abbey National phishing scam (see screenshot) - using the same exploit!.

The e-mail contains the usual rubbish;

Abbey Bank<http://www.abbey.com/CsAppsExp/Abbey/Internet/Abbey/img/home_top_1.gif>

Dear Valued Customer,

Abbey Bank has been receiving complaints from our customers for unauthorized use of the Abbey Online Banking accounts. As a result we are making an extra security check on all of our Customers account in order to protect their information from theft and fraud.

Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts.

Follow this link to confirm your details <http://www.pdss.co.uk/xmlrpc/includes/servlet/myonlineaccounts2.abbeynational.co.uk/process_login/?CLIENT_SESSION_ID=48f79036251a6e801a60a623b4d0e35648f79036251a6e801a60a623b4d0e35648f79036251a6e801a60a623b4d0e356>

However, Failure to do so may result in temporary account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Bank Management
Abbey Bank
Code #231623483


The link in this case, leads to an XMLRPC sub-folder on pdss.co.uk, and according to vURL, uses a 302 redirect;

http://vurl.mysteryfcm.co.uk/?url=133690

... to then lead to;

http://www.semplice.co.uk/xmlrpc/includes/servlet/myonlineaccounts2.abbeynational.co.uk/process_login/?CLIENT_SESSION_ID=48f79036251a6e801a60a623b4d0e35648f79036251a6e801a60a623b4d0e35648f79036251a6e801a60a623b4d0e356

Notice the sub-folder? Yuppers, XMLRPC again. Pretty much a given that both servers were compromised using the same exploit. The companies of both websites have been notified, as have Abbey National themselves.

I did forward this to PhishTank, as I do with all phishing scams I receive, but for some reason, they cut off most of the URL, leaving it invalid;

http://www.phishtank.com/phish_detail.php?phish_id=523909&frame=site

So what of the phish itself? Well, if you enter your details on the first page, you are taken to;

http://www.semplice.co.uk/xmlrpc/includes/servlet/myonlineaccounts2.abbeynational.co.uk/process_login/AmendContactDetails.php


Obviously however, our phisher didn't check his scam first, as entering your details here, is supposed to lead to loginfinish.php;


Which err, leads to a 403 ......... woops!

In this case, the problem could be solved by updating to the latest XMLRPC;

http://sourceforge.net/project/showfiles.php?group_id=34455&package_id=26601

Hopefully this isn't the same one found in 2005 or FastHosts and Pipex have alot to answer for!

/edit: 10-10-08 12:46

I'm pleased to announce the semplice.co.uk site has been cleaned and is no longer hosting the phish :o)

/edit: 13-10-08 20:11

I'm happy to announce, I've just received a call from "Raj" at pdss.co.uk concerning this, and whilst it took a while (my laptop crashed during the call and I couldn't remember most of the details as my mind has been on other things), pdss.co.uk should also be cleaned up pretty soon.

Probably not surprising, I got the impression he thought I was after something by reporting this to them (I say not surprising because we're all well aware of those "researchers" that find exploits and require payment for reporting them to the affected site/vendor).

More embarrasing however, is that I've had to correct the articles title and content somewhat as the phish was directed toward Abbey National customers, not HSBC customers - apologies for the confusion (my fault for investigating multiple phishing scams at the same time).

/edit 14-10-08 16:44

I'm happy to report, pdss.co.uk has now been cleaned up.

No comments: