I received an interesting Abbey National phish yesterday, that decided, instead of simply pointing me to a URL, they'd try a better method of evading suspicion and phish/spam etc filters.
The e-mail arrived from 18.104.22.168, with a PDF (shown left) attached (Dear Abbey Internet Bankiewng Holder.pdf), and the following bit of text;
Note, the original e-mail was in HTML format, with a reference to;
Which is simply the Santander Group (who own Abbey National), Abbey National logo. A screenshot of the HTML version is below.
Incase the PDF contained an exploit or such, I thought I'd analyze it before actually opening it, obviously, so got out PDFTK and uncompressed it (had to grab the latest version first as my copy of PDFTK was out of date, but I digress). Loading the uncompressed PDF in my editor, showed several interesting references to the scammers PC, such as;
Along with the following;
But the one I was looking for, was the target that the victim would be directed to, which in this case is;
Once you've entered your credentials, you're taken via Gooodshot.php directly to the real Abbey National site at;
Looking at the source code for the phish, shows a hidden field that shows the phish was created with the "Mr-Brain" phishing kit.
I've already fired off an e-mail to the silentpartneralert.com (IP: 22.214.171.124 - customer.greendedicatedhost.com) hosting company. A copy of the e-mail, including the URL the victim is taken to, was also submitted to both PhishTank, and of course, Abbey National themselves.