The e-mail arrived from 81.252.149.105, with a PDF attached (shown left; Dear Abbey Internet Bankiewng Holder.pdf) and the following bit of text:
You need to update your account information for more reasons:
1. A recent change in your personal information
(ie change of address).
2. Submitting invalid information during the initial enrollment process.
3. An inability to accurately verify your account information due to an internal error within our processors.
Please download the pdf document and read the instructions.
Thanks,
Abbey Team
Note that the original e-mail was in HTML format, with a reference to:
http://geocities.com/kent.eight8/StaticBS.gif
which is simply the Abbey National logo (Abbey National is owned by the Santander Group). A screenshot of the HTML version is below.
In case the PDF contained an exploit or similar, I thought I'd analyse it before actually opening it, so I got out PDFTK and uncompressed it (I had to grab the latest version first, as my copy of PDFTK was out of date, but I digress). Loading the uncompressed PDF in my editor showed several interesting references to the scammer's PC, such as:
C:\Documents and Settings\Suny12\Desktop\detoate\pozeabbey\abb534543534ey.png
C:\Documents and Settings\Suny12\Desktop\detoate\pozeabbey\images.jpeg
C:\Documents and Settings\Suny12\Desktop\detoate\pozeabbey\ima3232ges.jpeg
along with the following metadata:
/Creator (Acrobat PDFMaker 9.0 for Word)
/Author (Cristi)
/Producer (Adobe PDF Library 9.0)
/ModDate (D:20091024165354+03'00')
/CreationDate (D:20091023002442+03'00')
/SourceModified (D:20091022204153)
But the one I was looking for was the target the victim would be directed to, which in this case is:
http://www.silentpartneralert.com/nusoap/myonlineaccounts2.abbeynational/Logon.php?a=myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare
Once you've entered your credentials, you're taken via Gooodshot.php directly to the real Abbey National site at:
https://myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare
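As an added example (not part of the original post), here is a small Python triage script that does what the PDFTK-and-editor step above does by hand: inflate the Flate-compressed streams, then pull out the metadata keys, embedded URLs and leftover Windows paths without ever opening the file in a viewer. The sample PDF bytes, the URL and the path in it are constructed placeholders, not values from the real attachment.

```python
import re
import zlib

# Constructed sample (not the phishing PDF from the post): one Flate-compressed
# object carrying a /URI link action and a leftover local image path, plus an
# Info dictionary using the metadata keys the post lists. The URL and the path
# are placeholders.
_LINK_OBJ = (
    b"<< /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://phish.example.invalid/Logon.php) >> >>\n"
    b"% image source: C:\\Documents and Settings\\user\\Desktop\\kit\\logo.png\n"
)
_COMPRESSED = zlib.compress(_LINK_OBJ)
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode /Length "
    + str(len(_COMPRESSED)).encode() + b" >>\nstream\n" + _COMPRESSED
    + b"\nendstream\nendobj\n2 0 obj\n<< /Creator (Acrobat PDFMaker 9.0 for Word) "
    b"/Author (Cristi) /Producer (Adobe PDF Library 9.0) "
    b"/ModDate (D:20091024165354+03'00') >>\nendobj\ntrailer\n<< /Info 2 0 R >>\n%%EOF\n"
)

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
INFO_RE = re.compile(rb"/(Creator|Author|Producer|ModDate|CreationDate|SourceModified)\s*\((.*?)\)")
URL_RE = re.compile(rb"https?://[^\s()<>]+")
WINPATH_RE = re.compile(rb"[A-Za-z]:\\[^\r\n()<>]+")


def inflate_streams(data):
    """Inflate every Flate-compressed stream body in place (the pdftk uncompress
    step from the post), so plain string matching sees the real content."""
    def _inflate(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)  # not Flate, or corrupt: leave the stream untouched
    return STREAM_RE.sub(_inflate, data)


def triage_pdf(data):
    """Pull metadata, embedded URLs and leftover Windows paths out of a PDF by
    string matching alone; nothing is rendered, and no script is executed."""
    flat = inflate_streams(data)
    return {
        "info": {k.decode(): v.decode("latin-1") for k, v in INFO_RE.findall(flat)},
        "urls": sorted({u.decode("latin-1") for u in URL_RE.findall(flat)}),
        "paths": sorted({p.decode("latin-1") for p in WINPATH_RE.findall(flat)}),
    }


if __name__ == "__main__":
    for key, value in triage_pdf(SAMPLE_PDF).items():
        print(key, value)
```

The regexes are deliberately simple (PDF literal strings may contain balanced parentheses and escapes), so treat the output as triage leads to confirm by hand rather than a complete parse.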
Looking at the source code for the phish shows a hidden field (its name, "niarB", is "Brain" reversed) that shows the phish was created with the "Mr-Brain" phishing kit:
<input type="hidden" name="niarB" value="0006c65696c697640766f696c612e6672">
I've already fired off an e-mail to the hosting company for silentpartneralert.com (IP: 174.46.45.50, customer.greendedicatedhost.com). A copy of the e-mail, including the URL the victim is taken to, was also submitted to both PhishTank and, of course, Abbey National themselves.