trickery.net  

Go Back   trickery.net > Technical > Software & Security

Old 04-May-2010, 17:13   #1
[LF]Mont
Madmontaholic
Join Date: Nov 2003
Posts: 1,524
HSBC threat

Hey guys, just wondering what you make of this phishing scam I had with a user who was trying to access the HSBC online banking. I put a document together here:

http://www.madmont.com/hsbc/index.htm
__________________
http://www.madmont.com
Old 04-May-2010, 17:20   #2
Bilb
Amazeballs!
Join Date: Oct 2003
Location: Elite Elevated Equine Division
Posts: 11,283
Get the colleague to log in from home and change their security details ... NOW.

Then contact HSBC for information.
Old 04-May-2010, 20:16   #3
The Dark One
meh
Join Date: Oct 2003
Posts: 8,113
Some info based on Homer spotting the threat

http://garwarner.blogspot.com/2010/0...-zeus-bot.html
Old 04-May-2010, 21:36   #4
[LF]Mont
Madmontaholic
Join Date: Nov 2003
Posts: 1,524
Don't worry, it was the first thing I suggested she do when she told me about it.

With the Zeus bot it directs you to a similar-looking HSBC address (hsbc.co.uk.dezzzz1.com.pl/1/2 etc.), but the address is valid throughout and stays at hsbc.co.uk, which is what is strange.
__________________
http://www.madmont.com
Old 04-May-2010, 22:38   #5
Nomad
i fear no midget
Join Date: Feb 2007
Posts: 10,572
Quote:
Originally Posted by **************
...but that screen is exactly what I have seen when infecting a system),...

you be zeus!!!111"
Old 04-May-2010, 22:52   #6
[LF]Mont
Madmontaholic
Join Date: Nov 2003
Posts: 1,524
The strange thing is, though, that it fails to send the data I think; it comes up with the error about access denied, and our web guy reckons it's something to do with it being on HTTPS. I checked the hosts file and there was nothing in there. It looks like possibly an infected IE somehow, but it's certainly the cleverest piece of malware I have seen: gets through all AV/malware scans, and somehow maintains the correct address in the address bar. I will be wiping her computer when I have finished looking into it, but I would like to find out how it's actually doing it before I wipe away any evidence.
__________________
http://www.madmont.com
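Two of the checks discussed in this thread, the look-alike address from post #4 (the bank's domain used as the leading labels of some other registered domain) and the hosts-file inspection from post #6, written up as an added example from a support/defender standpoint. This is not code from the thread or from any of the posters; the trusted-domain list, the sample hosts file and the sample URLs are constructed assumptions for the demo.

```python
"""Added example: sanity checks for a suspected bank-site redirection.

classify_url()   -- is the host really under the bank's registered domain,
                    or does the bank's name merely appear inside another
                    domain (the hsbc.co.uk.dezzzz1.com.pl/1/2 pattern)?
hosts_overrides() -- does a hosts file pin the bank's hostname to an address,
                    which would redirect the browser without touching DNS?
Both run offline on the constructed sample data below.
"""
from urllib.parse import urlsplit

# Assumption for the demo: the only domain we treat as the bank's own.
TRUSTED_DOMAINS = ("hsbc.co.uk",)


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL; scheme-less input is treated as http."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike', 'other' or 'invalid' for a URL."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    for trusted in TRUSTED_DOMAINS:
        # Only an exact match or a genuine subdomain counts as the bank.
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Bank name present, but the registered domain is someone else's.
        if trusted.split(".")[0] in host:
            return "lookalike"
    return "other"


def hosts_overrides(hosts_text: str, domains=TRUSTED_DOMAINS) -> list:
    """(ip, name) pairs in a hosts file that pin a trusted domain or one of
    its subdomains.  A clean machine should return an empty list."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            n = name.lower()
            if any(n == d or n.endswith("." + d) for d in domains):
                hits.append((ip, n))
    return hits


# Constructed sample hosts file; 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """# constructed sample, not a real hosts file
127.0.0.1 localhost
::1       localhost
203.0.113.10 www.hsbc.co.uk   # a line like this redirects the bank site
"""

# Constructed sample URLs: the thread's pattern, a genuine one, an unrelated one.
SAMPLE_URLS = [
    "hsbc.co.uk.dezzzz1.com.pl/1/2",
    "https://www.hsbc.co.uk/1/2/",
    "https://www.example.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_url(u):10} {u}")
    for ip, name in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
```

The address-bar check only catches the crude look-alike URL; as the later posts note, an infected browser can keep hsbc.co.uk in the bar while altering the page, so a clean hosts file and a clean-looking URL do not clear the machine.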
Old 05-May-2010, 00:00   #7
[LF]Mont
Madmontaholic
Join Date: Nov 2003
Posts: 1,524
Cool mate, cheers. I work for our user support team and have to liaise between users and the system guys to both advise systems what changes we need to make to our client and then give info out to the users on what to watch out for etc...
__________________
http://www.madmont.com
Old 05-May-2010, 02:52   #8
Scrobbs
Sunnyvale Supervisor
Join Date: Oct 2003
Location: In the pipe, five by five.
Posts: 16,496
Heh

__________________
http://bit.ly/debatethebill
Old 05-May-2010, 10:45   #9
pHk
lolzipan
Join Date: Jun 2005
Location: Belgium
Posts: 3,458
Slap Wireshark in between and have a look at whether it actually sends the data or not.

Seems to be engineered for IEX only, so it might be tricking IEX directly (via the OS, not the webpage) into displaying the proper URLs. That or clever JavaScript that changes the URL when it has loaded the malicious page.
Old 05-May-2010, 10:49   #10
Scrobbs
Sunnyvale Supervisor
Join Date: Oct 2003
Location: In the pipe, five by five.
Posts: 16,496
Nothing to do with me. It was just like that...
__________________
http://bit.ly/debatethebill
Old 05-May-2010, 11:35   #11
Nomad
i fear no midget
Join Date: Feb 2007
Posts: 10,572
Quote:
Originally Posted by pHk
...Seems to be engineered for IEX only, so it might be tricking IEX directly (via the OS, not the webpage) into displaying the proper URLs. That or clever JavaScript that changes the URL when it has loaded the malicious page.

I only ever got up to IE8 and I don't use it, so should be safe then; that and I don't bank with HSBC. Forever Midland imo, they ruined a good thing, griffins need a home too.
Old 05-May-2010, 13:46   #12
[LF]Mont
Madmontaholic
Join Date: Nov 2003
Posts: 1,524
Tried that MS Network Monitor and it didn't send any other traffic other than to the HSBC site while I was attempting to log in.
__________________
http://www.madmont.com
Old 05-May-2010, 19:31   #13
The Dark One
meh
Join Date: Oct 2003
Posts: 8,113
Would something like Rapport have flagged this as being iffy?