TSB phishing scams

Phishing scams, hijacking of TM accounts, keyloggers and all manner of other nasties. This is the place to report them and get help if you've been hit.
digidog
Site Admin
Posts: 15014
Joined: Wed May 05, 2004 2:25 am
First Name: Alfie
Location: Otago

TSB phishing scams

Post by digidog » Fri Dec 02, 2011 2:35 am

The usual type of phish but the first I've seen for TSB.
Dear Valued Customer,

This message is simply a notification to protect the security of your account
failure to update your account, will increase Or introduce more risk to harm it

To prevent such from occurring, we've set out a short cut for verifying process

See below for perusal, click to update your account.

Online settlement


Thank you for your supporting

© TSB BANK LIMITED 2008-2011.
Careful - live phishing site
http://www.theknowledge.org/uploads/ima ... bbank.html

The homepage of that site shows it's been...
HACKED!

'' Balina Kovayalan Çılgın Hamsi ''

#turkish hacker ~

@Darkdevilz.in / DarkCracker

Foggyone
Site Admin
Posts: 9880
Joined: Sat May 22, 2004 8:16 pm
First Name: Peter
Location: Lower Hutt

Re: TSB phishing scam

Post by Foggyone » Fri Dec 02, 2011 6:51 am

The form goes to http://www.itmasters.co.nz/wp-content/upgrade/menu.php

I phoned the owner, one John Simeon in Ponsonby. No answer, so left him a message suggesting he clean out the file from his hacked account.

This morning.

Email from the site owner asking for clarification. Sent. The site is a provider of IT services (OOPS!), on the world's slowest server.

A Little Later

Webmaster on the phone to confirm she has taken the offending file out, and has taken the whole site offline. It's excellent that the action was so speedy.

The hack may well have been done via WordPress. I see the site uses WordPress and the TimThumb plugin, which was recently outed as having a vulnerability which could lead to site hacks.

The phishing page is still live, but now no longer loads the php file.

Digidog. Was TSB notified? If so, they are pretty slow in reacting.
Google, the answer to so many questions!
-----------------------------------------------------


Post by digidog » Fri Dec 02, 2011 10:34 pm

I filed a SpamCop report and another to Google. These included the TSB address as a reference so they would have been notified via SpamCop.


Re: TSB phishing scam

Post by Foggyone » Sat Dec 03, 2011 1:36 am

The fake phishing page is still coming up, with no indication from Firefox that anything is amiss.

I can't be bothered advising TSB via their site as they only have one of those awful web submission forms beloved by bigger businesses. Sent an email to the Tech as shown on whois.

Post by digidog » Sat Dec 03, 2011 3:01 am

When I view the site in Firefox I get the Google warning...
Reported Web Forgery!


Re: TSB phishing scam

Post by Foggyone » Sat Dec 03, 2011 5:22 am

That's interesting.

My Firefox (8.0) under Linux is not showing anything. I better check the setup.

Later. Even with the appropriate boxes ticked under Security I'm still not showing any warning. I wonder if this is a side effect of Linux. I wouldn't have thought so!

Update

Post by Foggyone » Sat Dec 03, 2011 9:59 pm

Firefox is reporting this site as a forgery (since mid evening yesterday).

http://www.itmasters.co.nz/ came back on line, but when I checked the original phish site I found another file pointing to a file on itmasters. This file still existed so I contacted them again, and I see the site is down for more maintenance.

No doubt if a site is thoroughly compromised the cleanup can take time and effort. Kudos to itmasters for moving quickly on notice of the second file.

The second phish is here, and is for LloydsTSB. This file doesn't trigger a Firefox warning.

Both the original file and the second are dated 2 December 2011.
The Knowledge net site is now showing
HACKED!

'' Balina Kovayalan Çılgın Hamsi ''

#turkish hacker ~

@Darkdevilz.in / DarkCracker
"The Knowledge" relates to the information that London taxi drivers need to learn to become licensed.

Post by digidog » Sun Jun 03, 2012 10:04 pm

Implore you? Strictly advised? How very non-bank like.
Valued TSB Bank Customer,

You have an unconfirmed payment Pending on your account
Please verify your account information for payment approval

We implore you to follow the link below to verify your account
details.

ACCOUNT VERIFICATION
Careful: Live phishing site
http://linus.jaeger-herzog.ch/gov/homeb ... nz/online/

NOTE: You are strictly advised to match your information correctly
to avoid service suspension.

Thank you for your co-operation.
Regards
TSB Bank


Re: TSB phishing scams

Post by digidog » Tue Jun 05, 2012 1:56 am

TSB seems to be the target du jour.
Unfortunately your TSB Card Number has been suspended.

The main reason for this action are

Your TSB Card Number has been accessed from a blacklisted location, Your TSB Card Number was entered wrongly three times.

To enable your TSB Card Number, You are required to provide your account details with that on our data base with our secured link below.

Link appears as: https://homebank.tsbbank.co.nz/online/
Actually goes to: http://ullalascb.com/images/homebank.ts ... login.html
Which redirects to the phishing site at:
http://facelap.com/imgs/homebank.tsbban ... ignOn.html
Careful: Live phishing site

Sorry for the inconvenience.

TSB Bank


Oh, The Irony

Post by Foggyone » Tue Jun 05, 2012 8:16 am

From the phishing page comes this gem
Security Alert
There has been an escalation of email phishing scams requesting credit card details. Click for more information.
I guess they think it makes their site look authentic. The link goes to http://www.dia.govt.nz/diawebsite.nsf/w ... enDocument

Re: TSB phishing scams

Post by digidog » Sat Jun 09, 2012 11:53 pm

Dear Customer,

Your internet banking profile requires update to work with our new server, so as protect you and your account from phishing and fraudulent activities.

Kindly validate your profile to keep your account safe.

Link looks like: https://homebank.tsbbank.co.nz/online/

But actually goes to: http://www.rmdistribution.fr/css/homeba ... SignOn.htm
Careful: Live phishing site

Thanks for choosing us.

TSB Bank Limited (NZ)
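
The "link looks like / actually goes to" mismatch reported in the posts above, and the bank hostname buried in the path of an unrelated site, can both be checked mechanically in an HTML mail body. This is an added example, not code from any poster in this thread; the `.example` hosts and the sample body are constructed, and `BRAND_HOSTS` is an assumed allow-list holding the bank host quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list: the legitimate login host as quoted in the thread.
BRAND_HOSTS = {"homebank.tsbbank.co.nz"}

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def check_links(html):
    """Return (href, reason) findings for anchors that misrepresent their target."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        # 1. Visible text is a URL naming a different host than the href.
        if text.lower().startswith(("http://", "https://")) and host_of(text) != real:
            findings.append((href, "text-host-mismatch"))
        # 2. Bank hostname appears in path/query while the real host is not the bank.
        parts = urlsplit(href)
        rest = (parts.path + "?" + parts.query).lower()
        if real not in BRAND_HOSTS and any(b in rest for b in BRAND_HOSTS):
            findings.append((href, "brand-in-path"))
    return findings

# Constructed sample mail body; the .example hosts are placeholders.
BAD_HREF = "http://images.compromised.example/imgs/homebank.tsbbank.co.nz/SignOn.html"
SAMPLE = f"""
<a href="{BAD_HREF}">https://homebank.tsbbank.co.nz/online/</a>
<a href="https://homebank.tsbbank.co.nz/online/">https://homebank.tsbbank.co.nz/online/</a>
<a href="http://redirector.example/date.php">Click to update</a>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE):
        print(reason, href)
```

The third sample link, a bare redirector with neutral link text, passes both checks because nothing in the mail itself names the bank; catching that case needs the redirect target, not just the message.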


Re: TSB phishing scams

Post by digidog » Sun Jun 10, 2012 12:30 am

And two more TSB phishing emails - that's three so far today.

They link to: http://kaleokullari.com//date.php/

Which redirects to: http://www.rmdistribution.fr/depliants/ ... SignOn.htm
Careful: Live phishing site


Re: TSB phishing scams

Post by digidog » Mon Jun 11, 2012 4:11 am

Yet another TSB phish... I'm going to collect a few in this post.

The email link: http://home.exetel.com.au/corplease/aus.php redirects to:

Careful: Live phishing sites
http://rdew.in/homebank.tsbbank.co.nz/SignOn.htm (11 June)
http://www.ampadelpilar.org/pdfs/homeba ... SignOn.htm (12 June)
http://www.evasion91.com/wp-content//th ... SignOn.htm (2 copies - 12 June)

http://safamarwafoods.com/images/homeba ... SignOn.htm (2 copies - 13 June)

14 June
Three initial email links point to:
http://kaleokullari.com//media/cov.php (14 June)
http://www.rmdistribution.fr/date.php (14 June)
http://www.ampadelpilar.org/pdfs/inc.php (14 June)

This batch all redirect to the actual phishing sites as well:
http://safamarwafoods.com/includes/home ... SignOn.htm (14 June)
http://rajputmetals.com/gallery/homeban ... SignOn.htm (14 June)

http://cpvcursos.com.br/css.php redirects to:
http://www.fcbibirevo.ru/homebank.tsbba ... SignOn.htm (14 June)

http://www.tourgarage.com//wp-content/s ... co.nz.html redirects to:
http://chantalnc.com/v2//wp-content/upl ... SignOn.htm (14 June)

http://www.rmdistribution.fr/Rm/aus.php redirects to:
http://pinoscervinocatering.ch/images/h ... SignOn.htm (2 copies - 17 June)

Two phishing scams from NZ IP addresses this morning - Actrix and kcbbs.gen.nz
http://www.kaleokullari.com//oku.php redirects to:
http://www.sanelyurdu.com/language/home ... SignOn.htm (2 copies - 19 June)

http://www.steronlocksmiths.co.uk/v2/cli/display.php redirects to:
http://m2ptechnologies.com/images/homeb ... SignOn.htm (19 June)

The m2p site is based in Nigeria (of course)!

http://www.careercruise.com/oku.php redirects to:
http://www.kloi.dk/images/homebank.tsbb ... ervlet.htm (2 copies - 21 June)


Re: TSB phishing scams

Post by digidog » Sun Jun 24, 2012 12:34 am

TSB seems to be under heavy attack lately... I received another two copies of this scam today.

http://www.careercruise.com/hag.php (still being exploited) redirects to:
http://www.jyo.jp/lib/homebank.tsbbank. ... ervlet.htm (2 copies - 24 June)


Re: TSB phishing scams

Post by Foggyone » Sun Jun 24, 2012 4:12 am

Still live and no warning.

Drops you straight into TSB login page which is an exact copy of the scam page (except for the URL).