Blog for hpHosts, and whatever else I feel like writing about ....

Saturday 24 October 2009

Abbey National phish, via PDF

I received an interesting Abbey National phish yesterday, that decided, instead of simply pointing me to a URL, they'd try a better method of evading suspicion and phish/spam etc filters.

The e-mail arrived from 81.252.149.105, with a PDF (shown left) attached (Dear Abbey Internet Bankiewng Holder.pdf), and the following bit of text;

You need to update your account information for more reasons:

1. A recent change in your personal information
(ie change of address).

2. Submitting invalid information during the initial enrollment process.

3. An inability to accurately verify your account information due to an internal error within our processors.

Please download the pdf documend and read the instructions.

Thanks,
Abbey Team


Note, the original e-mail was in HTML format, with a reference to;

http://geocities.com/kent.eight8/StaticBS.gif


Which is simply the Santander Group (who own Abbey National), Abbey National logo. A screenshot of the HTML version is below.



Incase the PDF contained an exploit or such, I thought I'd analyze it before actually opening it, obviously, so got out PDFTK and uncompressed it (had to grab the latest version first as my copy of PDFTK was out of date, but I digress). Loading the uncompressed PDF in my editor, showed several interesting references to the scammers PC, such as;

C:\Documents and Settings\Suny12\Desktop\detoate\pozeabbey\abb534543534ey.png
C:\Documents and Settings\Suny12\Desktop\detoate\pozeabbey\images.jpeg
C:\Documents and Settings\Suny12\Desktop\detoate\pozeabbey\ima3232ges.jpeg


Along with the following;

/Creator (Acrobat PDFMaker 9.0 for Word)
/Author (Cristi)
/Producer (Adobe PDF Library 9.0)
/ModDate (D:20091024165354+03'00')
/CreationDate (D:20091023002442+03'00')
/SourceModified (D:20091022204153)


But the one I was looking for, was the target that the victim would be directed to, which in this case is;

http://www.silentpartneralert.com/nusoap/myonlineaccounts2.abbeynational/Logon.php?a=myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare



Once you've entered your credentials, you're taken via Gooodshot.php directly to the real Abbey National site at;

https://myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare

Looking at the source code for the phish, shows a hidden field that shows the phish was created with the "Mr-Brain" phishing kit.

<input type="hidden" name="niarB" value="0006c65696c697640766f696c612e6672">


I've already fired off an e-mail to the silentpartneralert.com (IP: 174.46.45.50 - customer.greendedicatedhost.com) hosting company. A copy of the e-mail, including the URL the victim is taken to, was also submitted to both PhishTank, and of course, Abbey National themselves.

No comments: