
Security Forums


Just got this Barclays Phishing email

browolf
Trusted SF Member
Trusted SF Member


Joined: 19 Apr 2002
Posts: 1


Offline

PostPosted: Fri Feb 27, 2004 12:14 pm    Post subject: Just got this Barclays Phishing email Reply with quote

it basically redirects to the real barclays page with a fake popup.

I managed to get the page before it redirects using wget.

Thought some might be interested to see how it works. (This isn't an invitation to craft your own phishing scams.)

Code:

<html>
<head>
<title>Barclays</title>
 
<script LANGUAGE="JavaScript">

// Browser Detection
// Browser detection flags. Every name assigned here is an implicit global
// (no var/let); within this listing only IEmac and IE4 are read again
// (by SafeAddOnload) and IE4plus is reused by the version block below.
isMac = (navigator.appVersion.indexOf("Mac")!=-1) ? true : false;
NS4 = (document.layers) ? true : false;              // Netscape 4 "layers" DOM
IEmac = ((document.all)&&(isMac)) ? true : false;    // document.all + Mac platform string
IE4plus = (document.all) ? true : false;             // any IE that exposes document.all
IE4 = ((document.all)&&(navigator.appVersion.indexOf("MSIE 4.")!=-1)) ? true : false;
IE5 = ((document.all)&&(navigator.appVersion.indexOf("MSIE 5.")!=-1)) ? true : false;

IE6 = ((document.all)&&(navigator.appVersion.indexOf("MSIE 6.")!=-1)) ? true : false;
ver4 = (NS4 || IE4plus) ? true : false;
// Precedence: ((!layers) && (userAgent contains 'Netscape')) ? true : false
NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;

IE5plus = IE5 || IE6;
IEMajor = 0;

// Parse the major version out of the "MSIE N." token in appVersion.
// Only runs when document.all exists; `start` and `end` are top-level vars,
// i.e. globals, and parseInt is called without a radix.
if (IE4plus)
{
   var start = navigator.appVersion.indexOf("MSIE");
   var end = navigator.appVersion.indexOf(".",start);
   IEMajor = parseInt(navigator.appVersion.substring(start+5,end));
   IE5plus = (IEMajor>=5) ? true : false;   // replaces the IE5 || IE6 guess above
}

// Body onload utility (supports multiple onload functions)
var gSafeOnload = new Array();
function SafeAddOnload(f)
{
   // Register f as an onload handler without discarding one that is already
   // installed: the first handler is set directly, later ones are chained
   // through SafeOnload and the gSafeOnload registry.
   if (IEmac && IE4)  // IE 4.5 blows out on testing window.onload
   {
      window.onload = SafeOnload;
      gSafeOnload.push(f);
      return;
   }

   var current = window.onload;
   if (!current)
   {
      window.onload = f;   // nothing installed yet: no chaining needed
      return;
   }

   if (current != SafeOnload)
   {
      gSafeOnload[0] = current;   // keep whatever someone else installed
      window.onload = SafeOnload;
   }
   gSafeOnload.push(f);
}
function SafeOnload()
{
   // Run every registered handler in registration order. The length is
   // re-read on each pass so handlers appended during the run are also called.
   var idx = 0;
   while (idx < gSafeOnload.length)
   {
      gSafeOnload[idx]();
      idx++;
   }
}

function isInt(numIn)
{
   // True when parseInt can pull a leading integer out of numIn. Leading
   // digits are enough ("12abc" passes) and no radix is supplied, exactly as
   // the original behaved.
   return !Number.isNaN(parseInt(numIn));
}

function PUW_Init()
{
   // Schedule the popup unless the cookie-backed frequency counter says no.
   var puw = gPopupWindow;
   if (!puw.CheckFrequency())
      return;
   // String-form setTimeout is evaluated in global scope, so it is the
   // global gPopupWindow (not the local alias) that resolves when it fires.
   setTimeout("gPopupWindow.Show()", puw.showDelay);
}

function PUW_Show()
{
   // Open this.url in a new window whose chrome (toolbar, location bar,
   // menubar, status bar) is switched on or off from this object's flags.
   var yesNo = function (flag) { return flag ? "yes" : "no"; };
   var features = [
      "width=" + this.width,
      "height=" + this.height,
      "top=" + this.top,
      "left=" + this.left,
      "scrollbars=" + yesNo(this.scrollbars),
      "toolbar=" + yesNo(this.toolbar),
      "location=" + yesNo(this.locationbar),
      "menubar=" + yesNo(this.menubar),
      "status=" + yesNo(this.statusbar),
      "resizable=" + yesNo(this.resizable)
   ].join(",");

   window.open(this.url, this.name, features);

   // Unless configured to stay on top, give focus back to the opener window.
   if (!this.ontop)
      window.focus();
}

function PUW_CheckFrequency()
{
   // Decide whether the popup may be shown this time.
   //   frequency == 0  -> never (no cookie traffic)
   //   frequency  < 0  -> always (no cookie traffic)
   //   frequency  > 0  -> a countdown persisted in the "PUWCount" cookie,
   //                      re-issued with a this.renew-hour expiry on each call
   if (!(this.frequency > 0))
      return this.frequency != 0;

   var jar = document.cookie;
   var at = jar.indexOf("PUWCount=");
   if (at >= 0)
   {
      var stop = jar.indexOf(";", at);
      if (stop < 0)
         stop = jar.length;
      var stored = jar.substring(at + 9, stop);   // 9 == "PUWCount=".length
      if (isInt(stored))
         this.frequency = parseInt(stored);
   }

   var allowed = this.frequency > 0;
   if (allowed)
      this.frequency--;

   var expiry = new Date();
   expiry.setTime(expiry.getTime() + this.renew * 60 * 60000);
   document.cookie = "PUWCount=" + this.frequency + "; expires=" + expiry.toGMTString();
   return allowed;
}


function PopupWindow(url,width,height)
{
   // Popup configuration object. Note that the width and height arguments are
   // accepted but never used: the dimensions are fixed at 800x633 below,
   // which is what the original did too.
   var settings = {
      width: 800,
      height: 633,
      top: 70,
      left: 50,
      name: "mypopupwin",
      url: url,
      showDelay: 2,
      frequency: 200, // how many times show per renewal time period
      renew: 1, // renew showing every x hours
      scrollbars: true,
      toolbar: false,
      statusbar: false,
      resizable: true,
      locationbar: false,
      menubar: false,
      ontop: false
   };
   for (var key in settings)
      this[key] = settings[key];

   this.Init = PUW_Init;
   this.Show = PUW_Show;
   this.CheckFrequency = PUW_CheckFrequency;
}

function PUWStart()
{
   // onload entry point: hand over to the global popup object's initialiser.
   var puw = gPopupWindow;
   puw.Init();
}

// Boot sequence. This script sits in <head>, so the onload handler is
// registered before the body loads and before gPopupWindow exists; PUWStart
// only dereferences gPopupWindow when onload actually fires.
SafeAddOnload(PUWStart);

// The popup content is a relative file on the same host as this page. The
// 350x150 arguments are ignored by the constructor, which fixes 800x633.
gPopupWindow = new PopupWindow("1logon00.htm", 350, 150);
gPopupWindow.toolbar = false;     // already the constructor default
gPopupWindow.statusbar = true;
gPopupWindow.resizable = true;    // already the constructor default
gPopupWindow.ontop = true;        // makes PUW_Show skip window.focus() on the opener

</script>
 </head>

<body bgcolor="#FFFFFF" text="#000000">

<META HTTP-EQUIV="Refresh" CONTENT="0; url=http://www.barclays.co.uk/"><div align="center">
  <p>&nbsp;</p>
</div>

</body>
</html>


the url in the email is
http://www.personal.barclays.co.ukgotolpfsplb@142.165.231.19:4925/b/index.htm

In the source of the popup, the clues are:

these funny tags
<!-- Vignette V/5 Thu Feb 26 13:36:14 2004 -->

the form is posted to
<form method="POST" action="12355600.php">

**MOD EDIT**

Browolf - I feel this topic should be more prominent, have made it a sticky - regards
TinTin
Forum Fanatic
Forum Fanatic


Joined: 25 Apr 2002
Posts: 16777199


Offline

PostPosted: Sun Mar 07, 2004 11:49 am    Post subject: topic Reply with quote

You're absolutely right

Here is the original as posted here https://ibank.barclays.co.uk/olb/q/Welcome.do

SECURITY ALERT: Please read this important message
We are aware that some customers are receiving a message from an email address posing as Barclays Bank.

Instructions on the email advise you to follow a link to what appears to be a Barclays website where you are prompted to enter your personal details.
Barclays is in no way involved with this scam email and the website does not belong to us.

Barclays does not send any emails to customers requesting your security or any other confidential information. Please do not reply to any such emails or follow any links to websites claiming to be Barclays Online Banking.

ALWAYS check the website address at the top of your screen starts with 'https'. This lets you know the site is secure.
Please read our latest information and advice on Online Security


Last edited by TinTin on Sat Dec 17, 2005 7:59 pm; edited 1 time in total
ZCorker
Just Arrived
Just Arrived


Joined: 07 Nov 2003
Posts: 0


Offline

PostPosted: Sun Mar 07, 2004 8:34 pm    Post subject: Wget Reply with quote

May I ask what steps you took to capture the page before it redirects? More a point of curiosity. It might also help me in better understanding how to circumvent authorized redirects which can be a real problem.

I haven't tried wget, but looks like this is a program I should take a look at.

Thanks,
zcorker
<rjs4you(at)netzero.net>
browolf
Trusted SF Member
Trusted SF Member


Joined: 19 Apr 2002
Posts: 1


Offline

PostPosted: Fri Apr 30, 2004 2:43 pm    Post subject: Reply with quote

Using wget gets around this redirect because it is a client-side effect (the meta refresh in the page) that wget doesn't act on; wget just saves the HTML as served.

The Windows port of wget is a DOS program that just saves the file; no HTML interpretation is done.

all the phishing scams i've seen involve a fake popup and redirection to the real site. the ones i've seen lately have been running on compromised hosts.

If you use a proxy you have to set it as an environment variable before using wget:

c:\> set http_proxy=myproxy:8080
Anub!$
Just Arrived
Just Arrived


Joined: 23 Sep 2003
Posts: 1
Location: Computer Chair

Offline

PostPosted: Fri Apr 30, 2004 3:02 pm    Post subject: Just got this Barclays Phishing email Reply with quote

A man has been arrested for a case like this, it may be the same one.

Probably is actually.

Here is some more info:

http://www.sophos.com/spaminfo/articles/phishingbust.html
browolf
Trusted SF Member
Trusted SF Member


Joined: 19 Apr 2002
Posts: 1


Offline

PostPosted: Fri Apr 30, 2004 3:23 pm    Post subject: Reply with quote

Perhaps, but the above code is almost identical to a Barclays scam I got the other day, which I suspect is a much more sophisticated operation.

see this thread: http://www.security-forums.com/forum/viewtopic.php?t=13539&highlight=

In fact, I just checked now and the code is identical — even the comments are the same.

Whoever is running this has been doing so since Feb, clearly just moving the code around. At the moment the domain on the latest one is registered at
YESNIC CO. LTD. [www.yesnic.com]

a coincidence there, the site atm is running thru a korean host. yesnic have a korean version of their page.

Yesnic are no stranger to controversy; after a quick Google they've been involved in several domain name disputes involving Korean citizens.
browolf
Trusted SF Member
Trusted SF Member


Joined: 19 Apr 2002
Posts: 1


Offline

PostPosted: Wed May 05, 2004 3:31 pm    Post subject: Reply with quote

just got a nationwide phishing email

Code:

<html><body><p> <a href="http://www.nationwide.co.uk%2E%75%73%65%72%73%65%74%2E%6E%65%74:%34%39%30%33/%6E%77/%69%6E%64%65%78%2E%68%74%6D"> <img src="cid:6C0F0035.58BDF68E.93FFA922.DF54F0DF_csseditor" ALT="" border="0">
</a>
</p><p>
<font color="#FFFFF4">Romeo MGM Dr. Dree in 1849 Sure</font>
</p></body></html>


the obfuscated domain is almost the same as the barclays one

http://www.nationwide.co.uk.userset.net:4903/nw/index.htm

The userset domain seems to have moved away from the Korean school.

the url without the port and file now gives a
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.personal.barclays.co.uk.userset.net/
The following error was encountered:
* Connection Failed
The system returned:
(111) Connection refused

but a traceroute leads to
Quote:

traceroute to www.nationwide.co.uk.userset.net (65.24.44.40), 30 hops max, 40 byte packets
3 ldn-b4-feth4-1.telia.net (213.248.75.65) 0.314 ms 0.246 ms 0.167 ms
4 ldn-bb2-pos5-2-0.telia.net (213.248.65.101) 0.370 ms 0.427 ms 0.417 ms
5 ldn-b2-pos8-0.telia.net (213.248.74.10) 1.532 ms 0.692 ms 0.495 ms
6 aol-01135-ldn-b2.telia.net (213.248.75.70) 0.731 ms 0.542 ms 0.378 ms
7 bb2-loh-P6-0.atdn.net (66.185.136.242) 0.698 ms 0.640 ms 0.629 ms
8 bb2-nye-P5-0.atdn.net (66.185.152.140) 72.528 ms 72.729 ms 72.507 ms
9 bb1-nye-P2-0.atdn.net (66.185.153.20) 72.658 ms 72.496 ms 72.735 ms
10 bb2-ash-P10-0.atdn.net (66.185.152.87) 73.843 ms 105.597 ms 73.648 ms
11 bb2-cin-P3-0.atdn.net (66.185.153.61) 91.878 ms 91.722 ms 91.726 ms
12 pop1-cin-P1-0.atdn.net (66.185.133.3) 92.169 ms 92.106 ms 92.333 ms
13 RR-Cincinnati.atdn.net (66.185.133.10) 92.346 ms 92.664 ms 92.481 ms
14 pos13-0.clmboh1-rtr3.columbus.rr.com (65.25.128.230) 95.299 ms 95.386 ms 95.394 ms
15 srp0-0.clmboh1-rtr1.columbus.rr.com (65.25.129.97) 95.720 ms 96.052 ms 95.707 ms
16 srp1-0.nwrmoh1-ubr1.columbus.rr.com (24.95.81.166) 96.788 ms 96.681 ms 96.834 ms
17 dhcp065-024-044-040.columbus.rr.com (65.24.44.40) 101.174 ms 101.851 ms 102.388 ms



We'll soon have that shut down. Very Happy
browolf
Trusted SF Member
Trusted SF Member


Joined: 19 Apr 2002
Posts: 1


Offline

PostPosted: Thu May 06, 2004 4:49 pm    Post subject: Reply with quote

just got a halifax one.

pointing at

www.halifax-online.co.uk.userset.net:4903/b/index.htm

But it doesn't seem to resolve properly.

In fact, all the traceroutes seem to get as far as
11 94 125 109 195.60.31.254 telehouse-gw-1.power.net.uk

then can't get any further, just timeouts... hmm, how odd. I wonder what that means; perhaps it's been terminated already. Heh, it's getting bad for them when the scams are down before the victims receive the email.
carl04
Just Arrived
Just Arrived


Joined: 05 Jul 2004
Posts: 0


Offline

PostPosted: Wed Jul 07, 2004 8:42 pm    Post subject: . Reply with quote

what is email phishing?
squidly
Trusted SF Member
Trusted SF Member


Joined: 07 Oct 2002
Posts: 16777215
Location: Umm.. I dont know.. somewhere

Offline

PostPosted: Thu Jul 08, 2004 10:34 pm    Post subject: Reply with quote

carl04 wrote:
what is email phishing?


Phishing is when someone tries to make an email look like it comes from somewhere you are supposed to trust, such as your bank or your ISP, in order to get you to hand over sensitive information.
browolf
Trusted SF Member
Trusted SF Member


Joined: 19 Apr 2002
Posts: 1


Offline

PostPosted: Tue Nov 29, 2005 11:01 pm    Post subject: Reply with quote

Talking of Barclays phishing, I've been getting an awful lot of these recently in my BT mail and at work. I have my BT mail forwarded to Gmail, which catches 95% of the spam. It seems to be distinguishing between spam and phish, as a warning appears with the phish — well, some of them: it warns on the Barclays ones but not the Halifax or Lloyds ones. Got 6 today in total. 4 of them came from different compromised hosts but with the similarities of the port (680) and the path (/rock/x), where x is a single letter representing the bank, e.g. l for Lloyds, h for Halifax. Another one used port 780 instead.