Sla.ckers.org
Who's got it? Who's giving it away? How to protect your privacy and steal it from other people. For intellectual privacy, personal privacy, and blackhats alike... 
Banks training their users to become phishing victims.
Posted by: Jeffuk
Date: July 14, 2008 05:29PM

Just logged into my online account on halifax>co>uk to see:

"Please update your contact details"

A screen I've never seen before, which made me instantly concerned, asking for personal information.. looking at it in detail.. I also notice that the URL for this page, and all the account management is now halifax-online>co>uk ... "omg how has someone pulled this off, this MUST be a scam."..

I read the page, and it says further down "Halifax may contact you to confirm your online activity, if we do not get a response we may suspend your online account"... woah.. that could be taken straight from a phishing email, this can't be real, but I typed the URL myself, and this is a fresh install of firefox 3.0, it can't be compromised already.

It turns out... that all of this is genuine. The site is SUPPOSED to work like this. It's supposed to redirect you to another domain without warning, supposed to ask you to enter random bits of information, and supposed to enforce the oldest trick in the phishers' arsenal, telling you that if you don't respond to unsolicited contact from the bank, YOU may lose out by having your accounts blocked.

Surely someone, somewhere, deserves firing over something like this... But I bet they won't be.
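The three red flags in the post above (a silent hop to a different registrable domain, an unsolicited request for personal details, and a "respond or we suspend you" threat) are exactly what anti-phishing training tells customers to look for. As an added example, not code from this thread or from the bank, here is a small Python audit that checks a login flow for those flags. It compares the registrable domain (eTLD+1) of the URL the user typed against the one they land on, using a tiny stand-in suffix list, and scans the landing page text for the suspension and "update your details" wording. The suffix list, phrase lists, sample URLs (including the `/account` path) and sample page text are constructed for the demo; real code would load the full Public Suffix List.

```python
"""Audit a login flow for phishing-style red flags.

Added example for the forum thread, not code from the forum or the bank.
PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List
(assumption: production code would load the real list, e.g. via the
`publicsuffix2` package).
"""
from urllib.parse import urlparse

PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "ac.uk"}

# Constructed phrase lists: wording a bank should never put in an
# unsolicited prompt, because phishing kits use the same lines.
SUSPENSION_PHRASES = ("suspend your", "account will be blocked",
                      "we may suspend", "your account may be suspended")
DETAIL_PHRASES = ("update your contact details", "confirm your details",
                  "verify your personal information")


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. 'www.halifax.co.uk' -> 'halifax.co.uk'.

    Walks the labels from the right, keeps the longest matching public
    suffix, then adds one more label.
    """
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 0
    for i in range(1, len(labels)):
        if ".".join(labels[-i:]) in PUBLIC_SUFFIXES:
            suffix_len = i
    if suffix_len == 0 or suffix_len >= len(labels):
        return host.lower()  # unknown suffix, or host is itself a suffix
    return ".".join(labels[-(suffix_len + 1):])


def audit_login_flow(typed_url: str, final_url: str, page_text: str) -> list:
    """Return the red flags found; an empty list means nothing was flagged."""
    findings = []
    typed_host = urlparse(typed_url).hostname or ""
    final_host = urlparse(final_url).hostname or ""
    typed_reg, final_reg = registrable_domain(typed_host), registrable_domain(final_host)
    # Flag 1: the session moved to a different registrable domain.
    if typed_reg != final_reg:
        findings.append(f"cross-domain redirect: {typed_host} -> {final_host} "
                        f"({typed_reg} vs {final_reg})")
    if urlparse(final_url).scheme != "https":
        findings.append("final page is not served over https")
    text = page_text.lower()
    # Flag 2: unsolicited request for personal / contact details.
    if any(p in text for p in DETAIL_PHRASES):
        findings.append("unsolicited request for personal/contact details")
    # Flag 3: "respond or lose access" pressure.
    if any(p in text for p in SUSPENSION_PHRASES):
        findings.append("threat of suspension for not responding")
    return findings


# Constructed sample page text reproducing the flow from the original post.
SAMPLE_TEXT = ("Please update your contact details. Halifax may contact you to "
               "confirm your online activity; if we do not get a response we may "
               "suspend your online account.")

if __name__ == "__main__":
    for flag in audit_login_flow("https://www.halifax.co.uk/",
                                 "https://www.halifax-online.co.uk/account",
                                 SAMPLE_TEXT):
        print("FLAG:", flag)
```

A bank can run the same check against its own redirect map before go-live: any hop whose registrable domain differs from the one printed on the customer's card should either be removed or be preceded by an interstitial on the original domain that names the destination, so that customers never learn that "the bank sometimes sends you somewhere else without saying so".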

Re: Banks training their users to become phishing victims.
Posted by: Matt Presson
Date: July 14, 2008 08:20PM

In my opinion this needs to be conveyed to your bank. I agree, this is very disconcerting.

-----------------------------------------------------------------------
(ú=(θ='',[µ=!(Φ=!θ+{})+θ,Θ=Φ[ø=+!θ]+Φ[+θ],ĩ=µ[ø],Ø=µ[º=ø+++ø],Ç=Φ[º+ø],à=ú[Φ[º+º]+Φ[+θ]+Ç+ĩ]][Ø+Ç+Θ])())[ĩ+à('•êí')](Ç+à('Á«)'))

Re: Banks training their users to become phishing victims.
Posted by: thrill
Date: July 14, 2008 09:59PM

I'd find an XSS and re-redirect the users to YOUR site for safer keeping.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Banks training their users to become phishing victims.
Posted by: Jeffuk
Date: July 15, 2008 02:25AM

Matt Presson Wrote:
-------------------------------------------------------
> In my opinion this needs to be conveyed to your
> bank. I agree, this is very disconcerting.
It will be, busy on data analysis today (Boooring....) but after I've got that out the way I'll start drafting an e-mail setting out the actual implications to the bank (and how it hits their pocket!)

Re: Banks training their users to become phishing victims.
Posted by: Matt Presson
Date: July 15, 2008 12:27PM

Be careful in how much "data analysis" you do unless it is purely research. There have been numerous accounts of people jailed for doing "data analysis" to help drive their point across only to be prosecuted before they told the company what they were doing.

-----------------------------------------------------------------------
(ú=(θ='',[µ=!(Φ=!θ+{})+θ,Θ=Φ[ø=+!θ]+Φ[+θ],ĩ=µ[ø],Ø=µ[º=ø+++ø],Ç=Φ[º+ø],à=ú[Φ[º+º]+Φ[+θ]+Ç+ĩ]][Ø+Ç+Θ])())[ĩ+à('•êí')](Ç+à('Á«)'))

Re: Banks training their users to become phishing victims.
Posted by: Jeffuk
Date: July 28, 2008 09:57AM

(trying) to go public.. will link if it gets published.

Jeff.

Re: Banks training their users to become phishing victims.
Posted by: id
Date: July 28, 2008 02:05PM

Let me know if you need any help.

-id

Re: Banks training their users to become phishing victims.
Posted by: rsnake
Date: August 03, 2008 10:10AM

That does really suck. I've seen some really dumb mistakes that banks make on a regular basis. This is way up there though. You're right to call it out and help them understand the ramifications.

- RSnake
Gotta love it. http://ha.ckers.org
