Ok, so I open up today’s spam mail folder and there at the top of the queue is a phishing email ‘from’ the NatWest Bank.
Clicking on the "log in" button takes you to a perfect replica of the NatWest site with a page for visitors to enter in their information to ‘verify’ their account.
The dead give away was the URL contained a non-NatWest looking domain. What caught my eye this time, was the fact that I recognised the website that had been hacked.
http://www.companyA.com/folder/folder/natwest.com
rather than
http://www.natwest.com
Rather than set up their own web server to ‘host’ the target bank web sites, one method the bad guys employ is to use a ‘hacked’ website.
In this case, the bad guys had obviously hacked their way into "Company A’s" web server (who being an innocent party here, will remain anonymous).
They then uploaded their imitation "NatWest" bank site to which they would direct users from within the phishing email.
In this case, the phishing website would email any data entered into the fake form back to a central account which would be read by the attackers.
At the time of opening this email this morning, it already being detected by several anti-phishing filters, so at least those users would have been protected. (Note: If you haven’t installed McAfee SiteAdvisor toolbar for Firefox or IE, then go do it now. It’s free and it works).
Out of interest and partly because I recognised the name of "Company A", I went to their ‘proper’ web pages and looked for a contact number.
I gave them a ring and asked if they did their web development in house to which they confirmed, so I asked to be put through to that department.
I then asked the guy who answered if he knew that their web server had been compromised and that a NatWest bank phishing site had been installed on their server.
Whilst denying that any such thing could ever happen because they have every protection under the sun installed on their servers, I gave him the URL to the fake NatWest site.
The silence was deafening.
Needless to say, the fake NatWest website was taken down right there and then, (in fact I wouldn’t be surprised if he pulled the damn plug out of the wall he sounded that panicked!, except it was being hosted on a server based in Germany run by a well known popular web hosting company)
My main point is, the email had been out there in the wild for at least 12 hours, delivered to millions if not 100’s of millions of email accounts.
It had already been reported by a significant number of users/visitors as a phishing web site, it already existed on multiple blacklists, yet no one had thought to actually ring the number of the ‘proper’ website and inform them.
Even the "whois" information on the main website had contact information.
The guy who had access to all the contact email addresses said they had received no reports whatsoever.
Doesn’t anyone remember how to use the phone these days?
One quick phone call.
5mins later, one less phishing website.
Now I know, this isn’t always as simple as this. But you’d like to think someone would at least try.
(Note: I would not recommend anyone clicking on links in Phishing or spam emails or in fact any link in any email that you don’t know who it came from or why. Some emails contain tracking codes to tell the ‘bad guys’ just who is clicking, and you could open yourself up to a barrage of spam/phishing mails by confirming someone exists at the end of the email address they sent. Not only that, but the web sites could also carry malware designed to infect your computer. So unless you know what you are doing, don’t ever click any spam or phishing emails no matter how curious you are!).
