More AIB Scams
WARNING: This blog contains some links to phishing sites.
I'm sure I was not the only person to wake up this morning to find this in my mailbox - a delightful little email informing me that my AIB account had been "temporarily limited".
As a concerned AIB customer I obviously have reason to worry when my account gets "temporarily limited" (whatever the hell that means). Needless to say the sender address accounts@aib.ie looks legitimate, but changing any field in an email (especially the From field) is child's play. Also, they specifically ask the victim not to reply to the mail (no need to let AIB know there is a new scam doing the rounds, after all). So let's take a look at the actual link I would need to click on to "resolve the problem":
http://zdesign.com/aibinternetbanking.aib.ie/login.htm
See what they did there? The real AIB hostname, aibinternetbanking.aib.ie, appears only as a directory name in the path; the site actually serving the page is zdesign.com. Clever, eh... no, not particularly.
Before we go and look at the dodgy domain, let's have a look at what the phishing site actually looks like. See if you can figure out which is the real page:
Pretty well done, isn't it? Needless to say, the fake is the one on the left (the one which does not warn you not to click on links in fraudulent emails). All of the images are loaded directly from AIB, and all of the links, with the exception of the Next button, also point to legitimate AIB pages. I'm not sure if AIB monitors for external sites linking to their internet banking images, but it would certainly be a useful tool for identifying these types of phishing sites.
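The hotlink monitoring suggested above, as an added example that is not from the original post: it scans web-server access-log lines in the common "combined" format and counts image requests whose Referer host is not an AIB host. The log lines, image paths and the `aib.ie` domain check are constructed for illustration and are not AIB's actual infrastructure.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" log format; the quoted Referer is the field we care about.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
IMAGE_EXTS = (".gif", ".png", ".jpg", ".jpeg")

def referer_host(url):
    """Hostname of a Referer URL, lower-cased ('' if absent or unparsable).
    urlsplit takes the host from the authority part only, so a bank-looking
    name buried in the *path* (as in the phishing URL above) does not count."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def is_own_host(host, own_domain="aib.ie"):
    """True for the bank's own domain and any of its subdomains (assumed domain)."""
    return host == own_domain or host.endswith("." + own_domain)

def find_hotlinking_referers(log_lines):
    """Map each foreign Referer host to the number of image requests it caused.
    Lines with no Referer ("-") are skipped: browsers omit it in many legitimate cases."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].lower().split("?", 1)[0].endswith(IMAGE_EXTS):
            continue
        host = referer_host(m["referer"])
        if host and not is_own_host(host):
            hits[host] = hits.get(host, 0) + 1
    return hits

# Constructed sample log lines (documentation-range IPs, invented paths and sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2009:08:12:01 +0100] "GET /images/logo.gif HTTP/1.1" 200 5120 "http://zdesign.com/aibinternetbanking.aib.ie/login.htm" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Apr/2009:08:12:02 +0100] "GET /images/logo.gif HTTP/1.1" 200 5120 "https://aibinternetbanking.aib.ie/login.htm" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Apr/2009:08:12:03 +0100] "GET /images/next.gif HTTP/1.1" 200 812 "http://zdesign.com/aibinternetbanking.aib.ie/login.htm" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Apr/2009:08:12:04 +0100] "GET /help.htm HTTP/1.1" 200 9000 "http://zdesign.com/aibinternetbanking.aib.ie/login.htm" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Apr/2009:08:12:05 +0100] "GET /images/logo.gif HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, n in find_hotlinking_referers(SAMPLE_LOG).items():
        print(f"{host}: {n} hotlinked image request(s)")
```

Only the two image fetches referred from zdesign.com are reported; the page fetch from the same referer and the referer-less request are ignored, as is the request from the bank's own subdomain.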
After a user enters their registration number, they are prompted for 3 digits of their PIN, as is normal procedure for AIB logins. However, instead of being logged into their account, they are then brought to a very non-AIB-looking page which asks for all sorts of information, including credit card details and the person's full PIN:
http://zdesign.com/aibinternetbanking.aib.ie/data.htm
Once you kindly provide the scammer with this information, you are informed that someone may ring you shortly to confirm your details and that you should have your code card ready, before being redirected to the real AIB site. As I did not bother entering any real data (and I assume the scammer would check whether my PIN worked before ringing me to grab all my code card details), I'm unsure if the attacker would actually follow up with a call.
So there you have it - a pretty standard phishing scam. Let's look at some details of the actual site used, however.
First of all, http://zdesign.com/ seems to be a legitimate design company; the Wayback Machine shows their site has existed since 1998. As such, it looks like their site was compromised and the phishing pages were uploaded to their webserver. The webserver is not exclusive to ZDesign; there are plenty of other companies running websites on it, so it is obviously a shared hosting server.
I had a look at some of the other companies to see if they had been compromised in a similar way, but none that I checked appeared to have been. What most likely happened in this case was that one of ZDesign's employees' machines became infected, that person had access to their webserver (probably FTP access), and the malware simply stole the credentials. These credentials would then have been sold in bulk (normally 10,000 at a time) to a separate criminal gang, who in turn sell compromised sites to a third, phishing gang. Ah, the joys of modern-day criminal malware writers.
Anyhow - if you see one of these emails, ignore it or, better yet, delete it. In the meantime I've contacted AIB, ZDesign and IRISS (Irish CERT). I've also blocked the URL for any Trend Micro customers.
Happy long weekend everyone :)
Labels: Hacked Sites, Phishing, Security