Permanent TSB Phishing scam.

dlofnep · 29-04-2011 3:21pm #1

Just a heads up, the following site which was registered today is being used to phish TSB account details.

http://www.update-open24.org

Just by the other domains registered to the server, I'd say it's being used for an awful amount of dodgy activity. Make sure to stay well clear of the above site, or your details will be stolen.

h57xiucj2z946q · 29-04-2011 3:53pm

Might be interesting to take a snoop around on their site.

h57xiucj2z946q · 29-04-2011 5:25pm

Reported it here:

http://www.google.com/safebrowsing/report_phish

h57xiucj2z946q · 29-04-2011 5:37pm

Firefox blocks it now.

dlofnep · 29-04-2011 5:49pm

Google Chrome too. Thanks

h57xiucj2z946q · 29-04-2011 5:49pm

Wheheh

Edit: that log contained a link to possible real accounts, although most look fake.

First IP's to open the accounts file are probably the owners. I should really report the access.log and accounts file to garda.

dlofnep · 29-04-2011 5:53pm

Send PM

This server has HEAPS of scam-websites. Is there anything we could do to report by ip address rather than a domain?

h57xiucj2z946q · 29-04-2011 5:57pm

They got some peoples details, im gonna pass these onto TSB and Garda.

dlofnep · 29-04-2011 6:05pm

Good man. Did you get it through SQLi? I was going to have a poke myself but too busy today.

h57xiucj2z946q · 29-04-2011 6:17pm

Nope I will explain soon, they are pretty silly to be honest.

Their site is 503 now anyway. Also you can get the IP of the person reading the accounts file over and over!

h57xiucj2z946q · 29-04-2011 6:34pm

I sent off the logs to the garda and tsb, just waiting for a reply now.

Redshift · 29-04-2011 6:41pm

Liana Swift Goalie wrote: »

I sent off the logs to the garda and tsb, just waiting for a reply now.

Good Man Damo, Seriously good job there:)

h57xiucj2z946q · 29-04-2011 6:44pm

There was about 25 accounts logged, only about 10 of them were legit data, the rest were swear words about people who realised it was a scam.

dlofnep · 29-04-2011 6:45pm

Damo the hero!

h57xiucj2z946q · 29-04-2011 6:45pm

Should I email everyone who had data stole, or leave it up to the guardi/tsb now?

dlofnep · 29-04-2011 6:47pm

Liana Swift Goalie wrote: »

Should I email everyone who had data stole, or leave it up to the guardi/tsb now?

Sent out a friendly e-mail, just incase. It was one of my friends who was conned that highlighted the site to me. Tell them to contact their local bank, and that they might possibly have to cancel their card.

Redshift · 29-04-2011 7:40pm

Liana Swift Goalie wrote: »

Should I email everyone who had data stole, or leave it up to the guardi/tsb now?

If it was me i'd appreciate an email, just make sure they don't think it was you that set up the site.

h57xiucj2z946q · 29-04-2011 7:45pm

Redshift wrote: »

If it was me i'd appreciate an email, just make sure they don't think it was you that set up the site.

Sent of a mail, one bounced back. That site seems to be flushed from DNS tables now.

h57xiucj2z946q · 29-04-2011 7:54pm

Was hosted on a Yahoo server in California. Bank detail log files were been accessed from IP in Scottsdale, AZ, an online store (possibly also compromised)

Speaking of Scottsdale, I spent a day in Old Town, Scottsdale, AZ in March. Pretty nice place.

h57xiucj2z946q · 30-04-2011 2:10pm

No email reply from anyone yet.

They had a lot of the OS directories sym-linked in their web root for some reason, most apache user didn't have permission to read, however /logs and /tmp were viewable.

Their apache access.log was in /logs. This log file gave away the location of the files they were storing peoples data in as they kept accessing them over and over again and you could see their GET requests (and IP

). These files were also accessible over www.

mike65 · 30-04-2011 2:25pm

Opera says fraud site.

jimbooth · 10-05-2011 1:32pm

just to add to this, I got a text message today from "open24" saying my account has been suspended and to log onto "www.open24-update.org"
have notified the tsb but these guys are getting more up to date very quickly.
Also How did they get my number? and know I was a tsb customer??

h57xiucj2z946q · 10-05-2011 1:57pm

jimbooth wrote: »

just to add to this, I got a text message today from "open24" saying my account has been suspended and to log onto "www.open24-update.org"
have notified the tsb but these guys are getting more up to date very quickly.
Also How did they get my number? and know I was a tsb customer??

They reversed the domain, last time it was

"www.update-open24.org"

Exact same dumb websign before I see! Logs and everything publically viewable.

h57xiucj2z946q · 10-05-2011 2:12pm

Reported to: http://www.google.com/safebrowsing/report_phish/

dlofnep · 10-05-2011 3:08pm

Good man Damo

dlofnep · 10-05-2011 3:08pm

Looks like the site is taken down.

Redshift · 18-05-2011 12:22am

Aib This time.
http://www.aib-personal.org

Edit, Sent Logs and Data file to Gardai and AIB - hope they look at their email, as before lots of duds and bad language but some of it looks real :0/

dlofnep · 18-05-2011 1:02am

Saw that - I sent on the logs and data to AIB also today.

motorbikemania · 22-06-2011 3:46pm

got a text from 086 3652358 today suggesting i use www.permanenttsb-updates.org ...... just to let y'all know!

KoolKid · 22-06-2011 4:02pm

Filled that in with all false info. They couldn't even be bothered putting a correct redirect on at the end.

h57xiucj2z946q · 22-06-2011 4:06pm

Same guys

/logs
/tmp
/online/ilu1.txt
/online/ilu2.txt

again.

Permanent TSB Phishing scam.

Comments