Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Permanent TSB Phishing scam.

  • 29-04-2011 2:21pm
    #1
    Closed Accounts Posts: 20,759 ✭✭✭✭


    Just a heads up, the following site which was registered today is being used to phish TSB account details.

    http://www.update-open24.org

    Just by the other domains registered to the server, I'd say it's being used for an awful amount of dodgy activity. Make sure to stay well clear of the above site, or your details will be stolen.


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Might be interesting to take a snoop around on their site.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q




  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Firefox blocks it now.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Google Chrome too. Thanks :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Wheheh

    Edit: that log contained a link to possible real accounts, although most look fake.

    First IP's to open the accounts file are probably the owners. I should really report the access.log and accounts file to garda.


  • Advertisement
  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Send PM :)

    This server has HEAPS of scam-websites. Is there anything we could do to report by ip address rather than a domain?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    They got some peoples details, im gonna pass these onto TSB and Garda.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Good man. Did you get it through SQLi? I was going to have a poke myself but too busy today.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Nope I will explain soon, they are pretty silly to be honest.

    Their site is 503 now anyway. Also you can get the IP of the person reading the accounts file over and over!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I sent off the logs to the garda and tsb, just waiting for a reply now.


  • Advertisement
  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    I sent off the logs to the garda and tsb, just waiting for a reply now.

    Good Man Damo, Seriously good job there:)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    There was about 25 accounts logged, only about 10 of them were legit data, the rest were swear words about people who realised it was a scam.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Damo the hero!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Should I email everyone who had data stole, or leave it up to the guardi/tsb now?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Should I email everyone who had data stole, or leave it up to the guardi/tsb now?

    Sent out a friendly e-mail, just incase. It was one of my friends who was conned that highlighted the site to me. Tell them to contact their local bank, and that they might possibly have to cancel their card.


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    Should I email everyone who had data stole, or leave it up to the guardi/tsb now?

    If it was me i'd appreciate an email, just make sure they don't think it was you that set up the site.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Redshift wrote: »
    If it was me i'd appreciate an email, just make sure they don't think it was you that set up the site.


    Sent of a mail, one bounced back. That site seems to be flushed from DNS tables now.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Was hosted on a Yahoo server in California. Bank detail log files were been accessed from IP in Scottsdale, AZ, an online store (possibly also compromised)

    Speaking of Scottsdale, I spent a day in Old Town, Scottsdale, AZ in March. Pretty nice place.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    No email reply from anyone yet.

    They had a lot of the OS directories sym-linked in their web root for some reason, most apache user didn't have permission to read, however /logs and /tmp were viewable.

    Their apache access.log was in /logs. This log file gave away the location of the files they were storing peoples data in as they kept accessing them over and over again and you could see their GET requests (and IP :D). These files were also accessible over www.


  • Closed Accounts Posts: 88,972 ✭✭✭✭mike65


    Opera says fraud site.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 335 ✭✭jimbooth


    just to add to this, I got a text message today from "open24" saying my account has been suspended and to log onto "www.open24-update.org"
    have notified the tsb but these guys are getting more up to date very quickly.
    Also How did they get my number? and know I was a tsb customer??:confused:


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    jimbooth wrote: »
    just to add to this, I got a text message today from "open24" saying my account has been suspended and to log onto "www.open24-update.org"
    have notified the tsb but these guys are getting more up to date very quickly.
    Also How did they get my number? and know I was a tsb customer??:confused:


    They reversed the domain, last time it was

    "www.update-open24.org"

    Exact same dumb websign before I see! Logs and everything publically viewable.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q




  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Good man Damo :)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Looks like the site is taken down.


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    Aib This time.
    http://www.aib-personal.org

    Edit, Sent Logs and Data file to Gardai and AIB - hope they look at their email, as before lots of duds and bad language but some of it looks real :0/


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Saw that - I sent on the logs and data to AIB also today.


  • Closed Accounts Posts: 10 motorbikemania


    got a text from 086 3652358 today suggesting i use www.permanenttsb-updates.org ...... just to let y'all know!


  • Moderators, Home & Garden Moderators, Technology & Internet Moderators Posts: 24,789 Mod ✭✭✭✭KoolKid


    Filled that in with all false info. They couldn't even be bothered putting a correct redirect on at the end.


  • Advertisement
  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Same guys

    /logs
    /tmp
    /online/ilu1.txt
    /online/ilu2.txt

    again.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    OpenDNS has it blocked as Phishing


  • Registered Users, Registered Users 2 Posts: 245 ✭✭SoulRock


    Received a txt from open24 update the other day, im with AIB and was suspicious straight away, havent gone to the site to have a look as am wary of it.. has this been investigated yet by the Gardai? should i inform AIB cant believe they have my mobile number, how could this have happened, should i change all my AIB interent banking details now.. :( i deleted the txt message by accident, i wanted to keep it as evidence.. to late now..


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    What's the link?


  • Registered Users, Registered Users 2 Posts: 245 ✭✭SoulRock


    i deleted the txt by accident but it was something like this
    http://www.update-open24.org
    the txt told me to go there and update my login details for internet banking..


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Yes, it's a scam.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 9,175 ✭✭✭Doge


    Good work Damo and Redshift on the previous scams.

    I would just like to know how are you sending the info to the Gardaí for future reference?

    By e-mail, or over the phone or both?

    And how responsive do you find them?

    Thanks.


Advertisement