Phishing scam targeting NatWest, Royal Bank of Scotland customers
February 23, 2014
I intercepted an email phishing scam today, targeting The Royal Bank of Scotland customers. It uses the abbreviation NatWest as the sender name and in logos on the page. NatWest stands for National Westminster Bank.
Analysis
The sender (From) claims to be: "NatWest Credit Card"
The subject is: Dear (They insert your email address here) Credit Card Online Services
The body text begins with:
Notice
Dear (your email address)
Your access to NatWest Credit Card Online Services is locked out..Because of that, our security team had to suspend your account.
Please use the link below to unlock.:
The link in the message I received was on a compromised website named: sullivankitchen.com. The fraudsters have created a new folder, or folders, on that website and are using a single index file under /administrator/mobile to forward victims to another file (start.php) on the same website, which is the actual location of the phishing page.
The phishing page has logos and other images and links stolen from the NatWest Royal Bank Of Scotland website. The bank has obviously failed to apply hotlink protection to its images, so the phishing page embeds them directly from the bank's own servers, some from https locations. Example: https://cardservices.natwest.com/RBSG_Consumer/images/NatWest_alert.png
NB: In the footer, at the bottom of the page, is an out-of-date copyright notice, as follows: © 2005-2009 National Westminster Bank plc. This should raise your antennas, as it is now 2014!
The landing page with all the stolen logos and links has a form field requesting the victim's username, followed by two dead "forgotten your username" and "forgotten your password" links. Below that is a Login button. This button is also stolen (hotlinked) from the natwest.com website! Inputting any name into the username field, then clicking the Login button takes you to a file named: nw-logon.php, where you are asked to input your banking credentials, as follows:
Internet PIN (4 digits)*
Internet Password*
Email Address*
Email Password*
If you do this, then click on the button labeled Next, your banking username and password, along with your email address and password are sent to the cybercriminals behind this banking fraud. You are then forwarded to the actual NatWest bank website, to fool you into thinking nothing bad has happened. However, it doesn't take a genius to notice the pink-purple box on the upper right, asking you to log in. This is the it's-too-late giveaway that your account login has been successfully stolen, via a phishing scam.
With your NatWest credentials they can empty your bank account in minutes, plus take control of the email address you provided and use it to send spam and scam messages to your contacts list, if any exists.
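As an added example (not code from the original post), here is a small Python checker that flags the three giveaways this analysis points out on a captured page: brand images hotlinked from a host that is not the bank's, a copyright footer years out of date, and one form asking for a banking PIN and an email password together. The sample HTML and its field names are constructed to mirror the nw-logon.php page described above; the brand host list is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the brand legitimately serves its own assets from (assumed list, extend as needed).
BRAND_HOSTS = {"natwest.com", "rbs.co.uk"}
REVIEW_YEAR = 2014  # the year the page was examined

def is_brand_host(host):
    return any(host == b or host.endswith("." + b) for b in BRAND_HOSTS)

class PageSignals(HTMLParser):
    """Collects image hosts, input field names and visible text from an HTML page."""
    def __init__(self):
        super().__init__()
        self.img_hosts, self.fields, self.text = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.img_hosts.append((urlparse(a["src"]).hostname or "").lower())
        elif tag == "input":
            self.fields.append((a.get("name") or "").lower())
    def handle_data(self, data):
        self.text.append(data)

def phish_signals(html, page_host):
    """Return the heuristics the page trips; an empty list means none fired."""
    p = PageSignals()
    p.feed(html)
    hits = []
    # 1. A non-brand host embedding the brand's own images (the hotlinking seen above).
    if not is_brand_host(page_host) and any(is_brand_host(h) for h in p.img_hosts):
        hits.append("hotlinks brand images from a non-brand host")
    # 2. A copyright footer whose latest year is well behind the review year.
    years = [int(y) for y in re.findall(r"©\s*(?:\d{4}\s*-\s*)?(\d{4})", " ".join(p.text))]
    if years and max(years) < REVIEW_YEAR - 1:
        hits.append("stale copyright year %d" % max(years))
    # 3. One form asking for a banking PIN and an email password together.
    asks_pin = any("pin" in f for f in p.fields)
    asks_mail_pw = any("email" in f and ("pass" in f or "pwd" in f) for f in p.fields)
    if asks_pin and asks_mail_pw:
        hits.append("requests banking PIN and email password on one form")
    return hits

# Constructed sample modelled on the nw-logon.php page described above (field names are assumed).
SAMPLE_PHISH = """<html><body>
<img src="https://cardservices.natwest.com/RBSG_Consumer/images/NatWest_alert.png">
<form action="nw-logon.php" method="post">
 <input name="internet_pin" maxlength="4"> <input name="internet_password" type="password">
 <input name="email_address"> <input name="email_password" type="password">
</form><p>&copy; 2005-2009 National Westminster Bank plc</p></body></html>"""
```

Running `phish_signals(SAMPLE_PHISH, "sullivankitchen.com")` trips all three heuristics; the same HTML served from a natwest.com host would still trip the last two.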
I don't know who is behind this phishing scam. But, I have traced an interesting IP address almost hidden among the various headers. It is a Ukrainian mail server (mail.paton.kiev.ua), at 91.212.177.7, listed as belonging to: AS49306 ONGOZA Ltd., Ukraine, Kyiv, Yaroslaviv Val, 36-38. Their CIDR is 91.212.177.0/24, which I am adding to my Russian Blocklist.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.