Hsbc Safeguard Account Update – Phishing

Phishing Scam

Another Banking phish. This time HSBC. What makes this “slightly” more believable is the url the phishing email leads to http://hsbc-verify.org.uk/   which is a very plausible web address and easily mistaken for a genuine HSBC address. Luckily they didn’t bother to add a SSl certificate, but if they had done and the web address started with HTTPS: then more victims would be likely to fall for this scam.

There are several different subjects in this phishing campaign that I have seen so far :

  • HSBC Safeguard
  • Account Update
  • Account Verification
  • Update
  • Action Required

All the senders are random and coming via botnets not the email address listed in the email. So in this example, not only is the HSBC team spoofed but the @wwl.nhs.uk is also spoofed.

From: HSBC Team <15138105252@wwl.nhs.uk>

Date: Tue 14/02/2017 08:22

Subject:  HSBC Safeguard

Body content:

 

Privacy & Security
Date:14/02/2017
HSBC Safeguard
 

Action Required
HSBC Safeguard is a collection of measures taken to safeguard your hard-earned savings and savings from online and financial fraud. To accomplish this, we need to ensure that the record we have about you is correct and up to date. We’ll use this information to protect you, and ourselves, from financial crime. We take our obligation to protect your data very seriously. All the information you provide will be subject to HSBC Group’s data and security standards to ensure its protection. Please click on “Update” button below to start your updating procedure. Update Please note, your online and card services will remain blocked until you complete the process. Thank you, HSBC
HSBC Bank plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. It is listed with the registration number 114216. HSBC Bank plc is a company incorporated under the laws of England and Wales with company registration number 14259 and its registered office at 8 Canada Square, London E14 5HQ. HSBC Bank plc’s registered VAT Number is GB 365684514. © HSBC Bank plc 2017

Screenshot:

Email Headers:

Received: from [113.163.85.143] (port=63650 helo=113.163.85.143)
by knight.knighthosting.co.uk with smtp (Exim 4.88)
(envelope-from <15138105252@wwl.nhs.uk>)
id 1cdYV5-0001fN-6o
for gillings.herved@thespykiller.co.uk; Tue, 14 Feb 2017 08:30:16 +0000
Received: from unknown (HELO gyyi4q) ([107.59.121.62])
by 113.163.85.143 with ESMTP; Tue, 14 Feb 2017 15:34:41 +0700
Message-ID: <001701d2869c$8e938b60$6b3b793e@WINDOWS0PCDEJAgyyi4q>
From: “HSBC Team” <15138105252@wwl.nhs.uk>
To: <gillings.herved@thespykiller.co.uk>
Subject: HSBC Safeguard

IP Hostname City Region Country Organisation
113.163.85.143  dynamic.vdc.vn Hanoi Thanh Pho Ha Noi VN AS45899 VNPT Corp
107.59.121.62  107-59-121-62.pools.spcsdns.net US
Note: Only the final IP address outside of your network in the Received: fields can be trusted as others can be spoofed

 

The link goes to  http://hsbc-verify.org.uk/  where you see a webpage like this, which leads to a typical set of  phishing pages asking for all your bank, credit card and personal details, so they can empty your bank and credit card accounts and take over your identity completely.

Once again the registrars are not taking enough precautions and allowing dodgy domain names to be registered to non existent  people. It clearly shows a not acceptable registrant, so why was the domain registered at all. If there are incomplete or obviously false details then registrations should not be automatic, but held in a queue and manually examined and accepted or rejected

Address lookup

canonical name hsbc-verify.org.uk.
aliases
addresses 91.218.247.93

Domain Whois record

Queried whois.nic.uk with “hsbc-verify.org.uk“…

Domain name:
        hsbc-verify.org.uk

    Registrant:
        Not Acceptable

    Registrant type:
        Unknown

    Registrant's address:
        IJweg 9
        Nieuw Vennep
        Noord-Holland
        2152 ND
        Netherlands

    Data validation:
        Nominet was not able to match the registrant's name and/or address against a 3rd party source on 13-Feb-2017

    Registrar:
        PDR Ltd. d/b/a PublicDomainRegistry.com t/a PublicDomainRegistry.com [Tag = PDR-IN]
        URL: http://www.publicdomainregistry.com

    Relevant dates:
        Registered on: 13-Feb-2017
        Expiry date:  13-Feb-2018
        Last updated:  13-Feb-2017

    Registration status:
        Registered until expiry date.

    Name servers:
        ns1.steeldns.com
        ns2.steeldns.com

    WHOIS lookup made at 08:57:21 14-Feb-2017