HSBC Safeguard Account Update – phishing
Another banking phish, this time HSBC. What makes this “slightly” more believable is the URL the phishing email leads to, http://hsbc-verify.org.uk/, which is a very plausible web address and easily mistaken for a genuine HSBC address. Luckily they didn’t bother to add an SSL certificate; if they had, and the web address started with HTTPS, more victims would be likely to fall for this scam.
There are several different subjects in this phishing campaign that I have seen so far:
- HSBC Safeguard
- Account Update
- Account Verification
- Update
- Action Required
All the senders are random and the emails come via botnets, not from the email address listed in the email. So in this example, not only is the HSBC team spoofed, but the @wwl.nhs.uk address is also spoofed.
From: HSBC Team <15138105252@wwl.nhs.uk>
Date: Tue 14/02/2017 08:22
Subject: HSBC Safeguard
Body content:
Privacy & Security
Date:14/02/2017 HSBC Safeguard
Action Required
HSBC Safeguard is a collection of measures taken to safeguard your hard-earned savings and savings from online and financial fraud. To accomplish this, we need to ensure that the record we have about you is correct and up to date. We’ll use this information to protect you, and ourselves, from financial crime. We take our obligation to protect your data very seriously. All the information you provide will be subject to HSBC Group’s data and security standards to ensure its protection.
Please click on “Update” button below to start your updating procedure.
Update
Please note, your online and card services will remain blocked until you complete the process.
Thank you, HSBC
HSBC Bank plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. It is listed with the registration number 114216. HSBC Bank plc is a company incorporated under the laws of England and Wales with company registration number 14259 and its registered office at 8 Canada Square, London E14 5HQ. HSBC Bank plc’s registered VAT Number is GB 365684514. © HSBC Bank plc 2017
Screenshot:
Email Headers:
Received: from [113.163.85.143] (port=63650 helo=113.163.85.143)
by knight.knighthosting.co.uk with smtp (Exim 4.88)
(envelope-from <15138105252@wwl.nhs.uk>)
id 1cdYV5-0001fN-6o
for gillings.herved@thespykiller.co.uk; Tue, 14 Feb 2017 08:30:16 +0000
Received: from unknown (HELO gyyi4q) ([107.59.121.62])
by 113.163.85.143 with ESMTP; Tue, 14 Feb 2017 15:34:41 +0700
Message-ID: <001701d2869c$8e938b60$6b3b793e@WINDOWS0PCDEJAgyyi4q>
From: “HSBC Team” <15138105252@wwl.nhs.uk>
To: <gillings.herved@thespykiller.co.uk>
Subject: HSBC Safeguard
IP | Hostname | City | Region | Country | Organisation |
---|---|---|---|---|---|
113.163.85.143 | dynamic.vdc.vn | Hanoi | Thanh Pho Ha Noi | VN | AS45899 VNPT Corp |
107.59.121.62 | 107-59-121-62.pools.spcsdns.net | | | US | |
The link goes to http://hsbc-verify.org.uk/ where you see a webpage like this, which leads to a typical set of phishing pages asking for all your bank, credit card and personal details, so they can empty your bank and credit card accounts and take over your identity completely.
Once again the registrars are not taking enough precautions and are allowing dodgy domain names to be registered to non-existent people. The WHOIS record clearly shows a “Not Acceptable” registrant, so why was the domain registered at all? If there are incomplete or obviously false details, then registrations should not be automatic, but held in a queue and manually examined and accepted or rejected.
Address lookup
canonical name | hsbc-verify.org.uk. |
aliases | |
addresses | 91.218.247.93 |
Domain Whois record
Queried whois.nic.uk with “hsbc-verify.org.uk”…

Domain name: hsbc-verify.org.uk
Registrant: Not Acceptable
Registrant type: Unknown
Registrant's address: IJweg 9 Nieuw Vennep Noord-Holland 2152 ND Netherlands
Data validation: Nominet was not able to match the registrant's name and/or address against a 3rd party source on 13-Feb-2017
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com t/a PublicDomainRegistry.com [Tag = PDR-IN]
URL: http://www.publicdomainregistry.com
Relevant dates:
Registered on: 13-Feb-2017
Expiry date: 13-Feb-2018
Last updated: 13-Feb-2017
Registration status: Registered until expiry date.
Name servers: ns1.steeldns.com ns2.steeldns.com
WHOIS lookup made at 08:57:21 14-Feb-2017
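The indicators in the WHOIS record above (brand name on a non-HSBC domain, registration the day before the email, a registrant Nominet could not validate) can be checked automatically when triaging a reported link. The following is an added example, not part of the original post; the `BRAND_DOMAINS` allow-list, the 30-day threshold and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed input: fields copied from the WHOIS record quoted on this page.
WHOIS_TEXT = """\
Domain name: hsbc-verify.org.uk
Registrant: Not Acceptable
Data validation: Nominet was not able to match the registrant's name and/or address against a 3rd party source on 13-Feb-2017
Registered on: 13-Feb-2017
"""

# Assumptions: allow-list of the brand's real domains and the age threshold.
BRAND_DOMAINS = {"hsbc": ("hsbc.co.uk", "hsbc.com")}
MAX_NEW_DOMAIN_DAYS = 30


def parse_whois(text):
    """Return {field: value} from 'Field: value' lines (split on first colon)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def triage(host, whois_text, email_date):
    """Return sorted indicator codes for a link host; the URL scheme is ignored on purpose."""
    host = host.lower().rstrip(".")
    who = parse_whois(whois_text)
    findings = set()

    # 1. Brand name used as a label or hyphen-separated token on a foreign domain.
    tokens = set(re.split(r"[.\-]", host))
    for brand, real in BRAND_DOMAINS.items():
        owned = any(host == d or host.endswith("." + d) for d in real)
        if brand in tokens and not owned:
            findings.add("brand-on-foreign-domain")

    # 2. Domain registered shortly before the email was sent.
    if "registered on" in who:
        registered = datetime.strptime(who["registered on"], "%d-%b-%Y").date()
        if 0 <= (email_date - registered).days <= MAX_NEW_DOMAIN_DAYS:
            findings.add("newly-registered")

    # 3. Registry could not validate the registrant.
    unmatched = "not able to match" in who.get("data validation", "")
    if unmatched or who.get("registrant", "").lower() == "not acceptable":
        findings.add("registrant-unvalidated")
    return sorted(findings)
```

Because HTTPS is not treated as a signal, the result would be the same had the site carried a certificate.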
Reported to phishtank.com, Google Safe Browsing, PublicDomainRegistry.com
Thanks. The more times it is reported the better. I haven’t seen an aggressive phishing campaign like this one for a long time. I think they are testing one of the bot networks to prepare it for a big malware campaign.