Phishing, funny stuff

Recently I got yet another phishing email that invited me to do something urgently with my RBC account.

[Image: phishing-rbc1]

Oh, nice! I have to install a security certificate in order to continue using RBC online banking. Too complex to be true, right? I checked the attachment and it was not a security certificate as promised. Actually it was an HTML file that simply redirects a victim to a phishing site.

Nothing special, a phishing page was hosted at some Norwegian porno-site. Apparently it was hacked and phishing pages/scripts were injected. What was actually interesting – the hacker forgot to disable directory view and all files were visible. Surprisingly there was a “.htaccess” file. I opened it and enjoyed a long list of IP addresses with funny comments:

[Image: phishing-rbc2]

It indicates that the hacker has a pretty long list of “offenders” – security companies, ad bots, crawlers, etc. Unfortunately the owner of the legitimate site quickly found out about (or another party informed them about) the injected phishing pages and deleted all of them, so I did not have a chance to dig further.
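
For a site owner, an unexpected ".htaccess" carrying a long address blocklist is a sign of this kind of injection. The added example below (not from the original post) scans a web root for such files; it assumes Apache's "Deny from" / "Require not ip" syntax, and the threshold, function names and sample content are constructed for illustration.

```python
import os
import re

# Apache 2.2 "Deny from <addr>..." and Apache 2.4 "Require not ip <addr>..." (assumed syntax)
DENY_RE = re.compile(r"^(?:deny\s+from|require\s+not\s+ip)\s+(.+)$", re.I)
# Full or partial IPv4 with optional mask, or an IPv6-like token; skips "all", env=, hostnames
ADDR_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){0,3}\.?(?:/[\d.]+)?|[0-9a-f:]*:[0-9a-f:]*(?:/\d{1,3})?", re.I)

def audit_htaccess(text, threshold=5):
    """Return (suspicious, blocked_addresses, comment_labels) for one .htaccess body."""
    blocked, labels = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            label = stripped.lstrip("#").strip()
            if label:
                labels.append(label)  # comments often name who is being blocked
            continue
        m = DENY_RE.match(stripped)
        if m:  # one directive may list several addresses or prefixes
            blocked.extend(t for t in m.group(1).split() if ADDR_RE.fullmatch(t))
    return len(blocked) >= threshold, blocked, labels

def scan_webroot(root, threshold=5):
    """Walk a web root and return {path: (blocked_count, labels)} for suspicious files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                suspicious, blocked, labels = audit_htaccess(fh.read(), threshold)
            if suspicious:
                hits[path] = (len(blocked), labels)
    return hits

# Constructed sample using documentation-only address ranges, not the file from the post
SAMPLE = """\
# google bots
deny from 192.0.2.10
deny from 192.0.2.0/24
# antivirus vendors
Deny from 198.51.100.7 198.51.100.8
# phishing trackers
deny from 203.0.113
Require not ip 203.0.113.200
"""

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE))
```

A hit is a lead for review, not proof: compare flagged files against what the site's own deployment is supposed to contain.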
