Do not login to A&L this morning - HACKED 19 April 2011 at 6:16AM edited 19 April 2011 at 8:01AM in Budgeting & Bank Accounts 61 replies 11.8K views

somethingcorporate

WUM anyone?

ashleypride

mattcodes wrote: »

Update: Ive had a response back from Santander PR team that they are investigating the issue.

Thanks for letting us know. I don't quite understand why anybody would called you a spammer.

mattcodes

If anyone wants to follow the trail take the javascript link from line 7 of A&L login page, load it and paste it into jsbeautifier, this will reveal the second js file, paste that into jsbeautifier and you'll see something clearly malicious. Im sorry its not being reported yet. ?

I think Santander/Abbey might be a different system but Santander/A&L is definitely affected

WUM anyone?

Sorry nothing to gain from this. My account is with A&L and I dont want to see people at loss with this, in addition I dont want it covered up neither. If im a blagger you'll know for sure later today

mr_fishbulb

mattcodes wrote: »

If anyone wants to follow the trail take the javascript link from line 7 of A&L login page, load it and paste it into jsbeautifier, this will reveal the second js file, paste that into jsbeautifier and you'll see something clearly malicious. Im sorry its not being reported yet. ?

I think Santander/Abbey might be a different system but Santander/A&L is definitely affected

Yes, all these different institutions listed in the code suggest something is afoot (and for once it's not my manhood!):

http:\':\'V:\',x=\'allianceleicester\',k=\'18557\',l=\'v4.0\',m=\'ak\',n=Q,o=\'&U3=bankofamerica.7&U1=yahoo.7&U13=ebanking.W.7.hk/1/2/logon&U4=.abbeynational.9.E/EBAN_ENS/&U5=banking.firstdirect.7&U6=discovercard.7/cardmembersvcs/achome/homepage&U7=citibank&U9=.americanexpress.7/myca/acctsumm/us/&U2+U8=X.wellsfargo.7/das/Y-bin/session.Y&U12=halifax-X.9.E&U18=wachovia.7&Uo=banquepopulaire.fr/&U16=..de/Z/Z/&U11=.pncs.7.au/806015v47/&U21=ulsterbankanytimebanking./10.aspx&U15=ruralvia.7/10&U10=santander.cl/transa/segmentos/welcome.asp&U20=npbs.9.E&U14=coventrybuildingsociety.9.E&U17=.W.9.E/1/2/personal/&Uz21=/cmserver/verify.cfm&U19=.mybank.alliance-leicester

ashleypride

mattcodes wrote: »

If anyone wants to follow the trail take the javascript link from line 7 of A&L login page

I was looknig at the wrong site, but yes it's still there and certainly looks nefarious.

glider3560

I believe advanced-web-analytics.com is something to do with that Rapport software

mr_fishbulb

glider3560 wrote: »

I believe advanced-web-analytics.com is something to do with that Rapport software

But what is polycache.com?

ashleypride

mr_fishbulb wrote: »

But what is polycache.com?

That is the question, from what I can tell A&L do usally have the https://www.advanced-web-analytics.com/18557/splash.js code. So if anything has been comprised it is this server.

cains1

Is this right? I can see advancedwebanalytcis in the RBS page as well?

mattcodes

Here's what I've just been told.

While I am not able to go in to specifics regarding the activity, it appears the code was placed there willingly by the bank. Due to a misconfiguration these errors occurred. I was informed that the misconfiguration should be resolved and everything should be all set.

Even if advanced-web-analytics is legit. I can't see the how polycache is legit. On some of the nodes it presents a cert for gate-logic.com, is hosted in a Linode VPS, is registered anonymously etc.. Ive saved copies of code to see what changes when they fix it.