
Do not login to A&L this morning - HACKED


Comments

  • WUM anyone?
    Thinking critically since 1996....
  • ashleypride
    ashleypride Posts: 657 Forumite
    Part of the Furniture 500 Posts Combo Breaker
    mattcodes wrote: »
    Update: I've had a response back from Santander PR team that they are investigating the issue.

    Thanks for letting us know. I don't quite understand why anybody would call you a spammer.
  • mattcodes
    mattcodes Posts: 19 Forumite
    edited 19 April 2011 at 9:10AM
    If anyone wants to follow the trail, take the JavaScript link from line 7 of the A&L login page, load it and paste it into jsbeautifier; this will reveal the second JS file. Paste that into jsbeautifier and you'll see something clearly malicious. I'm sorry it's not being reported yet.

    I think Santander/Abbey might be a different system but Santander/A&L is definitely affected
    WUM anyone?

    Sorry, nothing to gain from this. My account is with A&L and I don't want to see people at a loss with this; in addition I don't want it covered up neither. If I'm a blagger you'll know for sure later today.
  • mr_fishbulb
    mr_fishbulb Posts: 5,224 Forumite
    Part of the Furniture Combo Breaker
    mattcodes wrote: »
    If anyone wants to follow the trail, take the JavaScript link from line 7 of the A&L login page, load it and paste it into jsbeautifier; this will reveal the second JS file. Paste that into jsbeautifier and you'll see something clearly malicious. I'm sorry it's not being reported yet.

    I think Santander/Abbey might be a different system but Santander/A&L is definitely affected

    Yes, all these different institutions listed in the code suggest something is afoot (and for once it's not my manhood!):
    http:\':\'V:\',x=\'allianceleicester\',k=\'18557\',l=\'v4.0\',m=\'ak\',n=Q,o=\'&U3=bankofamerica.7&U1=yahoo.7&U13=ebanking.W.7.hk/1/2/logon&U4=.abbeynational.9.E/EBAN_ENS/&U5=banking.firstdirect.7&U6=discovercard.7/cardmembersvcs/achome/homepage&U7=citibank&U9=.americanexpress.7/myca/acctsumm/us/&U2+U8=X.wellsfargo.7/das/Y-bin/session.Y&U12=halifax-X.9.E&U18=wachovia.7&Uo=banquepopulaire.fr/&U16=..de/Z/Z/&U11=.pncs.7.au/806015v47/&U21=ulsterbankanytimebanking./10.aspx&U15=ruralvia.7/10&U10=santander.cl/transa/segmentos/welcome.asp&U20=npbs.9.E&U14=coventrybuildingsociety.9.E&U17=.W.9.E/1/2/personal/&Uz21=/cmserver/verify.cfm&U19=.mybank.alliance-leicester
    
  • ashleypride
    ashleypride Posts: 657 Forumite
    Part of the Furniture 500 Posts Combo Breaker
    mattcodes wrote: »
    If anyone wants to follow the trail take the javascript link from line 7 of A&L login page

    I was looking at the wrong site, but yes it's still there and certainly looks nefarious.
  • glider3560
    glider3560 Posts: 4,115 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    I believe advanced-web-analytics.com is something to do with that Rapport software
  • mr_fishbulb
    mr_fishbulb Posts: 5,224 Forumite
    Part of the Furniture Combo Breaker
    glider3560 wrote: »
    I believe advanced-web-analytics.com is something to do with that Rapport software
    But what is polycache.com?
  • ashleypride
    ashleypride Posts: 657 Forumite
    Part of the Furniture 500 Posts Combo Breaker
    But what is polycache.com?

    That is the question. From what I can tell, A&L do usually have the https://www.advanced-web-analytics.com/18557/splash.js code. So if anything has been compromised it is this server.
  • Is this right? I can see advancedwebanalytics in the RBS page as well?
  • mattcodes
    mattcodes Posts: 19 Forumite
    Here's what I've just been told.

    While I am not able to go in to specifics regarding the activity, it appears the code was placed there willingly by the bank. Due to a misconfiguration these errors occurred. I was informed that the misconfiguration should be resolved and everything should be all set.
    Even if advanced-web-analytics is legit, I can't see how polycache is legit. On some of the nodes it presents a cert for gate-logic.com, is hosted in a Linode VPS, is registered anonymously etc. I've saved copies of code to see what changes when they fix it.
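
Added example, not part of the original thread or any poster's code: a small Node.js audit that follows a page's script-loading chain, as the posts above do by hand, and flags any script served from a host outside an expected allowlist. The hosts, URLs, function names and sample bodies are constructed placeholders, and the saved-copy lookup stands in for files a reviewer has downloaded.

```javascript
// Constructed sample data: hypothetical hosts, not the real pages or scripts from the thread.
const SAMPLE = {
  "https://bank.example/login":
    '<html><head>\n<script src="/static/app.js"></script>\n' +
    '<script src="https://analytics.example/splash.js"></script>\n</head></html>',
  "https://bank.example/static/app.js": "console.log('ui');",
  // First-stage script that writes a second script tag, the pattern described in the thread.
  "https://analytics.example/splash.js":
    "document.write('<script src=\"https://cache.example/stage2.js\"><\\/script>');",
  "https://cache.example/stage2.js": "/* second stage body */",
};

// Pull every script src out of HTML or script text and resolve it against the loader's URL.
function findScriptUrls(body, baseUrl) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  for (const m of body.matchAll(re)) {
    try { urls.push(new URL(m[1], baseUrl).href); } catch (_) { /* skip unparsable src */ }
  }
  return urls;
}

// Walk the load chain breadth-first; getBody(url) returns saved text or undefined.
function auditScriptChain(startUrl, getBody, allowedHosts) {
  const seen = new Set([startUrl]);
  const queue = [{ url: startUrl, depth: 0 }];
  const findings = [];
  while (queue.length > 0) {
    const { url, depth } = queue.shift();
    for (const next of findScriptUrls(getBody(url) || "", url)) {
      if (seen.has(next)) continue; // guards against scripts that load each other
      seen.add(next);
      const host = new URL(next).hostname;
      findings.push({ url: next, host, loadedBy: url, depth: depth + 1,
                      allowed: allowedHosts.has(host) });
      queue.push({ url: next, depth: depth + 1 });
    }
  }
  return findings;
}

// Hosts the site owner expects to serve script on the login page (assumption for the sample).
const ALLOWED = new Set(["bank.example", "analytics.example"]);
const report = auditScriptChain("https://bank.example/login", (u) => SAMPLE[u], ALLOWED);
for (const f of report) {
  console.log(`${f.allowed ? "ok  " : "FLAG"} depth=${f.depth} ${f.url} <- ${f.loadedBy}`);
}
```

The flagged entry records which script pulled it in, which is the detail that separates a compromised third-party loader from a change to the page itself.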



This discussion has been closed.