AnonGhost hackers deface a fake bank site


"We are watching you / Don't close your eyes," the hacking group AnonGhost wrote on a site with a URL that really, really looks like the domain for a big UK bank.

The message would be scary if the hackers had actually managed to take over the site for Yorkshire Bank - what one assumes was their intended target - but they did nothing of the kind.

What they hacked instead was a site that's registered to James Edward of Puchong, Malaysia, with a domain that was created in 2011. Pre-defacement, it showed pages that were imperfectly copied from another bank site, featuring out-of-date news stories from 2011.

In other words, the hackers picked on a fake bank site.

How do we know they really wanted to hack the bank site? Mostly, because of all the gloating going on out there regarding the defacement of, and I quote, "Yorkshire Bank, one of the largest United Kingdom bank" [sic].

Security researcher Dr Richard Clayton, in a post on the Cambridge University Computer Laboratory's Light Blue Touchpaper blog, pulled up both the defaced domain for this bogus bank site - ominous message about watching us, glassy zombie-blue eyeball image and all - as well as cached pages of the site from its pre-defacement days.

Clayton writes that it's best not to visit the defaced site, even if you want to see an animated version, given the potential for it being boobytrapped with malware.

But you can get an idea of how AnonGhost got confused by comparing the bogus bank site's URL, http://ybs-bank.com/, to that of a completely-unrelated-to-banking-whatsoever site, http://www.ybs.co.uk/, and then looking at the actual URL they were presumably after, which would be http://www.ybonline.co.uk/.

These are the businesses for which each URL is registered:

  1. http://www.ybonline.co.uk/ - This is the site for "Yorkshire Bank," which is a trading name of Clydesdale Bank plc, a subsidiary of the National Australia Bank Group of companies. Yorkshire Bank joined the Group in 1990. Clicking through on Monday afternoon showed that this banking site was undefaced, pink-cheeked and feeling fine.
  2. http://www.ybs.co.uk - This is the URL for "The Yorkshire", aka YBS, aka the "Yorkshire Building Society", which is a member of the Building Societies Association. Clayton says it's not, in fact, a bank, but it looks very bank-like to me. At any rate, the site as of Monday afternoon lacked zombie eyeballs. Indeed, it looked both healthy and bank-like, with a smorgasbord of offerings such as mortgages, savings and financial advice.
  3. http://ybs-bank.com/ - This is the currently zombie-eyeball-we're-watching-you version of the Malaysia-based site that was previously showing fake bank pages.

Did AnonGhost just misspell the URL?

Well, probably not. Clayton says that as it turns out, the ybs-bank Malaysian site also has non-defaced pages that claim it's the website for "Yorkshire Bank", which, it says, is a trading name of Yorkshire Banking Society PLC, a member of the National Australia Bank Group.

It's easy to see how AnonGhost would think they hacked either "Yorkshire Bank" or "Yorkshire Building Society".

The bungled hack didn't result in any compromised bank account details, given that the site, well, didn't belong to a bank.

But the case does point to a problem that Clayton and Tyler Moore just published a paper about: namely, what happens to banking domains after the banks merge or fail.

He writes:

"The answers aren't too pretty when the bank releases them, and there is certainly scope for criminals to do some impersonation. So in the paper we recommend that the regulator (FDIC is the relevant regulator for the US banks we looked at) step in and ensure that domain names are not let go when they could still, in the wrong hands, pose a danger to the public."

That backs up what Naked Security found when looking at typosquatting and what happens when we mistype a website name.

As Paul Ducklin said when he wrote up the typosquatting report, there's plenty of risk if you take a wrong turn and wind up on some murky, misspelled domain, whether you're talking about malware, bait and switch, hacking, phishing, online fraud or spamming.


2 Responses to AnonGhost hackers deface a fake bank site

  1. Just to say, Yorkshire Building Society is not technically a bank, although they offer services like them. In the UK "Banks" and "Building Societies" are legally distinct. A bank is owned by shareholders (or maybe privately owned) while a building society is a mutual, owned by its customers.

  2. Lee Church · 228 days ago

    Of course there may be a reason for the hackers to choose that site.

    If they were doing a hack or operation that the fake site was muscling in on in some way, (even making stolen credit cards from that bank less valuable would qualify) one might understand that it's not necessarily an 'epic fail'. Basically, "hey, you are ruining my 'scam'!" kind of thing. One sees this when one bad actor undermines another quite often. Why they did so often is clear, but other times it remains a mystery.

    So it's either stupid, or brilliant. I'm not clear on which at this point.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.