“We are watching you / Don’t close your eyes,” the hacking group AnonGhost wrote on a site with a URL that really, really looks like the domain for a big UK bank.
The message would be scary if the hackers had actually managed to take over the site for Yorkshire Bank – what one assumes was their intended target – but they did nothing of the kind.
What they hacked instead was a site that’s registered to James Edward of Puchong, Malaysia, with a domain that was created in 2011. Pre-defacement, it showed pages that were imperfectly copied from another bank site, featuring out-of-date news stories from 2011.
In other words, the hackers picked on a fake bank site.
How do we know they really wanted to hack the bank site? Mostly, because of all the gloating going on out there regarding the defacement of, and I quote, “Yorkshire Bank, one of the largest United Kingdom bank” [sic].
Security researcher Dr Richard Clayton, in a post on the Cambridge University Computer Laboratory’s Light Blue Touchpaper blog, pulled up both the defaced domain for this bogus bank site – ominous message about watching us, glassy zombie-blue eyeball image and all – as well as cached pages of the site from its pre-defacement days.
Clayton writes that it’s best not to visit the defaced site, even if you want to see an animated version, given the potential for it being boobytrapped with malware.
But you can get an idea of how AnonGhost got confused by comparing the bogus bank site’s URL, http://ybs-bank.com/, to that of a completely-unrelated-to-banking-whatsoever site, http://www.ybs.co.uk/, and then looking at the actual URL they were presumably after, which would be http://www.ybonline.co.uk/.
These are the businesses for which each URL is registered:
- http://www.ybonline.co.uk/ This is the site for “Yorkshire Bank,” which is a trading name of Clydesdale Bank plc, a subsidiary of the National Australia Bank Group of companies. Yorkshire Bank joined the Group in 1990. Clicking through on Monday afternoon showed that this banking site was undefaced, pink-cheeked and feeling fine.
- http://www.ybs.co.uk This is the URL for “The Yorkshire”, aka YBS, aka the “Yorkshire Building Society”, which is a member of the Building Societies Association. Clayton says it’s not, in fact, a bank, but it looks very bank-like to me. At any rate, the site as of Monday afternoon lacked zombie eyeballs. Indeed, it looked both healthy and bank-like, with a smorgasbord of offerings such as mortgages, savings and financial advice.
- http://ybs-bank.com/ This is the currently zombie-eyeball-we’re-watching-you version of the Malaysia-based site that was previously showing fake bank pages.
Did AnonGhost just misspell the URL?
Well, probably not. Clayton says that as it turns out, the ybs-bank Malaysian site also has non-defaced pages that claim it’s the website for “Yorkshire Bank”, which, it says, is a trading name of Yorkshire Banking Society PLC, a member of the National Australia Bank Group.
It’s easy to see how AnonGhost would think they hacked either “Yorkshire Bank” or “Yorkshire Building Society”.
The bungled hack didn’t result in any compromised bank account details, given that the site, well, didn’t belong to a bank.
But the case does point to a problem that Clayton and Tyler Moore just published a paper about: namely, what happens to banking domains after the banks merge or fail.
The answers aren't too pretty when the bank releases them, and there is certainly scope for criminals to do some impersonation. So in the paper we recommend that the regulator (FDIC is the relevant regulator for the US banks we looked at) step in and ensure that domain names are not let go when they could still, in the wrong hands, pose a danger to the public.
That backs up what Naked Security found when looking at typosquatting and what happens when we mistype a website name.
As Paul Ducklin said when he wrote up the typosquatting report, there’s plenty of risk if you take a wrong turn and wind up on some murky, misspelled domain, whether you’re talking about malware, bait and switch, hacking, phishing, online fraud or spamming.