SURL Analyzer – to Believe or not

Today I will be presenting a case which had me baffled. To make sure that SURL Analyzer is not reporting any false positives, I had to put in some extra effort.

SURL Analyzer was created to detect phishing websites, and since it does not rely on a URL database, it becomes all the more imperative to test its viability in real-world scenarios.

A few blogs ago, I had spoken about a phishing attempt on a Brazilian banking website. The two websites were identical twins except for the erring ‘e’ in the phishing website.

Before going ahead with the questionable site, let me share some of the sites which ask for the credentials of Santander’s banking users. Some of the URLs have been procured from PhishTank’s ever-expanding database of phishing websites.

http://www.phishtank.com/phish_detail.php?phish_id=1588605

Santander's Phishing Page - phish_id=1588605

Yet Another site related to Santander

Site asking for credentials related to Santander's Banking account

One may ask what exactly is common between these two snapshots:

1: Asking for username

2: Phishing email Warning

3: Santander Logo

The only thing different is the URL.

URL 1: hxxp://www[.]fungamingworld[.]com/includes/homepage/newabbey/abbey/retail.santander[.]co[.]uk[.]php

URL 2: hxxp://www[.]gibnjara[.]co[.]rs/language/pdf_fonts/retail[.]santander[.]co[.]uk[.]php

Here is the screenshot of yet another URL.

Site asking for credentials belonging to Santander's banking users

URL: https://www[.]mybusinessbank[.]co[.]uk/cs70_banking/logon/slogon

Found any difference in the content of all three websites? Even I didn’t find any difference, save and except the use of https in the third URL.

SURL Analyzer detected all three URLs as phishing, and this is where I hit the roadblock: out of the three sites, only one is a genuine website.

Before arriving at any conclusion, remember to read my blog post about fraudulent SSL certificates.

Keeping all these points in mind, the first two sites were immediately flagged as phishing. However, I was at my wits’ end as to how mybusiness.co.uk could be a banking website for Santander.

I did a quick Google search and found users talking about mybusiness.co.uk, but this wasn’t conclusive proof, until I stumbled upon this link.

This is the only place where Santander speaks about mybusiness.co.uk being a legitimate site for their online banking operations, and it was found by searching Google. Searching on Santander’s official website is nothing less than a nightmare. The login interface on the original Santander website just does not point to mybusiness.co.uk.

So the conclusion is that SURL Analyzer had failed to recognise mybusiness.co.uk as a legitimate website, which any anti-phishing expert who doesn’t know about Santander would immediately flag as phishing. This example gave me a different perspective on phishing websites and has helped me immensely in modifying the algorithm of SURL Analyzer, which has been strengthened further to handle websites that require OSINT to be verified.
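As an added example (not SURL Analyzer’s own code), here is a small lexical classifier that reproduces the verdicts above on the three URLs and shows how an OSINT-backed allowlist corrects the third one. The brand tokens, login words, scoring weights and the allowlist are all assumptions made for this example.

```python
from urllib.parse import urlparse

# Brand tokens watched for in the path, and a hypothetical allowlist of
# registrable domains confirmed by manual OSINT (as the post did by search).
BRAND_TOKENS = ("santander", "abbey")
VERIFIED_HOSTS = {"santander.co.uk", "mybusinessbank.co.uk"}
LOGIN_WORDS = ("logon", "login", "signin", "retail")

# The three URLs from the post, in the same defanged form.
URL_1 = "hxxp://www[.]fungamingworld[.]com/includes/homepage/newabbey/abbey/retail.santander[.]co[.]uk[.]php"
URL_2 = "hxxp://www[.]gibnjara[.]co[.]rs/language/pdf_fonts/retail[.]santander[.]co[.]uk[.]php"
URL_3 = "https://www[.]mybusinessbank[.]co[.]uk/cs70_banking/logon/slogon"

def refang(url):
    """Undo the hxxp / [.] defanging so urlparse can read the URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def registrable_domain(host):
    """Crude registrable-domain guess that knows a few two-label suffixes
    such as co.uk or co.rs; a real tool would use the Public Suffix List."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "org", "gov", "ac"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def lexical_score(url):
    """Purely lexical phishing score: 2 for a bank brand in the path of an
    unrelated domain, 1 each for a login word in the path and 'bank' in the host."""
    p = urlparse(refang(url))
    host, path = (p.hostname or "").lower(), p.path.lower()
    domain = registrable_domain(host)
    score = 0
    if any(t in path for t in BRAND_TOKENS) and not any(t in domain for t in BRAND_TOKENS):
        score += 2
    if any(w in path for w in LOGIN_WORDS):
        score += 1
    if "bank" in host:
        score += 1
    return score

def classify(url, verified=VERIFIED_HOSTS, threshold=2):
    """Lexical verdict first; the OSINT allowlist overrides it, which is the
    kind of fix the post describes for the mybusinessbank.co.uk false positive."""
    domain = registrable_domain(urlparse(refang(url)).hostname or "")
    if domain in verified:
        return "legitimate"
    return "phishing" if lexical_score(url) >= threshold else "undecided"
```

With an empty allowlist the third URL scores 2 (long host containing “bank” plus a login word) and is classified exactly like the two real phishing pages, which is the false positive the post describes.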

I have seen many banking websites, but for the first time I have come across a banking website which looks like a very, very bad phishing attempt. In fact, because the domain mybusiness.co.uk is lengthy, the URL itself can be spoofed, fooling not only desktop/laptop users but also smartphone users. A simple Google query for the domain mybusines.co.uk (one ‘s’ has been removed) will reveal a lot of fraud messages.

With domains like mybusiness.co.uk being used to serve a legitimate purpose, phishing is very easy.

Last but not least, this website is a login site for “Alliance & Leicester Commercial Bank”, a part of the Santander group.

My advice to the banks is:

1: Use short domains.

2: Maintain consistency in the usage of domain-names.
