This morning, I received an SMS message stating that my account had been locked and asking me to log in to verify it via a given link (http://activation-hsbc.com/cgi).
I inspected the "login" page and found that it redirects you to your real local HSBC Personal eBanking login page. However, your credentials would be logged by JavaScript, and you would be redirected to the Deep Web (or Dark Web), where all of your real eBanking transaction sessions would be hijacked.
The phishing domain was registered yesterday, and the registration data show that it is from Russia (which may be fake). The IP address of the server is 185.151.245.43; the URL http://185.151.245.43/cgi shows the same content.
I think that it may be a global HSBC phishing website. Beware!
That's all! See you.
(Update) Four hours after reporting it, I got the following confirmation email from HSBC:
Dear Customer
Thank you for your e-mail of 17 July regarding an SMS you received
claiming to be from HSBC.
We confirm that the SMS in question is NOT a genuine HSBC message. We have
reported this matter to our relevant department for their attention and
necessary action.
To safeguard your interests, please do not reply or click the link
inside the SMS. Please delete the SMS immediately.
Thank you once again for taking the time to bring your concern to our
attention. We are pleased to be of service.
Yours faithfully
Cxxxxxxa Wong
Senior Customer Support Officer
Retail Banking and Wealth Management
The Hongkong and Shanghai Banking Corporation Limited
Monday, July 17, 2017
Friday, July 07, 2017
[Full Disclosure] TopLeader Is Vulnerable To SQL Injection
Recently, a new local TV advertisement caught my eye. It is for a job-hunting website, namely TopLeader.
As an information security guy, I was curious to see how secure the website is. I therefore conducted a very quick and simple test on it. It was just a reconnaissance procedure; I did not hack it.
The site stores employer, customer and agency information; however, the site is not served over HTTPS by default. Meanwhile, its TLS/SSL configuration offers weak cipher suites, such as TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA.
Although the site sets a Cross-Site Scripting (XSS) protection header, it does not send any other security headers. Therefore, the site may be exposed to Man-In-The-Middle (MITM) attacks.
In addition, many URLs of the site are vulnerable to blind SQL injection (SQLi), which carries the risk that the data will be leaked to the public by attackers.
The webmaster was informed of the above findings via the website's "Contact Us" form on June 30, 2017. However, I did not get any reply after 7 days. I decided on public disclosure in order to warn employers and customers not to trust this site, as it leaks information.
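As an added illustration (not code from this post or from TopLeader), here is the defect behind a blind SQL injection finding beside its fix, run against a constructed in-memory SQLite job table: the vulnerable search concatenates the user's keyword into the SQL text, while the safe version binds it as a parameter, so a tautology probe returns every row from one and nothing from the other.

```python
import sqlite3

# Constructed sample rows standing in for a job-listing table (not TopLeader's schema).
SAMPLE_JOBS = [
    (1, "Security Engineer", "Central"),
    (2, "Data Analyst", "Kowloon"),
    (3, "Recruitment Agent", "Tsim Sha Tsui"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT, district TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?, ?)", SAMPLE_JOBS)
    return conn


def search_jobs_vulnerable(conn: sqlite3.Connection, keyword: str) -> list:
    """The defect: user input is pasted into the SQL text, so the input can
    rewrite the WHERE clause (the pattern behind boolean-based blind SQLi)."""
    sql = "SELECT id, title FROM jobs WHERE title LIKE '%" + keyword + "%'"
    return conn.execute(sql).fetchall()


def search_jobs_safe(conn: sqlite3.Connection, keyword: str) -> list:
    """The fix: the value travels as a bound parameter, so the database
    treats it purely as data and never as part of the statement."""
    sql = "SELECT id, title FROM jobs WHERE title LIKE ?"
    return conn.execute(sql, ("%" + keyword + "%",)).fetchall()


def demo() -> dict:
    """Run both versions on a normal keyword and on a tautology probe of the
    kind a scanner sends to detect blind injection; compare the row counts."""
    conn = make_db()
    normal = "Engineer"
    probe = "zzz' OR 1=1 --"  # constructed: forces WHERE to be true when concatenated
    return {
        "vuln_normal": len(search_jobs_vulnerable(conn, normal)),
        "safe_normal": len(search_jobs_safe(conn, normal)),
        "vuln_probe": len(search_jobs_vulnerable(conn, probe)),
        "safe_probe": len(search_jobs_safe(conn, probe)),
    }


if __name__ == "__main__":
    print(demo())
```

The differing row counts for the probe are exactly the true/false signal a blind SQLi scanner looks for; with the parameterised query that signal disappears.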
Disclosure Timeline
2017-06-30 - A message was sent to the webmaster about the above findings via the website.
2017-07-07 - No reply received from the webmaster, so public disclosure.
2017-07-12 - The SQL injection is fixed, but the other issues are not yet fixed. Information stored before 2017-07-12 may already have been leaked to the public.
That's all! See you.