Monday, July 17, 2017

[Warning] HSBC Phishing Website

This morning, I received an SMS message which stated that my account had been locked and asked me to log in and verify it via a given link (http://activation-hsbc.com/cgi).

I inspected the "login" page and found that it would redirect you to your real local HSBC Personal eBanking login page. However, your credentials would first be logged by JavaScript, and you would then be redirected to the Deep Web (or Dark Web), where all your real eBanking transaction sessions would be hijacked.

The phishing domain was registered yesterday, and the registration data show that it is from Russia (which may be fake). The IP address of the server is 185.151.245.43. The URL http://185.151.245.43/cgi shows the same content.

I think that it may be a global HSBC phishing website. Beware!

That's all! See you.


(Update) Four hours after reporting it, I got the following confirmation email from HSBC:

Dear Customer

Thank you for your e-mail of 17 July regarding an SMS you received claiming to be from HSBC.

We confirm that the SMS in question is NOT a genuine HSBC message. We have reported this matter to our relevant department for their attention and necessary action.

To safeguard your interests, please do not reply or click the link inside the SMS. Please delete the SMS immediately.

Thank you once again for taking the time to bring your concern to our attention. We are pleased to be of service.

Yours faithfully


Cxxxxxxa Wong
Senior Customer Support Officer
Retail Banking and Wealth Management

The Hongkong and Shanghai Banking Corporation Limited


Friday, July 07, 2017

[Full Disclosure] TopLeader Is Vulnerable To SQL Injection

Recently, a new local TV advertisement caught my eye. It is for a job-hunting website, namely TopLeader.

As an information security guy, I was curious to see how secure the website is, so I conducted a very quick and simple test on it. It was just a reconnaissance procedure; I did not hack it.

The site stores employer, customer and agency information; however, it does not use HTTPS by default. Moreover, its TLS/SSL configuration offers weak cipher suites, such as TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA.

Although the site sets a Cross-Site Scripting (XSS) protection header, it has no other security headers. Together with the lack of HTTPS by default, this leaves the site open to Man-In-The-Middle (MITM) attacks.
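The two findings above (a missing set of security headers and weak 3DES cipher suites) are the kind of thing a defender checks with a small audit script. The following is an added example, not code from the original post or from the TopLeader site: it parses a captured HTTP response for the usual browser security headers and flags cipher suites by well-known weakness markers (3DES is flagged because of its 64-bit block size, static RSA key exchange because it provides no forward secrecy). The response text and the cipher list are constructed sample data; the three 3DES suites are the ones named in the post.

```python
"""Added example (not from the original post): audit a captured HTTP response
for missing security headers and a TLS cipher-suite list for weak suites.
The response text and the cipher list below are constructed sample data."""

# Security headers a browser-facing site is expected to send (lower-cased).
EXPECTED_SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "x-xss-protection",
)

# Substrings of IANA cipher-suite names that indicate a weak suite, with the reason.
WEAK_CIPHER_MARKERS = {
    "3DES": "64-bit block cipher (Sweet32 birthday attacks)",
    "RC4": "broken stream cipher",
    "NULL": "no encryption",
    "EXPORT": "export-grade key sizes",
    "_MD5": "MD5-based MAC",
    "ANON": "anonymous key exchange, no server authentication",
}

# Constructed sample response: only the XSS header is present, as in the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: example\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: JSESSIONID=constructed-value; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample list of suites offered by a server.
SAMPLE_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a dict.
    Names are lower-cased; repeated headers are joined with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def missing_security_headers(headers: dict) -> list:
    """Return the expected security headers that the response does not set."""
    return [h for h in EXPECTED_SECURITY_HEADERS if h not in headers]


def insecure_cookies(headers: dict) -> list:
    """Return Set-Cookie values that lack the Secure or HttpOnly attribute."""
    raw = headers.get("set-cookie", "")
    if not raw:
        return []
    attrs = raw.lower()
    return [raw] if "secure" not in attrs or "httponly" not in attrs else []


def weak_cipher_suites(suites) -> dict:
    """Map each weak suite name to the list of reasons it was flagged."""
    findings = {}
    for suite in suites:
        upper = suite.upper()
        reasons = [why for marker, why in WEAK_CIPHER_MARKERS.items() if marker in upper]
        if upper.startswith("TLS_RSA_WITH_"):
            reasons.append("static RSA key exchange, no forward secrecy")
        if reasons:
            findings[suite] = reasons
    return findings


def audit(raw_response: str, suites) -> dict:
    """Combine the three checks into one report."""
    headers = parse_response_headers(raw_response)
    return {
        "missing_headers": missing_security_headers(headers),
        "insecure_cookies": insecure_cookies(headers),
        "weak_ciphers": weak_cipher_suites(suites),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSE, SAMPLE_CIPHERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the response would come from the site under review and the cipher list from a TLS scanner; the logic is the same. A site that passes this check still needs HTTPS by default, since Strict-Transport-Security only takes effect once the browser has seen it over a secure connection.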

In addition, many URLs of the site are vulnerable to blind SQL injection (SQLi), which carries the risk that stored data will be extracted and leaked to the public by attackers.
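The defect behind this class of finding is a query built by string concatenation, and the fix is a parameterized query. The following is an added example, not code from the original post or from the TopLeader site: an in-memory SQLite table of constructed job-listing rows, a vulnerable search function beside its hardened counterpart, and a comparison that shows a tautology in the keyword field changing the result set of the vulnerable query while the parameterized one treats the same input as plain text. In a blind injection the attacker sees only such differences in the response rather than query output, which is why the weakness is hard to spot from the page alone and why the post treats it as an information-leakage risk.

```python
"""Added example (not from the original post): SQL injection in a job search,
shown on an in-memory SQLite table of constructed rows, with the vulnerable
string-built query beside the parameterized fix."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a constructed jobs table; one row is deliberately unpublished."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE jobs (
            id INTEGER PRIMARY KEY,
            title TEXT NOT NULL,
            company TEXT NOT NULL,
            published INTEGER NOT NULL
        );
        INSERT INTO jobs (title, company, published) VALUES
            ('Security Engineer', 'Constructed Co', 1),
            ('Data Analyst', 'Sample Ltd', 1),
            ('Unpublished Draft', 'Hidden Inc', 0);
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, keyword: str) -> list:
    """Vulnerable: the keyword is spliced into the SQL text, so a quote in the
    input closes the string literal and the rest is parsed as SQL."""
    sql = (
        "SELECT title FROM jobs WHERE published = 1 "
        f"AND title LIKE '%{keyword}%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, keyword: str) -> list:
    """Hardened: the SQL text is fixed and the keyword travels as a bound
    parameter, so quotes and comment markers in it are just characters."""
    sql = "SELECT title FROM jobs WHERE published = 1 AND title LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (f"%{keyword}%",))]


def compare(keyword: str) -> dict:
    """Run both implementations on the same input and return their results."""
    conn = make_db()
    try:
        return {
            "vulnerable": search_vulnerable(conn, keyword),
            "safe": search_safe(conn, keyword),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary keyword behaves the same in both implementations.
    print(compare("Security"))
    # A tautology closes the literal and comments out the rest of the query;
    # only the vulnerable version changes its result set.
    print(compare("' OR 1=1 --"))
```

The `published = 1` filter standing in for the site's access control is what the vulnerable version loses: rows the application never meant to expose come back once the WHERE clause is rewritten from the input. Parameterizing every query is the fix; a database account limited to the tables and operations the application actually needs contains the damage if one query is missed.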

The webmaster or site officials were informed of the above findings via the website's "Contact Us" form on June 30, 2017. However, I did not receive any reply after 7 days. I therefore decided on public disclosure in order to warn employers and customers not to trust this site, as it is prone to information leakage.

Disclosure Timeline

2017-06-30 - A message was sent to the webmaster or officials about the above findings via the website.
2017-07-07 - No reply received from the webmaster or officials; public disclosure.
2017-07-12 - The SQL injection is fixed, but the other issues are not yet fixed. Information stored before 2017-07-12 may already have been leaked to the public.

That's all! See you.