Phishing with the Halifax
On Wednesday, my mother, who unfortunately banks with the Halifax, phoned me with a concern that she'd just been scammed. In a moment of distraction, she'd clicked on a link in an e-mail claiming to be from the Halifax, taking her to a previously unknown website, advertising a new service ... and typed in her login details as prompted. She changed her password fairly promptly and informed the appropriate people at the Halifax. Logging in again, she was relieved to discover that no unexpected transactions had occurred. She's safe.
What follows is a long tale of complete and utter idiocy on the part of the Halifax, told in e-mail form. I've blanked some names out in the interests of corporate responsibility being more at issue than personal responsibility.
The original e-mail, HTML crud removed (the important component is that it contained a corporate image linking to "www.halifaxsharepricealert.com"):
From: Halifax Share Dealing <sharebuilder@halifax.co.uk>
Subject: Halifax Share Price Alert
Date: Wed, 14 Sep 2005 15:17:44 UT
To: erased@ntlworld.com
Dear erased
As a Halifax Share Dealing customer, we don't need to tell you that
share prices go down as well as up. But thanks to our new Share Price
Alert service, it's now easier than ever to keep track of market
fluctuations.
This innovative new service brings your favourite five shares straight
to your desktop throughout the day. So, we take the work out of
monitoring those share prices for you.
Regards
Halifax Share Dealing
Simply download the online share tool onto your desktop and choose up
to five shares from the FTSE 100 you'd like to keep track of. You can
then choose when you'd like to be updated from the following times -
9.30am, 12.30pm, 3.30pm and when the stock market closes.
At these times, a message will pop up directly on your screen at work
or at home, displaying the prices of the shares you've chosen. You no
longer have to work at monitoring your share prices because it's done
for you.
Why not tell a friend or colleague about the new Share Price Alert
service from Halifax Share Dealing.
Simply download the share tool now and keep track of your shares
throughout the day.
A number of bogus e-mails are currently circulating in the UK
encouraging customers to visit fraudulent websites where personal or
Internet security details are requested. Halifax would never send
e-mails that ask for confidential or personal security information and
it is very important that you do not reply to these e-mails or click on
any links within them. Please read our security section for help and
more information.
If you would prefer not to receive further messages from us, please
click the above link and title your e-mail "REMOVE". You will receive
one further e-mail confirming your removal from our database.
I phoned the same department that my mother had phoned, and they assured me that it was a scam, as we first heard about this new service by a link in an e-mail. Now, to action.
My initial abuse report
Date: Wed, 14 Sep 2005 21:09:45 +0100
From: Richard Thrippleton <ret28@cam.ac.uk>
To: abuse@dxi.net
Subject: Presumably compromised server and phishing site hosted on 212.95.229.239
A recent phishing e-mail purporting to be from the Halifax building society
brought the site "www.halifaxsharepricealert.com" to my attention; consulting
with Halifax reveals this to be fake, so I've taken it upon myself to send this
abuse report (as I'm not entirely convinced they'll act quickly). You'll note
that www.halifaxsharepricealert.com resolves to an address on your network,
212.95.229.239.
(further evidence is in the very dubious looking whois record for that domain)
Hope this helps,
Richard
Their surprising reply
From: Andy Condliffe <andy.condliffe@dxi.net>
To: 'Richard Thrippleton' <ret28@cam.ac.uk>
Cc: Keith Foster <keith.foster@dxi.net>, Robin Johnson <rob.johnson@dxi.net>
Subject: RE: Presumably compromised server and phishing site hosted on 212.95.229.239
Date: Thu, 15 Sep 2005 08:17:08 +0100
Richard,
The site belongs to Skinkers who specialise in providing alerts for
companies (BBC, The stock exchange and the Halifax). I would think this
is a legitimate site but will double check with them.
If you're interested Skinkers are at www.skinkers.com.
Andy
I replied, thinking this was the end of it
Date: Thu, 15 Sep 2005 10:57:23 +0100
From: 'Richard Thrippleton' <ret28@cam.ac.uk>
To: Andy Condliffe <andy.condliffe@dxi.net>
Subject: Re: Presumably compromised server and phishing site hosted on 212.95.229.239
On Thu, Sep 15, 2005 at 08:17:08AM +0100, Andy Condliffe wrote:
> Richard,
>
> The site belongs to Skinkers who specialise in providing alerts for
> companies (BBC, The stock exchange and the Halifax). I would think this
> is a legitimate site but will double check with them.
Aah ... I'm thinking that some people at Halifax are failing to talk to other
people in their company then. I was assured that it was a scam site upon
phoning their security hotline and giving them details!
It's a relief anyway.
Thanks,
Richard
Looks like they BCC-ed to the right people
Subject: RE: Presumably compromised server and phishing site hosted on 212.95.229.239
Date: Fri, 16 Sep 2005 16:01:25 +0100
From: erased@halifax.co.uk
To: ret28@cam.ac.uk
Dear Mr Thrippleton,
On Wednesday we sent you an e-mail advertising our new service, the Halifax
Share Price Alert, and I understand that you called our security team to clarify
if the e-mail was genuine.
Unfortunately the member of staff who you spoke with was not aware of this new
service and informed you that the site wasn't genuine. Please accept my apologies
as this information was incorrect.
I can assure you this is a genuine service and you can find a direct link to the
application from the Halifax web site at: http://www.halifax.co.uk/sharedealing/home.shtml
and we also have a flash based advert on our home page at present.
I would like to assure you that this incident is not indicative of our usual high standard
of customer service and the incident has been raised with the department concerned.
Please accept my apologies again for any inconvenience or confusion and for taking the time
to report what you thought was a phishing scam. If you would like to discuss this further
please do not hesitate to contact us.
Yours sincerely
erased
Customer Relations
Halifax Share Dealing Ltd
SLAP
Date: Sat, 17 Sep 2005 17:35:32 +0100
From: Richard Thrippleton <ret28@cam.ac.uk>
To: erased@halifax.co.uk
Subject: Re: Presumably compromised server and phishing site hosted on 212.95.229.239
On Fri, Sep 16, 2005 at 04:01:25PM +0100, LeighHealey@halifax.co.uk wrote:
> Dear Mr Thrippleton,
>
> On Wednesday we sent you an e-mail advertising our new service, the Halifax
> Share Price Alert, and I understand that you called our security team to
> clarify if the e-mail was genuine.
>
> Unfortunately the member of staff who you spoke with was not aware of this
> new service and informed you that the site wasn't genuine. Please accept my
> apologies as this information was incorrect.
I'm not sure I can find fault with the member of staff I spoke with,
considering your security policy on
https://www.halifax-online.co.uk/help/public/umhelpengine.asp?ra=*&bid=82&hid=294,
specifically "1. DO NOT access any links within the e-mail". The site linked
to in the e-mail was one we were not previously aware of; the *only* website
that I have been told to trust is halifax-online.co.uk, by a trustworthy medium
(i.e. in person at the branch with a leaflet, I seem to recall). With your new
policy of e-mailing out links to previously unknown websites asking for
authentication details, you are either
(a) Undermining its credibility (as in this case).
or
(b) Training your customers to violate your own security policy regarding
unsolicited e-mails, and opening them up to future scam attacks.
I think that based on what we knew at the time, the member of staff I contacted
was entirely sensible to inform me that it was a scam, and the full blame
should in fact lie with the department which contradicted your security
policies with this e-mail run.
Richard
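The check Richard applied by hand (does the linked host belong to a domain the bank told me to trust through some channel other than e-mail?) written out as an added Python example; this is not code from the post or from any party in it. The allowlist (halifax-online.co.uk from the post, plus halifax.co.uk) and the sample e-mail body are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Domains the customer was told to trust by a channel other than e-mail.
# The post names halifax-online.co.uk; halifax.co.uk is an assumption here.
TRUSTED_DOMAINS = {"halifax-online.co.uk", "halifax.co.uk"}

# Matches http(s) URLs and bare "www.example.com" style hosts in plain text.
LINK_RE = re.compile(r"""https?://[^\s"'<>]+|\bwww\.[A-Za-z0-9.-]+\.[A-Za-z]{2,}""", re.I)


def hostname_of(link: str) -> str:
    """Return the lower-cased host of a URL or bare host (no port, no credentials)."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").rstrip(".").lower()


def is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host equals a trusted domain or is a subdomain of one.
    Matching is on whole labels, so 'halifax.co.uk.example.com' and
    look-alikes such as 'halifaxsharepricealert.com' are rejected."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def untrusted_links(body: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the distinct linked hosts in an e-mail body that are not trusted."""
    seen, flagged = set(), []
    for link in LINK_RE.findall(body):
        host = hostname_of(link)
        if host and host not in seen:
            seen.add(host)
            if not is_trusted(host, trusted):
                flagged.append(host)
    return flagged


# Constructed sample body echoing the post's two links: the unfamiliar alert
# domain and the genuine halifax.co.uk page the bank later pointed to, plus a
# constructed look-alike host that a whole-label suffix check must not accept.
SAMPLE_BODY = """\
Simply download the online share tool: http://www.halifaxsharepricealert.com/
Also see http://www.halifax.co.uk/sharedealing/home.shtml
and https://www.halifax.co.uk.evil.example/login (constructed look-alike)
"""

if __name__ == "__main__":
    print(untrusted_links(SAMPLE_BODY))
```

Hosts that come back flagged are exactly the ones a customer should verify by phone or in a branch rather than by clicking, which is what the bank's own policy on the page asks for.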

If I get a reply, I'll update later.
Update: It's currently October 3rd, and I've had no reply. I can only conclude that Halifax put a very low value on phishing security, despite all their outward bluster.
Muppets!
Current Mood: amused