I was recently called out to a customer who was having trouble logging in to her bank (credit card) account online. She was using Chrome to log in to Tesco Bank, and the symptoms she described immediately made me suspect there was something amiss with her computer.
She would go to the website, enter her username on the first page and click Login. This would immediately take her to the “You have logged out” page.
She had contacted Tesco about this and been talked through trying the same thing with Internet Explorer, but with very different results. The amazing thing was that the support advisor made her do things that would compromise her account and then didn’t help her change her security details afterwards.
This is an account of what she saw, and what I subsequently reproduced later.
Screen One – Tesco Bank login screen – As expected
Username was entered into this screen and the Login button was pressed.
Screen Two – Security details page – Almost as expected, with one vital difference…
I have obviously removed the username and phrase, but the important thing is that both the phrase and the picture displayed are correct. These are the anti-phishing details that are supposed to prove to the customer that they are looking at the genuine Tesco Banking website.
The part of this page that is not as it should be is the box asking for the Security Number. On the genuine site the user is asked for only two digits of the code; here all six are requested.
After experimentation I discovered that it does not matter what you enter as your security code: whatever is typed in, pressing Next always takes the user to the following screen. The injected form does not validate the number, it only needs to capture it, and the virus designer relies on the user being unaware that anything is wrong and entering their correct code.
Screen Three – Blatant phishing for information
Neither Tesco nor any other bank would ever ask you to enter such information into a web page, and a request like this should always make you suspicious. It was at this point on her call to Tesco Support that my client was told to close the page and not input any information. However, she was not informed that she had already given up valuable information (her security number) and should change it before going any further.
As you can see from the following image, the security questions offered to the user are exactly what would be expected from a Tesco customer, they match the ones offered to customers when setting up their online banking.
My conversations with Tesco on this subject.
I called Tesco to try to warn them about this virus, and was told that they would not speak to me about it as, although I am also a Tesco Banking customer, I was not the one having the problem.
I then called them again in the presence of my client, so she could go through security, and this time was amazed by what I was told. When I got to the bit about being presented with a page phishing for information I was told “Yes, that’s what you’d expect to see if you’ve been given a new security code.” I could not have been any clearer with my explanation of what I was seeing, and the ignorance of the support desk on what should be a very obvious problem is incredible.
Eventually, after insisting on talking to someone more technical I did get through to someone who seemed to understand the magnitude of the issue, but even he would not open a support case. After posting this blog I will contact them again to see if I can get any further.
Perhaps the most worrying aspect of this attack is that the site the user is looking at IS the Tesco Bank website, just with certain page elements replaced. This is the man-in-the-browser pattern: the malware alters the page inside the browser after the genuine page has been received over the bank's own TLS connection. It means the usual advice for telling whether a site is malicious does not apply. The URL displayed in the address bar IS the URL of the Tesco Bank page, and the certificate displayed IS the correct certificate.
When I looked at the HTML source of either of the pages displayed here, I was presented with the underlying source of the real Tesco banking web pages.
As mentioned, my client normally uses Chrome to access the web, and in Chrome the infection simply sends the user to the “Logged out” page; it was only in Internet Explorer that the modified pages appeared. I didn’t find out which of the two behaviours is exhibited by Firefox.
The client could not tell me when the virus had first infected her PC, and I could not find the method of infection, but I suspect it was through an email that had subsequently been deleted.
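The observation above, that View Source showed the genuine Tesco markup while the rendered page asked for extra details, is the signature of a web inject that rewrites the DOM after the page has loaded. The following is an added example (not code from the original post, and not Tesco Bank's real markup or field names, which are constructed here for illustration) of the check that observation suggests: parse the form fields out of the HTML the server sent and out of the HTML the browser is actually displaying, and report any field that exists only in the live page.

```javascript
// Added example: detect form fields present in the displayed page but absent
// from the server-sent HTML. A man-in-the-browser inject changes the DOM after
// load, so the URL bar and certificate stay genuine while the form changes.
// All markup below is CONSTRUCTED for illustration; the field names are assumptions.

// What "view source" showed: the genuine form asks for two digits only.
const SERVER_HTML = `
<form id="security" action="/login/step2" method="post">
  <input type="hidden" name="token" value="constructed-csrf-token">
  <label>Digit 3 of your security number</label>
  <input type="password" name="secnum_3" maxlength="1">
  <label>Digit 5 of your security number</label>
  <input type="password" name="secnum_5" maxlength="1">
  <button type="submit">Next</button>
</form>`;

// What the customer saw: all six digits plus memorable information.
const LIVE_HTML = `
<form id="security" action="/login/step2" method="post">
  <input type="hidden" name="token" value="constructed-csrf-token">
  <label>Please enter your full 6 digit security number</label>
  <input type="password" name="secnum_1" maxlength="1">
  <input type="password" name="secnum_2" maxlength="1">
  <input type="password" name="secnum_3" maxlength="1">
  <input type="password" name="secnum_4" maxlength="1">
  <input type="password" name="secnum_5" maxlength="1">
  <input type="password" name="secnum_6" maxlength="1">
  <label>Mother's maiden name</label>
  <input type="text" name="memorable_mother">
  <label>Card PIN</label>
  <input type="password" name="card_pin" maxlength="4">
  <button type="submit">Next</button>
</form>`;

// Parse every <input> tag into a Map of name -> attributes, preserving document order.
function extractInputs(html) {
  const inputs = new Map();
  const inputRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z_:-]+)\s*=\s*"([^"]*)"/g;
  let tag;
  while ((tag = inputRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2];
    }
    if (attrs.name) inputs.set(attrs.name, attrs);
  }
  return inputs;
}

// Compare the server-sent form with the live form. Returns the names of fields
// that only exist in the live page (injected), fields that disappeared
// (missing), and "name.attribute" pairs whose value changed (changed).
function compareForms(serverHtml, liveHtml) {
  const server = extractInputs(serverHtml);
  const live = extractInputs(liveHtml);
  const injected = [];
  const missing = [];
  const changed = [];
  for (const [name, attrs] of live) {
    if (!server.has(name)) {
      injected.push(name);
      continue;
    }
    const orig = server.get(name);
    for (const key of new Set([...Object.keys(orig), ...Object.keys(attrs)])) {
      if (orig[key] !== attrs[key]) changed.push(`${name}.${key}`);
    }
  }
  for (const name of server.keys()) {
    if (!live.has(name)) missing.push(name);
  }
  return { injected, missing, changed };
}

const report = compareForms(SERVER_HTML, LIVE_HTML);
console.log(JSON.stringify(report, null, 2));
```

In a live browser session the two inputs would be `fetch(location.href, { credentials: 'include' }).then(r => r.text())` for the server's markup and `document.documentElement.outerHTML` for what is displayed. Treat the result as a triage indicator, not proof: legitimate sites add fields with their own scripts, and a trojan that hooks the browser's network stack can feed the same altered HTML to the fetch, so a clean comparison does not prove a clean machine.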
The virus – Details
The only way I found to detect the virus was using RogueKiller, from Adlice software. www.adlice.com/software/roguekiller
This detected it as code injected into explorer.exe, the executable that provides the Windows desktop environment, or “shell”. Because this program is always running, it is not trivial to replace. It can be done by making changes to the registry and copying the file from a clean Windows installation of the same version as the infected machine. You can contact me for details if you find yourself in the same situation.
After cleaning the infection I wish I had experimented to find out more about the virus, i.e. whether it affected other banking establishment websites. If you have any more information about it that you’d like to share please comment!