Ghosts of Banking Past

Bank names are so tricksy — they all have similar words in them… and so it’s common to see phishing feeds with slightly the wrong brand identified as being impersonated.

However, this story is about how something the other way around has happened, in that AnonGhost, a hacker group, believe that they’ve defaced “Yorkshire Bank, one of the largest United Kingdom bank” and there’s some boasting about this to be found at http://www.p0ison.com/ybs-bank-got-hacked-by-team-anonghost/.

However, it rather looks to me as if they’ve hacked an imitation bank instead! A rather less glorious exploit from the point of view of potential admirers.

To get us all on the same page:

“Yorkshire Bank” is a trading name of Clydesdale Bank plc, a subsidiary of the National Australia Bank Group of companies. Yorkshire Bank joined the Group in 1990. Their website is http://www.ybonline.co.uk/ and it currently looks like this:

Yorkshire Bank front page

There is also “The Yorkshire” or YBS, which is properly known as the “Yorkshire Building Society” and which is a member of the Building Societies Association — it’s completely independent. It has a website at http://www.ybs.co.uk/ which looks like this:

Yorkshire Building Society front page

Anyway, AnonGhost (a group of hackers who seem to specialise in defacing websites and regularly publicise their success at this) have defaced the website http://ybs-bank.com/ which now looks like this (the real thing is animated, but I cannot recommend visiting it, since there might conceivably be malware present):

Defaced front page of ybs-bank.com

and (according to Google cache) this page used to look like this:

Older version of ybs-bank.com website

According to other parts of the website (which are not defaced), this is the website for “Yorkshire Bank”, which it says is a trading name of Yorkshire Banking Society PLC, a member of the National Australia Bank Group.

So you can see why AnonGhost might believe that they had hacked “Yorkshire Bank” (or possibly “Yorkshire Building Society”).

Looking at the Whois registration data for the defaced domain, we can discover that it is currently owned by James Edward, a resident of Puchong, Malaysia (a city 6600 miles from Leeds (Yorkshire), getting on for 8 days driving time) and the domain was created in 2011. The pages appear to be an imperfect copy of www.cbmarkets.co.uk (a Clydesdale Bank website) and this copy was made some time in 2011, judging from the age of the news stories in the copy.

I have no reason to believe that anything good would happen to a Yorkshire Bank user (or a Yorkshire Building Society user) who used their credentials at the Malaysian-owned website … so it’s rather hard to say whether having it defaced is detrimental to anyone living within a few hundred miles of Leeds.

However, given the widespread claims now being made about AnonGhost’s success, it’s probably not doing the real Yorkshire Bank many favours, since it takes a bit of checking to avoid making the same mistake that AnonGhost have.
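The checking described above, sketched as an added example (not code from the original post): compare the brand a report claims with the bank that actually operates the domain. The domain-to-brand table uses the sites named in this post; the generic-word list, the two-entry suffix list and the keyword rule are assumptions made for illustration.

```python
# Added example, not from the original post. AUTHORITATIVE uses the sites the
# post names; GENERIC, TWO_LEVEL and keywords() are illustrative assumptions.
import re

AUTHORITATIVE = {
    "ybonline.co.uk": "Yorkshire Bank",
    "cbmarkets.co.uk": "Clydesdale Bank",
    "ybs.co.uk": "Yorkshire Building Society",
}
GENERIC = {"bank", "building", "society"}  # words too common to identify a brand
TWO_LEVEL = {"co.uk", "org.uk"}            # tiny stand-in for the Public Suffix List


def registrable_domain(url_or_host: str) -> str:
    """Strip scheme, port and path, then keep the registrable part of the host."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url_or_host.strip().lower())
    labels = re.split(r"[/:?#]", host, maxsplit=1)[0].rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL else 2
    return ".".join(labels[-keep:])


def keywords(brand: str) -> set:
    """Distinctive words of a brand name plus its initials (e.g. 'ybs')."""
    words = brand.lower().split()
    return (set(words) - GENERIC) | {"".join(w[0] for w in words)}


def check_claim(claimed_brand: str, url_or_host: str) -> dict:
    """Compare the brand a report claims with who actually runs the domain."""
    domain = registrable_domain(url_or_host)
    owner = AUTHORITATIVE.get(domain)
    if owner is not None:
        verdict = "confirmed" if owner == claimed_brand else "wrong-brand"
        return {"domain": domain, "verdict": verdict, "brands": [owner]}
    # Not a known bank domain: see whether its name borrows brand keywords.
    tokens = set(re.split(r"[^a-z]+", domain.split(".")[0])) - {""}
    brands = sorted(b for b in set(AUTHORITATIVE.values()) if tokens & keywords(b))
    verdict = "lookalike" if brands else "unrelated"
    return {"domain": domain, "verdict": verdict, "brands": brands}


if __name__ == "__main__":
    # The claim discussed in the post: "Yorkshire Bank" defaced at ybs-bank.com.
    print(check_claim("Yorkshire Bank", "http://ybs-bank.com/"))
```

For the claim discussed here the verdict is `lookalike`, and the only brand the hostname resembles is Yorkshire Building Society, not the Yorkshire Bank named in the claim.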

According to Whois the ybs-bank.com domain didn’t exist before 2011 … an observation I only make because Tyler Moore and I have just published a paper on what happens to banking domains when they become surplus to requirements after a bank failure or a merger. The answers aren’t too pretty when the bank releases them, and there is certainly scope for criminals to do some impersonation. So in the paper we recommend that the regulator (FDIC is the relevant regulator for the US banks we looked at) step in and ensure that domain names are not let go when they could still, in the wrong hands, pose a danger to the public.

However, policing sites that impersonate real banking domains is a much more straightforward situation to understand and it’s a situation that regularly occurs — the difficulty is generally in learning that the sites exist. In this case, fortunately for Yorkshire Bank, AnonGhost is helping them out!
