Menu button
ZeroGuard Investigative Series: A Case of NatWest Phishing

ZeroGuard Investigative Series: A Case of NatWest Phishing

Monitoring for phishing pages is something we are working on as part of the intelligence ingestion for our platform, and manually digging into cases is often beneficial to better understand what it is we are looking for.

Recently while monitoring for suspicious SSL/TLS certificates being issued (using CertStream), we came across a NatWest phishing site that had just been deployed. It was impersonating NatWest’s “Personal Banking” login page, and takes the victim through a number of steps in order to steal their personal information.

We will walk you through the scam below with screenshots of each step, to show you how it works.

A Case of NatWest Phishing

On the first page, as shown above, you are presented with the digital banking login page, asking for your customer number. It helpfully tells you what format the number is in, and even contains a fraud warning!

A Case of NatWest Phishing

After you provide your “customer number”, you are presented with one of these godawful screens banks like to use, asking for parts of your PIN and password. Banks do this apparently to defeat keyloggers, but it is effectively useless and also hints at them storing authentication credentials in cleartext, or some recoverable/comparable format. We enter some random nonsense and carry on.

A Case of NatWest Phishing

This next part is quite clever - it pitches an “error”, and asks for “some parts of your PIN” again. Note that this time it asks for the 1st, 3rd, and 4th, while the previous screen asked for the 2nd, 3rd and 4th. The attacker now has your full PIN.

They also request your full password on this screen. Throwing an error will usually distract the user just enough to make them not think too hard about this.

A Case of NatWest Phishing

We get sent to another screen now, which asks for further details for “account verification purposes”. All of the information they are requesting is very, very useful to an identity thief.

A Case of NatWest Phishing

To continue verifying our account, we are asked to give the “bank” our card number and other card details, for, uhhh, verification. Users unversed in phishing will figure “the bank has this already, its fine” and hand over the information readily. After all, they need to get into their bank account!

A Case of NatWest Phishing

Now we land on this “Checking” page, which does nothing. It just waits a few seconds and then bounces us to the legitimate Natwest website.

So now that we have walked you through the “user flow” of the scam, lets extract some information from this phishing site. We begin by traversing up a directory, in the hopes that they left something behind… And we strike gold, as seen below.

A Case of NatWest Phishing

In this directory, we notice that the attackers left behind a zip file containing probably the source code of the phishing site. We grab a copy of the zip file to take apart locally to understand how this scam works.

A Case of NatWest Phishing

Upon unpacking the zip file, we find it contains a number of PHP scripts, along with images, fonts, and JS assets. We decided a good place to start would be the PHP scripts.

A Case of NatWest Phishing

In this PHP script, the configuration settings are to be found, including the email address that the stolen data is to be exfiltrated to, whether or not to encrypt the data being sent, and the encryption key for the stolen data. In this case, the attacker chose not to encrypt the stolen data.

A Case of NatWest Phishing

A quick grep for “fopen” shows that the kit not only exfils via email but, as hinted by the config file, stores logs locally on the web server. We decided to have a quick look and see if the logs were web accessible.

A Case of NatWest Phishing

TL;DR: they were. In this screenshot you can see the junk data we entered. Any other attacker aware of this could “scavenge” results from these guys phishing operation.

In conclusion, we were able to rapidly identify an active phishing campaign before it had even received any clicks from “real victims”, extracting a wealth of information from it by identifying a deployment failure on behalf of the threat actor.

While this actor was not the most sophisticated, and the kit itself was clearly cobbled together using copy-paste programming, the risks posed by these adversaries are very real, as is the distress caused to their victims.

We will be writing up more of these in the future, as we work on improving our processes in order to automate a whole bunch of the “work” being performed.


Contact Us

Let’s get talking


Prefer to use email?

Got a security vulnerability to report?

Our PGP key:

FF10 0E66 A141 595D 520F
4384 EB31 36F5 DDDF 39F6

Or you can call us:

Las Vegas
424 363 9262
020 3319 5111
By using this site you agree to the use of cookies for analytics