Indonesian Banking Website contains suspicious activity

Dear All,

Just want to share this threat,

One of the Indonesian banks, which is quite famous here, is Bank Negara Indonesia.

According to the avast WebRep indicator, their website is voted as having a bad rating. (I attached the avast WebRep results.)

I also tried to scan it with the Anubis Web Scanner, and there is a summary report about their website which says it contains suspicious activity: when the victim accesses the website, the Internet Explorer and Registry configuration will be changed.

Summary report : http://anubis.iseclab.org/?action=result&task_id=1e4b9cce2d0f200f471ff8f343e16d49b&format=html

The suspicious website : hxxp://xxx.bni.co.id

Report 2011-04-01 10:02:35 (GMT 1)
Website bni.co.id
Domain Hash 436c0eec5d58fdc7a3a6f76f3c7594b2
IP Address 175.106.20.1 [SCAN]
IP Hostname ns2.bni.co.id
IP Country ID (Indonesia)
AS Number 46024
AS Name BNI-AS-ID PT. Bank Negara Indonesia (Persero)…
Detections 0 / 21 (0 %)
Status CLEAN

Report 2011-04-01 10:38:18 (GMT 1)
IP Address 175.106.20.1
IP Hostname ns2.bni.co.id
IP Country ID
AS Number N/A
AS Name N/A
Detections 0 / 26 (0 %)
Status CLEAN
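The two reports above are flattened "label value" lines, and the interesting detail is what changed between the two scans of the same IP (the AS information is populated in the first and N/A in the second). The following is an added example, not code from the thread or from any of the scanners mentioned: it parses report blocks in that layout into dictionaries, strips link residue such as "[SCAN]", reads the detection ratio, and diffs two reports for the same host. The sample text is constructed here from the two reports quoted above.

```python
import re

# Constructed sample: the two reports quoted in the thread, as the forum flattened them.
REPORTS_TEXT = """\
Report 2011-04-01 10:02:35 (GMT 1)
Website bni.co.id
Domain Hash 436c0eec5d58fdc7a3a6f76f3c7594b2
IP Address 175.106.20.1 [SCAN]
IP Hostname ns2.bni.co.id
IP Country ID (Indonesia)
AS Number 46024
AS Name BNI-AS-ID PT. Bank Negara Indonesia (Persero)…
Detections 0 / 21 (0 %)
Status CLEAN

Report 2011-04-01 10:38:18 (GMT 1)
IP Address 175.106.20.1
IP Hostname ns2.bni.co.id
IP Country ID
AS Number N/A
AS Name N/A
Detections 0 / 26 (0 %)
Status CLEAN
"""

# Field labels used by this report layout (assumed from the quoted reports).
# Longest first so a label is never matched by a shorter prefix.
FIELDS = sorted(
    ["Report", "Website", "Domain Hash", "IP Address", "IP Hostname",
     "IP Country", "AS Number", "AS Name", "Detections", "Status"],
    key=len, reverse=True)


def parse_reports(text):
    """Split flattened report text into one dict per blank-line-separated block."""
    reports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            for label in FIELDS:
                if line.startswith(label + " "):
                    value = line[len(label):].strip()
                    # Drop web-page residue such as the "[SCAN]" link after the IP.
                    rec[label] = re.sub(r"\s*\[SCAN\]$", "", value)
                    break
        # "0 / 21 (0 %)" -> hits=0, engines=21
        m = re.match(r"(\d+)\s*/\s*(\d+)", rec.get("Detections", ""))
        if m:
            rec["hits"], rec["engines"] = int(m.group(1)), int(m.group(2))
        reports.append(rec)
    return reports


def is_clean(rec):
    """CLEAN status with no engine hits; a missing ratio counts as not clean."""
    return rec.get("Status") == "CLEAN" and rec.get("hits") == 0


def field_changes(first, second):
    """Fields whose value differs between two reports, as {label: (old, new)}.
    A field present in one report only shows up with None on the other side."""
    changes = {}
    for key in set(first) | set(second):
        if key in ("Report", "hits", "engines"):
            continue  # timestamp and derived counters are expected to differ
        old, new = first.get(key), second.get(key)
        if old != new:
            changes[key] = (old, new)
    return changes


if __name__ == "__main__":
    first, second = parse_reports(REPORTS_TEXT)
    print("clean:", is_clean(first), is_clean(second))
    for label, (old, new) in sorted(field_changes(first, second).items()):
        print(f"{label}: {old!r} -> {new!r}")
```

Run as a script it lists the fields that differ between the two scans (AS Number, AS Name, IP Country, and the Website/Domain Hash lines that only the first report carries), while `is_clean` confirms that both scans report 0 detections.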

Hi Asyn,

Thanks for your information,

Anyway, I also found the same threat at another bank.

Summary report : http://anubis.iseclab.org/?action=result&task_id=1f11dc2bf896022c421a712ef18795feb&format=html

cheers,

Hi Yanto Chiang,

The first site was off and has probably been cleansed,

Here the second site you posted about is found to be clean:
web site:
htxp://www.klikbca.com
status:
Site verified to be secure and free of malware.
web trust:
Site not blacklisted.
I get this: status: (referer=www.google.com/trends/hottrends)failure: <urlopen error [Errno -3] Temporary failure in name resolution>
Here you have the source code as seen via Idoproxy: view-source:http://www.idoproxy.com/browse.php?u=Oi8vd3d3LmtsaWtiY2EuY29t&b=34&f=norefer

polonus

From this site I don’t get:
IP Address N/A
IP Hostname N/A
IP Country – (–)
AS Number N/A
AS Name N/A
Only thing I get is:
Domain Hash 920d98f19be2c62ca6cd39ec0cec188d
???

Hi Asyn,

They must have done a cleansing job; look, Netirk says it is online, well, the site that is:
WWW dot KLIKBCA.COM IS ONLINE :)

polonus

Hi Polonus,

Yes, according to the WebRep of avast antivirus, the status for klikbca.com was cleaned.

But according to the Anubis Web Scanner report, there is suspicious activity, as with bni.co.id.

These are very interesting cases.