
TESCO Online Banking / Credit Card Customers: Watch where you’re logging in

2014-08-15 09:18

If you do your online banking with TESCO, or indeed have a credit card with them, you may want to be on the lookout for the following website, which is hosting a rather large tally of login pages. The site in question is


and that particular site was flagged not so long ago in the Zone-H defacement mirror, with “KEST” compromising it on or around the 15th of October, 2013.



Here’s 100 or so identical HTML pages in one directory offering up a TESCO credit card login:



...a lot...


...of pages.


All of the above pages present end-users with the following login screen:

Credit card login page


The page asks end-users to log in to “Tesco bank online banking” with “credit card” mentioned in the top right-hand corner. After entering a username, the page asks for more information in two stages:

Stage one...


“Login with Internet PIN, password, cvv2 and email”

The next page asks for considerably more information:

Getting personal...


First name, last name, middle name, mother’s maiden name, house number, postcode, mobile and landline, DOB, 16 digit account number…

Rounding things off.


…expiry date, cvv2, 6 digit security number and no less than three security questions.

In another directory, we have much the same thing – 100 or so pages of Tesco login portals:

Login pages galore


These pages are slightly different from the ones in the first directory, with mentions of credit cards removed – the focus here being on the online banking portion (tescobank(dot)com).

Online banking.


It follows much the same pattern as the pages in the other directory, as you’d expect.

Yet more information.


It goes without saying – so I’m going to say it – that you should only ever log in on the homepage of your bank or credit card. Visiting it from URLs in emails or random messages sent your way just won’t cut the mustard – physically type in the URL, ensure there’s a padlock and the connection is encrypted. You won’t find padlocks or encryption on the above pages, for example.

No encryption


Here’s the tescobank website. Note the green bar, which you can click to confirm you’re on the real site and the connection is secure:

The real deal


I note since I started to write this entry that the site is now flagged as a confirmed Phish on Phishtank. Hopefully the admin will be able to fix up whatever lingering problem remains and set about a rather large clean-up operation…

Christopher Boyd

The post TESCO Online Banking / Credit Card Customers: Watch where you’re logging in appeared first on ThreatTrack Security Labs Blog.
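
For an admin facing the clean-up described above, the "100 or so identical HTML pages in one directory" pattern is itself a useful signal. The following is an added example, not part of the original post: it sweeps a web root for sets of byte-identical HTML files in one directory that contain a secret-collecting form field. The function names, the field-name heuristic, the threshold and the sample directory layout are all assumptions made for illustration.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Heuristic (assumption): an <input> that collects a password, PIN or CVV2.
SECRET_FIELD = re.compile(
    rb"<input\b[^>]*(type\s*=\s*[\"']?password"
    rb"|name\s*=\s*[\"']?\w*(pin|cvv|passw)\w*)",
    re.IGNORECASE,
)

def find_cloned_login_pages(web_root, min_copies=5):
    """Return [(directory, sha256, [filenames])] for every set of byte-identical
    HTML files in a single directory that contain a secret-collecting input."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    body = fh.read()
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if SECRET_FIELD.search(body):
                groups[(dirpath, hashlib.sha256(body).hexdigest())].append(name)
    hits = [(d, h, sorted(n)) for (d, h), n in groups.items() if len(n) >= min_copies]
    return sorted(hits, key=lambda hit: -len(hit[2]))  # largest clone set first

def build_sample_root(root):
    """Constructed sample data: 100 cloned login pages plus a normal site."""
    clone = (b'<form method="post"><input name="user">'
             b'<input type="password" name="pin"></form>')
    cache = os.path.join(root, "images", "cache")  # constructed path
    os.makedirs(cache)
    for i in range(100):
        with open(os.path.join(cache, f"page{i}.html"), "wb") as fh:
            fh.write(clone)
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<h1>Welcome</h1>")  # no form: ignored
    with open(os.path.join(root, "login.html"), "wb") as fh:
        fh.write(b'<form><input type="password" name="pw"></form>')  # one real login

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_root(root)
        for directory, digest, names in find_cloned_login_pages(root):
            print(f"{len(names)} identical pages in {directory} sha256={digest[:12]}")
```

A single legitimate login page stays below the threshold; only the directory of clones is reported, and the hash gives one value to search for across other sites on the same host.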
