Suspicious external resource in SBI netbanking page

nimod

Adept
Hi,

After about a week I opened the SBI online banking page and saw a slightly modified interface. I got alert.
Suddenly at the bottom of the browser window I saw "loading monstat.com..."
monstat.com?! I had never observed that thing ever, hence I didn't log in.
Then I opened the Firefox dev tools and checked the GET/POST data for this domain.
It's GETting:
https://monstat.com/sbi.png?du=https://retail.onlinesbi.com/retail/login.htm&dr=&rr=0.5172883058151458
The [rr] parameter value changes with each reload.
And monstat.com responds with some invalid data (attachment: monstat.com response).
monstat.com itself responds with a blank page.
I checked the domain info for monstat.com and found it even more doubtful.
The monstat.com resource is not being directly called by HTML or JavaScript (I checked the source of the page and each JS/CSS file).
Very probably some obfuscated JS code is calling monstat.com.

I find it intrusive, at a very wrong place, and it can compromise consumers' security.
Even if SBI argues it could be for collecting user stats, for me it's totally unacceptable.
They already collect a wealth of user stats (time/IP/activities/what not) after the user logs in.


Are you also observing this thing loading when you open the SBI netbanking login page?
Can it be in any way harmful?
I don't think a bank can allow such a shoddy thing on the netbanking login page. What's your view?
 

Attachments

  • sbionline waiting for monstat.png
  • monstat.com response.png
  • MonsTat.com WHOIS, DNS, & Domain Info - DomainTools.png
Checking the page source shows this script:
Code:
<script>
    // Frame buster: the document is kept hidden until this runs and is only
    // shown when the page is the top-level window, i.e. not inside an iframe.
    if (self == top) {
        document.documentElement.style.display = 'block';
    }
    // Tracking pixel: request an image from monstat.com carrying the current
    // page URL (du), the referrer (dr) and a random cache-busting value (rr).
    // The hostname is split into string fragments so it does not appear
    // literally in the page source.
    new Image().src = document.location.protocol + "//mon" + "sta" + "t.co" + "m/sbi.p" + "ng?du=" + escape(document.location) + "&dr=" + escape(document.referrer) + "&rr=" + Math.random();
</script>

Can anyone make any sense out of it? I have zero knowledge about all this stuff.
 
It's safe. It has been years that I have been logging in simply to onlinesbi.com from the browser.
Just make sure to check if it's Verified by VeriSign.
Usually a green colour appears before https://, and clicking on that you get the info.
 
Hmm, even I am getting this in both Chrome and Firefox, and I am not sure if it's malicious or not.

Can anyone make any sense out of it?
It's creating an image with the path https://monstat.com/sbi.png and it's sending 3 things to the server: the current document URL, the referrer URL and a random number.
So it's probably not sending anything critical back to the server in this request. HOWEVER, this text:

+ "//mon"+"sta"+"t.co"+"m/sbi.p"+

is super shady. They are clearly trying to hide their site name.

Also it would be interesting to analyze the image they are sending to the browser (the sbi.png one); that could have shady stuff. The image isn't loading right now.
Could be malicious. Not sure... I'll try posting it to /r/asknetsec. The pros might have an answer.
 
Checking the page source shows this script:
Code:
<script>
    if(self == top) {
        document.documentElement.style.display= 'block';
    }
    new Image().src=document.location.protocol+"//mon"+"sta"+"t.co"+"m/sbi.p"+"ng?du="+escape(document.location)+"&dr="+escape(document.referrer)+"&rr="+Math.random();
</script>

Can anyone make any sense out of it? I have zero knowledge about all this stuff.

The first if condition is typical frame-buster code to stop the page from being loaded in iframes, in order to prevent clickjacking attacks.
The second part might just be there as a tracking pixel, to register unique hits to the page.
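To make the two observations above concrete (the hostname hidden by string splitting, and the three fields the pixel sends), here is an added example that is not part of the thread or of SBI's page. It reassembles the double-quoted literals from the posted statement to recover the host, then builds the beacon URL the same way the page does and breaks it into its query fields. The `FAKE_DOC` object, the empty referrer and the fixed random value are constructed stand-ins for the browser's `document` and `Math.random()`; it runs under Node.js.

```javascript
// Added example: recover the beacon host from the split string literals in the
// posted <script> and enumerate exactly what the tracking pixel sends.
// Runs in Node.js (uses the global URL class and the legacy escape()).

// The statement exactly as quoted in the thread.
const OBFUSCATED =
  'new Image().src=document.location.protocol+"//mon"+"sta"+"t.co"+"m/sbi.p"+"ng?du="+escape(document.location)+"&dr="+escape(document.referrer)+"&rr="+Math.random();';

// Constructed stand-in for `document` on the SBI login page, typed in directly
// (so no referrer). Not a real browser object.
const FAKE_DOC = {
  location: {
    protocol: "https:",
    toString() { return "https://retail.onlinesbi.com/retail/login.htm"; },
  },
  referrer: "",
};

// Collect every double-quoted string literal in source order and join them.
// Splitting "monstat.com" into "mon"+"sta"+"t.co"+"m" is why a plain text
// search for the hostname in the page source finds nothing.
function joinStringLiterals(src) {
  const literal = /"([^"\\]*(?:\\.[^"\\]*)*)"/g;
  const parts = [];
  let m;
  while ((m = literal.exec(src)) !== null) parts.push(m[1]);
  return parts.join("");
}

// Hostname the joined literals resolve to ("//host/path?..." -> host).
function beaconHost(src) {
  const m = /^\/\/([^/?#]+)/.exec(joinStringLiterals(src));
  return m ? m[1] : null;
}

// The same expression the page evaluates, with document and Math.random()
// replaced by parameters so it can run outside a browser.
function buildBeacon(doc, rand) {
  return doc.location.protocol + "//mon" + "sta" + "t.co" + "m/sbi.p" + "ng?du=" +
    escape(String(doc.location)) + "&dr=" + escape(doc.referrer) + "&rr=" + rand;
}

// Break the request down into the fields that actually leave the browser.
// Note what is absent: no form fields or credentials are part of this URL;
// the browser attaches only cookies it already holds for monstat.com itself.
function beaconFields(beaconUrl) {
  const u = new URL(beaconUrl);
  return {
    host: u.hostname,
    path: u.pathname,
    du: u.searchParams.get("du"),          // page URL the user is on
    dr: u.searchParams.get("dr"),          // referrer, empty when typed directly
    rr: Number(u.searchParams.get("rr")),  // cache-buster, changes every load
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("hidden host:", beaconHost(OBFUSCATED));
  console.log(beaconFields(buildBeacon(FAKE_DOC, 0.5172883058151458)));
}
```

Run directly, it reports `monstat.com` as the hidden host and the three query fields (`du`, `dr`, `rr`) with the login URL decoded back from its `escape()` form. A Content-Security-Policy response header whose `img-src` directive does not list monstat.com would make the browser refuse this image request outright; whether the login page sends such a header is something to check in the same dev-tools Network tab.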
 
I didn't find any of this in my Chrome. Is it possible that your device has malware?
For the last few days I did observe that some card payments were not going through and it was giving a failure error related to the Diffie-Hellman key algorithm, which is implemented for security reasons. No problems in net banking or accessing any accounts.
 
^^There is definitely a reference to the monstat.com resource in the index HTML.

Regarding the errors you are facing: if you are using Chrome 45 you will not be able to connect to websites that have not mitigated the Logjam vulnerability. Chrome 45 requires a DH key strength of 1024 bits or higher to be set on the server.
 
Wow, I checked it again, this time using the console instead of view source.

[screenshot: AWiCA4N.png]

I will raise this query in the e-learning session by SBI in August next month.
I have also sent a mail directly to the DGM of Customer Service @SBI for further verification and clarification about this.
