This morning I received a text message (ostensibly) from my bank:

We need to contact you. Please visit https://paymentassistance.nationwide.co.uk for more information

My spidey sense immediately tingled. I've never received an SMS from my bank before, and when they email me they always use my name and post code. However nationwide.co.uk is the correct domain for my bank. Out of curiosity (and with a healthy scepticism) I typed the URL on my computer.

Is it a phishing site?

  1. It uses the same theme and colours as the familiar website http://www.nationwide.co.uk
  2. It has a https URL (certificate from Symantec)
  3. It has links to the familiar website in its footer, but its own version of the 'contact us' page with an alternate phone number 0800 464 3050. Compare https://paymentassistance.nationwide.co.uk/doc/contactUs with http://www.nationwide.co.uk/support/contact-us/call-us#xtab:credit-cards
  4. That phone number only appears on that page and not on the familiar website or elsewhere on the web. It differs from the number printed on my card (0800 055 66 11)
  5. The form asks for your name, address and last four digits of your credit card number (not the whole thing)
  6. If you try to login (I used made up data) it fails and asks you to phone them (on the suspicious number)
  7. If you phone the number a recording answers "Welcome to Nationwide credit card services. Your call may be recorded for quality and training purposes."
  8. The recording then asks for all 16 digits of your credit card number.
  9. After entering a made-up 16 digit number, a friendly lady calling herself Kelly answered the phone. I hung up.

If this is phishing, I don't understand:

  1. How did scammers take control of a subdomain? Have they hacked Nationwide's computers? (DNS servers?)
  2. How did they get an SSL certificate for it?

It looks like this page has been running since at least January 2014:

The Twitter user asked the bank about it, but they didn't reply.

Colonel Panic
Whitehaven
  • How should the website look normally, and how does it look in your browser? – Daniel Ruf Nov 13 '15 at 16:58
  • Generally these scamming sites accept any user input, it does not seem to in this case. My guess is that you're not right about this site being compromised. – Jeroen Nov 13 '15 at 17:08
  • Are you sure the link in the SMS goes to the destination it says it is going to? – schroeder Nov 13 '15 at 17:12
  • I don't know about the website, but I was contacted by someone on the 0800 464 3050 number very plausibly pretending to be from Nationwide credit card services investigating potential fraudulent activity on our account. When I said I wanted to independently verify this first and hung up and called the number on the back of our card from a different phone, then we got through to Nationwide proper and they hadn't called us and there had been no fraudulent activity on our account. So the number itself is suspicious. – Rhian Dec 14 '21 at 21:01
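As an added example that is not part of the question or of either answer, the following Python script applies the first of the question's own checks (is the link actually under the bank's domain?) the way an SMS triage tool would, and separates "wrong domain" from "right domain, but a subdomain the customer has never seen", which is the situation here. The miniature suffix list, the two extra sample messages and the verdict labels are constructed for this example; the first sample is the SMS quoted in the question.

```python
import re
from urllib.parse import urlparse

# The bank's genuine registrable domain, as stated in the question.
BANK_DOMAIN = "nationwide.co.uk"

# Constructed sample messages: the first is the SMS quoted in the question; the
# other two are made-up variants of the kind a triage check should reject.
SMS_SAMPLES = {
    "question": ("We need to contact you. Please visit "
                 "https://paymentassistance.nationwide.co.uk for more information"),
    "lookalike": "Please visit https://nationwide.co.uk.example-secure.net/login now",
    "punycode": "Please visit https://xn--ntionwide-8za.co.uk/verify",  # constructed label
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Tiny stand-in for the Public Suffix List; a real tool would load the full list.
KNOWN_SUFFIXES = ("co.uk", "org.uk", "ac.uk", "gov.uk")

# Findings that mean the link is not the bank's at all.
REJECT = {"registrable-domain-mismatch", "punycode-label", "non-ascii-host", "no-tls"}


def extract_urls(text):
    """Pull every http(s) URL out of free text such as an SMS body."""
    return URL_RE.findall(text)


def registrable_domain(host):
    """Return the eTLD+1 for host (e.g. 'nationwide.co.uk' for any *.nationwide.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in KNOWN_SUFFIXES:
        parts = suffix.split(".")
        if labels[-len(parts):] == parts:
            return ".".join(labels[-(len(parts) + 1):]) if len(labels) > len(parts) else host
    return ".".join(labels[-2:])


def triage_url(url, bank_domain=BANK_DOMAIN):
    """Classify one URL as 'familiar', 'verify-out-of-band' or 'reject'."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    findings = []
    if parsed.scheme != "https":
        findings.append("no-tls")
    if not host.isascii():
        findings.append("non-ascii-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")
    if registrable_domain(host) != bank_domain:
        findings.append("registrable-domain-mismatch")
    elif host not in (bank_domain, "www." + bank_domain):
        # Right organisation, but a host the customer has never seen before:
        # exactly the situation in the question, so confirm it with the bank
        # via a channel you already trust (the number on the card, a branch).
        findings.append("unfamiliar-subdomain")
    if REJECT & set(findings):
        verdict = "reject"
    elif findings:
        verdict = "verify-out-of-band"
    else:
        verdict = "familiar"
    return {"url": url, "host": host, "findings": findings, "verdict": verdict}


def triage_sms(text):
    """Triage every URL found in an SMS body."""
    return [triage_url(u) for u in extract_urls(text)]


if __name__ == "__main__":
    for name, body in SMS_SAMPLES.items():
        for result in triage_sms(body):
            print(f"{name:9s} {result['verdict']:18s} {result['host']}  {result['findings']}")
```

Run as a script it prints one line per sample: the question's link comes out as `verify-out-of-band` with the single finding `unfamiliar-subdomain`, while the two constructed variants are rejected outright. The point of the split is the one the question itself makes: a correct registrable domain rules out the usual lookalike tricks but does not by itself prove the page is the bank's.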

2 Answers

By the looks of things, assuming that the link you've provided is correct, they didn't.

By using the Nationwide website (as accessed by typing in the domain name manually, to preclude any similar character attacks), and using the search function (http://www.nationwide.co.uk/search?term=payment%20assistance), that subdomain showed up in the list of results.

[screenshot: search results]

The link for the second result is https://paymentassistance.nationwide.co.uk/

The general approach when it comes to things like this is to do this - search and check that the address you are using is correct (if you have paperwork from the organisation with the address on, even better). Type it in, rather than following the link, just in case. If they have a search engine, look for whatever is suspicious, and if it turns up, chances are, it's legitimate. You can also try phoning them, or popping into your local branch, in the case of a bank, to verify this.

Additional information: I contacted Nationwide via their online banking contact section, and got the following response:

Completely understand how this could cause you some concern.

Don't worry, this is a genuine Nationwide website.  This is from our Credit Card Services as they're most likely wanting to double check a payment with you.  It's completely safe for you to go ahead and complete this.

If you're a little uneasy about completing this online, please can I ask that you give our Credit Card Services a call directly.

If you are still concerned, I suggest contacting them in this way!

Matthew
  • Maybe? It also [appears on Bing](https://www.bing.com/search?q=site%3Anationwide.co.uk+%22payment+assistance). Presumably the banks pay a search engine for the site search feature, so it would have the same results. – Whitehaven Nov 13 '15 at 18:08
  • Depends on the system - some require specific subdomains to be listed, whereas others do just pull from standard spidering. I actually have an account with Nationwide, so have sent a request referencing this question to them. I think the debt collection theory could be correct, and if so, might explain dubious text messages too - debt agencies don't seem to be very discriminating in attempting to collect owed money, even if the debtor no longer lives at the address they have recorded – Matthew Nov 14 '15 at 00:25
  • @Whitehaven I wouldn't take "appears on Bing" as any indication of legitimacy. When I was looking up information on a game, there was a big official-looking box right at the top that led directly to a phishing site. I'm not sure what, if any, manual auditing Bing does for some of their "features." – user Dec 14 '21 at 22:41

I'm skeptical that paymentassistance.nationwide.co.uk is a legitimate* site operated by Nationwide Building Society (the operators of nationwide.co.uk).

Doing a few DNS queries: The A record for paymentassistance.nationwide.co.uk points to 80.69.23.142. The A record for nationwide.co.uk points to 155.131.144.11.

Digging deeper into the BGP routing for these two IPs: 155.131.144.11 is in AS blocks AS13114 and AS8698 - both of which are assigned to Nationwide Building Society by RIPE. 80.69.23.142, on the other hand, is in AS block AS21371, which is assigned to 'Equinix Limited' by RIPE. Equinix Limited appears to be a company in the data center business, and a provider of cloud servers, web hosting, etc.

It's possible that Nationwide Building Society could have outsourced the hosting of paymentassistance.nationwide.co.uk to Equinix Limited, but it would be surprising given that they are hosting nationwide.co.uk using their own IP space.

If in fact paymentassistance.nationwide.co.uk is a rogue site, it's curious how the people running this site managed to get control of this hostname, and how they were able to get a valid certificate for this site - as you pose in your question. Of course, any answer to these questions is conjecture, but one possibility is that it could have been an inside job by an employee at Nationwide Building Society, or the attacker could have had help from an employee at Nationwide. Or, an attacker could have gained access to the DNS for nationwide.co.uk (perhaps through a social engineering type of attack on a sysadmin at Nationwide, or perhaps by gaining control of a sysadmin's computer) - and hence the attacker could have created the paymentassistance.nationwide.co.uk hostname and gotten a domain-validated SSL certificate for this hostname. Or, paymentassistance.nationwide.co.uk could simply be operated by a subcontractor of Nationwide Building Society, as NReilingh astutely pointed out in his comment.

*Edit: 'legitimate' stricken in first paragraph in response to NReilingh's comment.

mti2935
  • I have a theory: "Payment Assistance" is just marketing-speak for "debt collection". The site appears to have different hosting/phone numbers/etc because it is in fact being managed on some level by a 3rd party debt collection agency. But it is still legitimate, which is why it has a subdomain and SSL cert. – NReilingh Nov 13 '15 at 19:14
  • Good theory. That would be plausible. I've edited my answer to reflect this possibility. – mti2935 Nov 13 '15 at 19:23
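As an added example (not the answerer's own tooling), the following Python code automates the comparison this answer makes by hand: take the address each name resolves to, map it to the AS that originates it, and flag a subdomain that is hosted outside the organisation's own ASNs. The addresses, AS numbers and holder names are the ones quoted in the answer; the prefix lengths and the offline DNS table are constructed placeholders, because the page gives no routes and the script is meant to run without network access.

```python
import ipaddress

# AS numbers, holders and addresses are those quoted in the answer above.
# The page gives no prefix lengths, so the routes below are constructed
# placeholders standing in for what a BGP/RIR lookup would actually return.
ROUTE_TABLE = [
    ("155.131.144.0/24", 13114, "Nationwide Building Society"),  # placeholder prefix
    ("155.131.0.0/16",   8698,  "Nationwide Building Society"),  # placeholder prefix
    ("80.69.0.0/16",     21371, "Equinix Limited"),              # placeholder prefix
]

# ASNs the answer says RIPE assigns to the bank itself.
ORG_ASNS = {13114, 8698}

# Constructed stand-in for the A-record answers described in the answer, so
# the script runs offline; a live tool would call socket.getaddrinfo() here.
RESOLVED = {
    "nationwide.co.uk": "155.131.144.11",
    "paymentassistance.nationwide.co.uk": "80.69.23.142",
}


def longest_match(ip, routes=ROUTE_TABLE):
    """Return (network, asn, holder) for the most specific route covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn, holder in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, holder)
    return best


def assess_host(hostname, resolved=RESOLVED, org_asns=ORG_ASNS, routes=ROUTE_TABLE):
    """Say whether hostname resolves into the organisation's own address space."""
    ip = resolved.get(hostname)
    if ip is None:
        return {"host": hostname, "status": "unresolved"}
    match = longest_match(ip, routes)
    if match is None:
        return {"host": hostname, "ip": ip, "status": "unknown-origin"}
    net, asn, holder = match
    return {
        "host": hostname, "ip": ip, "prefix": str(net), "asn": asn, "holder": holder,
        "status": "org-owned" if asn in org_asns else "third-party",
    }


def compare_with_apex(subdomain, apex, **kw):
    """Flag a subdomain whose originating AS differs from the apex domain's."""
    sub, top = assess_host(subdomain, **kw), assess_host(apex, **kw)
    differs = sub.get("asn") != top.get("asn")
    return {"subdomain": sub, "apex": top, "hosting_differs": differs}


if __name__ == "__main__":
    report = compare_with_apex("paymentassistance.nationwide.co.uk", "nationwide.co.uk")
    for key in ("apex", "subdomain"):
        r = report[key]
        print(f"{r['host']:36s} {r.get('ip', '-'):16s} AS{r.get('asn', '?')} "
              f"{r.get('holder', '?')} -> {r['status']}")
    if report["hosting_differs"]:
        print("Subdomain is not hosted where the apex is: confirm it with the "
              "organisation through a channel you already trust before using it.")
```

A `third-party` result is not a verdict of fraud; as the comments note, outsourced hosting by a contractor produces exactly the same picture. What the check gives a defender is a concrete, repeatable reason to escalate, and the same table-driven structure works for monitoring your own zone: feed it every name under the apex and review any that resolve outside the ASNs you expect.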