Bank One joins the league of local banks that have been targeted by phishing attacks. I received an email that appeared to come from [email protected]; naturally, the email did not originate from the bank's servers.


Received-SPF: none (google.com: [email protected] does not designate permitted sender hosts) client-ip=103.23.xxx.xxx;
Authentication-Results: mx.google.com; spf=none (google.com: [email protected] does not designate permitted sender hosts) [email protected]
Received: from fisika by eagle.fpmipa.upi.edu with local (Exim 4.85) (envelope-from <[email protected]>)

Extract from the email header

I think I gotta stop talking about SPF and DKIM now, as the local banks don't seem at all concerned about improving their email security and fighting email forgery.
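The header extract above is exactly what a receiving gateway or an analyst script can key on: the Authentication-Results line says spf=none, meaning the bank's domain publishes no SPF record, so Google could neither accept nor reject the claimed sender. The following is an added example, not code from the original post, that parses those two header lines and flags the message; the sample headers are constructed from the extract, with a placeholder sender address and IP because the post redacts them, and the smtp.mailfrom= tag is assumed to be what the redacted part of the Authentication-Results line contained.

```python
import re
from email import message_from_string

# Constructed sample modelled on the header extract in the post. The sender
# address, client IP and smtp.mailfrom tag are placeholders/assumptions.
SAMPLE_HEADERS = """\
Received-SPF: none (google.com: alerts@bankone.example does not designate permitted sender hosts) client-ip=103.23.0.1;
Authentication-Results: mx.google.com; spf=none (google.com: alerts@bankone.example does not designate permitted sender hosts) smtp.mailfrom=alerts@bankone.example
Received: from fisika by eagle.fpmipa.upi.edu with local (Exim 4.85) (envelope-from <alerts@bankone.example>)
From: "Bank One" <alerts@bankone.example>
Subject: Your account statement

"""

_SPF_RE = re.compile(r"spf=(pass|fail|softfail|neutral|none|temperror|permerror)", re.I)
_MAILFROM_RE = re.compile(r"smtp\.mailfrom=([^\s;]+)", re.I)
_CLIENT_IP_RE = re.compile(r"client-ip=([0-9a-fA-F.:]+)")


def spf_verdict(raw_message):
    """Return (spf_result, mailfrom_domain, suspicious) from Authentication-Results.

    'suspicious' is True when the envelope sender's domain publishes no SPF
    record (none), when the check failed, or when no result is present at all:
    in each case the receiver has no evidence the mail came from that domain.
    """
    auth = message_from_string(raw_message).get("Authentication-Results", "")
    m = _SPF_RE.search(auth)
    result = m.group(1).lower() if m else "missing"
    mf = _MAILFROM_RE.search(auth)
    domain = mf.group(1).split("@")[-1].lower() if mf else ""
    return result, domain, result in ("none", "fail", "softfail", "missing")


def spf_client_ip(raw_message):
    """Return the connecting IP recorded in Received-SPF, or '' if absent."""
    spf_line = message_from_string(raw_message).get("Received-SPF", "")
    m = _CLIENT_IP_RE.search(spf_line)
    return m.group(1) if m else ""


def visible_from_matches_mailfrom(raw_message):
    """True when the domain shown in From: equals the envelope sender domain.

    A match with spf=none is the classic forged-bank pattern: the message
    claims the bank's domain end to end, yet nothing vouches for it.
    """
    _, mailfrom_domain, _ = spf_verdict(raw_message)
    m = re.search(r"@([\w.-]+)", message_from_string(raw_message).get("From", ""))
    return bool(m) and m.group(1).lower() == mailfrom_domain
```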

The email contains a link on the text AccountStament.df, which opens a fake page imitating Bank One's website. At the time of writing, the web host has suspended that account, so the page is no longer available.

Nevertheless, the phishers will keep sending these emails while hosting the fake pages on other compromised servers.


Update #1

An Indonesian university website was compromised and used to send the phishing emails.
