Joining the league of local banks victim of phishing attacks, Bank One makes an entry. I received an email appearing from cservice@banokone.mu; naturally the email didn't originate from the bank's servers.

bankone-phishing

Received-SPF: none (google.com: fisika@eagle.fpmipa.upi.edu does not designate permitted sender hosts) client-ip=103.23.xxx.xxx; Authentication-Results: mx.google.com; spf=none (google.com: fisika@eagle.fpmipa.upi.edu does not designate permitted sender hosts) smtp.mail=fisika@eagle.fpmipa.upi.edu Received: from fisika by eagle.fpmipa.upi.edu with local (Exim 4.85) (envelope-from )
Extract from email header

I think I gotta stop talking about SPF and DKIM now, as the local banks don't feel at all concerned about leveraging their security and fight email forgery.

The email contains a link on the text AccountStament.df which would open to a fake page appearing like Bank One's website. At the time of writing the web host has suspended that account, therefore the page isn't available.

Nevertheless, phishing attackers would continue sending these emails while hosting pages on other compromised servers.


Update #1

An Indonesian university website was compromised and used to send the phishing emails.

upi-edu-hacked