I am seeing quite an aggressive phishing campaign against Bank of America arriving overnight UK time. They all pretend to come from Bank of America <[email protected]> but are actually coming from various servers. I have posted details of 2 that I received. The emails are identical apart from the subject line. There will almost certainly be other similar subjects that I haven’t seen yet.

The subjects I have seen so far are:

Bank of America AlertSign-in to Online Banking Locked
Bank of America Alert: Unlock Your Account Important Message From Bank Of America ®

They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Neither Bank of America nor accounts.com has been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.

Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com>. That is why these scams and phishes work so well.

The email looks like:

From: Bank of America <[email protected]>

Date: Wed 17/01/2018 00:12

Subject: Bank of America AlertSign-in to Online Banking Locked

Body content:

To ensure delivery, add [email protected] to your address book.

Online Banking Alert

Online Banking Unauthorized Sign-In
Security Checkpoint: Online Banking Unauthorized Sign-In

Remember: Always look for your SiteKey® before entering your Passcode.

Date: 01/17/2018

As part of our security measures, our system regularly scheduled account maintenance and verification procedures, we have detected a slight error in your online banking information. Our system requires account verification for more security and protection to your account , To confirm this verification Sign-In to your online banking and update your information.

Security Checkpoint: This email includes a Security Checkpoint. The information in this section lets you know this is an authentic communication from Bank of America. Remember to look for your SiteKey every time you sign in to Online Banking.

Email preferences

This is a service email from Bank of America. Please note that you may receive service email in accordance with your Bank of America service agreements, whether or not you elect to receive promotional email.

Contact us about this email

Please do not reply to this email with sensitive information, such as an account number, PIN, password, or Online ID. The security and confidentiality of your personal information is important to us. If you have any questions, please either call the toll-free customer service phone number on your account statement or visit the Bank of America website to access the Contact Us page, so we can properly verify your identity.

Privacy and security

Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please visit the Bank of America website to read our Privacy Policy. You can also learn how Bank of America keeps your personal information secure and how you can help protect yourself.

Bank of America Email, 8th Floor-NC1-002-08-25, 101 South Tryon St., Charlotte, NC 28255-0001

Bank of America, N.A. Member FDIC. Equal Housing Lender
© 2018 Bank of America Corporation. All rights reserved.

The link in the email, http://www.valaskabela.sk/new.php, redirects you to http://bankofamerica-com-update-work-new2018.hbdhshjdsjkds.co.uk/d983474dae569d3bdffe8735ae43151a/ (the ID/referral string after the co.uk/ is random).

We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It might be a message saying “look at this picture of me I took last night” that appears to come from a friend, or something more targeted at somebody who is likely to receive PDF attachments, Word .doc attachments or any other common file type every day. Or it might be a straightforward attempt, like this one, to steal your personal, bank, credit card, email or social networking login details. Be very careful when unzipping attachments and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.

Email Headers and web site details:

IP: 5.44.105.121
Hostname: lax1.idcserver79.net
City: Los Angeles
Region: California
Country: US
Organisation: AS29066 velia.net Internetdienste GmbH

Received: from [5.44.105.121] (port=48780 helo=lax1.idcserver79.net)
by knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.89_1)
(envelope-from <[email protected]>)
id 1ebbKM-0004HG-2T
for [email protected]; Wed, 17 Jan 2018 00:11:38 +0000
Received: from alld3s1g by lax1.idcserver79.net with local (Exim 4.89_1)
(envelope-from <[email protected]>)
id 1ebbKL-000rHG-4c
for [email protected]; Wed, 17 Jan 2018 07:11:37 +0700
Date: Wed, 17 Jan 2018 07:11:37 +0700
To: [email protected]
From: Bank of America <[email protected]>
Reply-To:
Subject: Bank of America AlertSign-in to Online Banking Locked
Message-ID: <[email protected]>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - lax1.idcserver79.net
X-AntiAbuse: Original Domain - victimsdomain.com
X-AntiAbuse: Originator/Caller UID/GID - [514 498] / [47 12]
X-AntiAbuse: Sender Address Domain - lax1.idcserver79.net
X-Get-Message-Sender-Via: lax1.idcserver79.net: authenticated_id: alld3s1g/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: lax1.idcserver79.net: alld3s1g
X-Source:
X-Source-Args: /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server
X-Source-Dir: alldesigncorps.com:/public_html/media/media/css

IP: 90.156.141.97
Hostname: vm555934.vps.masterhost.ru
Country: RU
Organisation: AS25532 LLC MASTERHOST

Received: from vm555934.vps.masterhost.ru ([90.156.141.97]:38366 helo=yamed.ru)
by knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.89_1)
(envelope-from <[email protected]>)
id 1ebbKF-0004Gv-8A
for [email protected]; Wed, 17 Jan 2018 00:11:31 +0000
Received: from yamed by yamed.ru with local (Exim 4.84_2)
(envelope-from <[email protected]>)
id 1ebbKF-0006ca-Em
for [email protected]; Wed, 17 Jan 2018 03:11:31 +0300
Date: Wed, 17 Jan 2018 03:11:31 +0300
To: [email protected]
From: Bank of America <[email protected]>
Reply-To:
Subject: =?iso-8859-1?Q?Bank_of_America_Alert:_Unlock_Your_Account_Important_Messa?=
=?iso-8859-1?Q?ge_From_Bank_Of_America_=C2=AE?=
Message-ID: <[email protected]>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
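As an added example (not code from the original post), the following Python script performs the checks the two header blocks above invite: it walks the Received: chain to find the IP and HELO of the host that handed the mail over, skips the local submission hop, and compares the From: display name and domain with the envelope-from, the HELO and the X-Mailer. The message is a constructed sample modelled on the first header block, with placeholder mailbox addresses, and bankofamerica.com is assumed to be the brand's legitimate sending domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "bank of america"           # display name the phish impersonates
BRAND_DOMAIN = "bankofamerica.com"  # assumed legitimate sending domain
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample modelled on the post's first header block; mailbox addresses are placeholders.
SAMPLE = """Received: from [5.44.105.121] (port=48780 helo=lax1.idcserver79.net)
    by mx.recipient.example with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    (envelope-from <webuser@lax1.idcserver79.net>)
    for victim@recipient.example; Wed, 17 Jan 2018 00:11:38 +0000
Received: from webuser by lax1.idcserver79.net with local (Exim 4.89_1)
    (envelope-from <webuser@lax1.idcserver79.net>)
    for victim@recipient.example; Wed, 17 Jan 2018 07:11:37 +0700
From: Bank of America <alert@accounts.example>
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
"""

def smtp_hops(msg):
    """(ip, helo) per Received: hop that carries an IP, newest first; local hops skipped."""
    hops = []
    for rcv in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+(.*?)\s+by\s+", " ".join(rcv.split()))
        ip = IPV4.search(m.group(1)) if m else None
        if ip:  # "from webuser by host with local" has no IP: script submission, not SMTP
            helo = re.search(r"helo=([^\s)]+)", m.group(1))
            hops.append((ip.group(1), helo.group(1) if helo else None))
    return hops

def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    env = re.search(r"envelope-from\s+<[^>@]+@([^>]+)>", " ".join(msg.get_all("Received", [])))
    env_domain = env.group(1).lower() if env else None
    hops = smtp_hops(msg)
    origin_ip, origin_helo = hops[-1] if hops else (None, None)  # oldest hop that carried an IP
    findings = []
    if BRAND in display.lower() and not from_domain.endswith(BRAND_DOMAIN):
        findings.append(f"display name impersonates {BRAND!r} but From: domain is {from_domain}")
    if env_domain and env_domain != from_domain:
        findings.append(f"envelope-from domain {env_domain} differs from From: domain {from_domain}")
    if origin_helo and not origin_helo.endswith(BRAND_DOMAIN):
        findings.append(f"handed off by {origin_ip} (helo={origin_helo}), not a {BRAND_DOMAIN} relay")
    if "phpmailer" in msg.get("X-Mailer", "").lower():
        findings.append("X-Mailer is PHPMailer: a web script on the sending host, not a bank MTA")
    return {"origin_ip": origin_ip, "origin_helo": origin_helo, "findings": findings}
```

Run `triage(SAMPLE)` to get the originating IP and HELO plus the list of mismatches; the IP is what you would look up and report, as the post does with the hosting details.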

The website actually hosting the phish is hbdhshjdsjkds.co.uk, which was registered on 16-Jan-2018 using what are almost certainly fake details. It was registered via Enom and is hosted by Bluehost on 162.241.225.135.

Domain name:
hbdhshjdsjkds.co.uk

Registrant:
Gebhart Gregg J

Registrant type:
UK Individual

Registrant's address:
805 RODEO ST
GILLETTE
Wyoming
82718
United States

Data validation:
Nominet was not able to match the registrant's name and/or address against a 3rd party source on 16-Jan-2018

Registrar:
eNom LLC [Tag = ENOM] URL: http://www.enom.com

Relevant dates:
Registered on: 16-Jan-2018
Expiry date: 16-Jan-2019
Last updated: 16-Jan-2018

Registration status:
Registered until expiry date.

Name servers:
ns1.bluehost.com
ns2.bluehost.com

WHOIS lookup made at 04:17:22 17-Jan-2018