
September 17, 2008

Beware of First Bank Phishing Website - Odd Combination of North Korea, Iran and Russia

Filed under: Internet security — Administrator @ 2:33 am
Posted about 1 year and 11 months ago

TOKYO (MacHouse) - About a week ago, we reported a spam message involving First Bank (First Banks, Inc.). It’s a familiar name for those who live in the State of Missouri, USA. The spam message implied that a phishing website might be hosted at the domain firstbanks.us-banking.net. The actual URL in the spam message is http://firstbanks.us-banking.net/olb/. However, the website was not accessible at the time we visited it.

Screenshot 01 - Source: MacHouse
Screenshot 02 - Source: firstbanks.ebanking-system.us
Screenshot 03 - Source: MacHouse

More than four hours ago, an organized cybercriminal group sent out a spam message using First Bank’s name. The title of the message is:

Attention - Update your account! 634 (See Screenshot 01.)

Right. It’s exactly the same spam message we received before. The underlying URL this time is http://firstbanks.ebanking-system.us/olb/. If we try to open this URL, the web browser does not reach the destination easily. After more than a minute of waiting, we finally reach a phishing website. (See Screenshot 02.)

Let’s see what we get by looking at the source of the phishing mail message. (See Screenshot 03.) The return path is shown as updateinfo@firstbanks.com. The message was labeled as junk mail by the recipient server. That means the IP address of the server the message came from and the mail domain given in the header don’t match. In fact, the IP address 58.78.239.206 shown in the header does not belong to the web server of firstbanks.com; rather, it is traced to South Korea. On the other hand, the time zone in which the phishing message was sent suggests that it comes from the U.K., Portugal, Morocco or Ivory Coast.

Screenshot 04 - Source: firstbanks.com
Screenshot 05 - Source: firstbanks.ebanking-system.us
Screenshot 06 - Source: firstbanks.com

Now, let’s take a look at the phishing website again. If you click on the hyperlink that says Click here, you will be forwarded to an actual webpage of firstbanks.com. (See Screenshot 04.) Let’s go back to the phishing website. Next, let’s click on the button that says Return to Homepage. You will be forwarded to http://www.firstbanks.com. (See Screenshot 05.) By the way, the phishing content is hosted in a directory titled olb. Why olb? What does it stand for? Well, only the web designer of the genuine bank website knows what it stands for. The fake simply mirrors the genuine site’s path: the actual login page of First Bank’s online banking website is also hosted in a directory titled olb. (See Screenshot 06.) A major difference is that the genuine login page is served over HTTPS with a certificate issued by VeriSign. The fake is not. (See Screenshot 07.)
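As an added example (not from the MacHouse post), a small Python script that automates the header and link checks made above on a constructed copy of the message: it pulls the Return-Path domain and originating IP from the headers, the UTC offset of the Date header, and every link in the body, and flags look-alike hosts that carry the brand name but sit under another registrable domain, as well as login links served over plain HTTP. The raw message text, the relay mx.example.net and all function names are constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample, modelled on the message described in the post (not the real raw mail).
SAMPLE = """\
Return-Path: <updateinfo@firstbanks.com>
Received: from unknown (HELO mail.firstbanks.com) [58.78.239.206]
 by mx.example.net with SMTP; Wed, 17 Sep 2008 02:10:00 +0100
From: First Bank <updateinfo@firstbanks.com>
Date: Wed, 17 Sep 2008 02:10:00 +0100
Subject: Attention - Update your account! 634
Content-Type: text/html

<html><body><a href="http://firstbanks.ebanking-system.us/olb/">Click here</a></body></html>
"""

def registered_domain(host):
    """Naive registrable domain: the last two labels (enough for .com and .us hosts here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyze(raw, brand_domain="firstbanks.com"):
    """Return the indicators an analyst would check by hand, plus a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    return_path = str(msg.get("Return-Path", "")).strip("<> ")
    rp_domain = return_path.rsplit("@", 1)[-1].lower()
    # The bottom-most Received header is the hop closest to the true origin.
    received = msg.get_all("Received", [])
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[-1])) if received else []
    origin_ip = ips[0] if ips else None
    # The Date header's offset hints at the sender's time zone, as the post notes.
    offset = parsedate_to_datetime(str(msg["Date"])).utcoffset()
    offset_hours = offset.total_seconds() / 3600 if offset is not None else None
    urls = re.findall(r'href="(https?://[^"]+)"', msg.get_content())
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        # Brand name present in the host, but the registrable domain is someone else's.
        if brand_domain.split(".")[0] in host and registered_domain(host) != brand_domain:
            findings.append(f"look-alike host {host} is not under {brand_domain}")
        if parsed.scheme != "https":
            findings.append(f"login link {url} is plain HTTP, not HTTPS")
    if rp_domain == brand_domain and origin_ip:
        findings.append(f"claims {rp_domain} but originated at {origin_ip}; check it against the bank's mail servers")
    return {"return_path_domain": rp_domain, "origin_ip": origin_ip,
            "date_utc_offset_hours": offset_hours, "urls": urls, "findings": findings}
```

Swapping the constructed link for https://www.firstbanks.com/olb/ clears both link findings, leaving only the origin-IP check for the analyst.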

Screenshot 07 - Source: firstbanks.ebanking-system.us
Screenshot 08 - Source: WhoIs.Net
Screenshot 09 - Source: Sepanta Communication Development

Okay. Let’s look up the WhoIs registration of firstbanks.ebanking-system.us. Screenshot 08 shows that the domain registrant’s address is:

golden fu
terassa 5
Dolgonosov, Hamgyongbuk-do 534234
North Korea

Hmm… That’s kind of interesting. Furthermore, the phone number given by the registrant is 7.234235235. But the country calling code of North Korea is not 7 but 850. Calling code 7 belongs to… the Russian Federation and its neighbouring countries.

So where is the phishing website hosted? Its web server is traced to Sepanta Communication Development Co. Ltd., at the IP address 85.133.206.84, which belongs to an Iranian communications company. (See Screenshot 09.)

Finally, if you provide login information and click on the Login button, you will be returned to the same fake login page or to a blank one.

References:

Beware of Phishing Mail / Website Targeting First Banks Customers





********** ********** ********** ********** ********** ********** ********** **********

MacHouse is not funded by taxpayers' money. We have limited resources. We also need time to sleep and eat just like others. So we will not act as the international police and contact all victims of website abuse. All you have to do is subscribe to spam messages and spam posts. If we can, why don't you?
