Active Bank of America Phishing Website Hosted in Australia







TOKYO (MacHouse) – There have been multiple phishing attacks against American financial institutions over the past 45 hours. The PayPal phishing website that we reported yesterday wasn’t the only one. Another phishing e-mail message went around at the same time. This spam message was used to advertise a phishing website targeting HSBC, one of the world’s largest financial groups. (See Screenshot 01.) The phishing website was taken down before we launched an investigation.





Screenshot 01 – Source: MacHouse
Screenshot 02 – Source: MacHouse
Screenshot 03 – Source: MacHouse






There is an active phishing website targeting Bank of America. A phishing message arrived at junk913@gmail.com more than 44 hours ago. The title of the message is






Bank of America Alert Message from Customer Service (See Screenshot 02.)






The message says that the recipient’s bank account has been accessed by different terminals and urges him or her to log in to the account by clicking on a hyperlink that says Sign in to Online Banking. The underlying link is






http://www.urspace.com.au/menu/bankofamerica.com/updateinformation/
details.cgi/updating.cfmpage=corp_bofacom/signon.php?
section=signinpage&update=&cookiecheck=yes&destination=nba/signin/






(A continuous URL is split into three parts.) Clicking on the link forwards the reader to a phishing website hosted at the domain urspace.com.au. (The phishing website was active at the time of investigating this phishing incident.)
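The link above puts bankofamerica.com in the path while the host that actually serves the page is www.urspace.com.au. The following check is an added example, not part of the original article: it flags that mismatch and, going beyond the article's case, also catches a brand placed in the userinfo or in the left-hand host labels. The function names and the `brands` allow-list are assumptions.

```python
from urllib.parse import urlsplit

# URL quoted in the article, rejoined from its three printed parts.
PAGE_URL = (
    "http://www.urspace.com.au/menu/bankofamerica.com/updateinformation/"
    "details.cgi/updating.cfmpage=corp_bofacom/signon.php?"
    "section=signinpage&update=&cookiecheck=yes&destination=nba/signin/"
)

def in_domain(name, domain):
    """True if name is the domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)

def brand_mismatch(url, brands):
    """Report brand domains that appear in a URL the brand does not host.

    brands is the caller's own list of protected domains (assumption).
    Returns {"host": ..., "findings": [(brand, where), ...]}.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    user = (parts.username or "").lower()
    segments = [s.lower() for s in parts.path.split("/") if s]
    findings = []
    for brand in brands:
        if in_domain(host, brand):
            continue  # the brand really serves this URL
        if in_domain(user, brand):
            findings.append((brand, "userinfo"))    # http://brand@otherhost/
        if ("." + brand + ".") in ("." + host + "."):
            findings.append((brand, "host-label"))  # brand.otherdomain.tld
        if any(in_domain(s, brand) for s in segments):
            findings.append((brand, "path"))        # the article's case
    return {"host": host, "findings": findings}

if __name__ == "__main__":
    print(brand_mismatch(PAGE_URL, ["bankofamerica.com"]))
```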

Let’s see where the message comes from. Screenshot 03 shows the HTML source code of the phishing message. The return path and reply address are both set to Online@bankofamerica.com. But that’s not where the spam message originates. The source code indicates that the spammer used an account at Portail Orange (orange.fr), a popular French portal. The user name may be mwinf2113. The source code also reveals that this account was accessed from Morocco. (The IP address of 81.192.34.66 is traced to a network in Morocco.) However, chances are that the spammer originally comes from Eastern Europe, as indicated by the time stamp, which is 2 hours ahead of GMT.
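The header comparison described above can be scripted. This is an added example, not taken from the original article: it reads the claimed sender domain from Return-Path, walks the Received chain, and reports the earliest hop. The sample message is constructed; only the sender address, the subject, orange.fr and 81.192.34.66 come from the article, and the hostnames, dates and function name are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample. The sender address, subject, orange.fr and 81.192.34.66
# are from the article; hostnames, dates and the 192.0.2.25 hop are made up.
SAMPLE = """\
Return-Path: <Online@bankofamerica.com>
Received: from smtp-out.orange.fr (smtp-out.orange.fr [192.0.2.25])
\tby mx.example.net with ESMTP; Mon, 01 Jan 2007 10:00:05 +0000
Received: from User (unknown [81.192.34.66])
\tby smtp-out.orange.fr with ESMTP; Mon, 01 Jan 2007 12:00:00 +0200
From: "Bank of America" <Online@bankofamerica.com>
Reply-To: Online@bankofamerica.com
Subject: Bank of America Alert Message from Customer Service

(body omitted)
"""

def trace_origin(raw):
    """Compare the domain a message claims with the hosts that relayed it."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    hops = []
    for received in msg.get_all("Received", []):   # newest hop first
        flat = " ".join(received.split())           # undo header folding
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
        by = re.search(r"\bby ([\w.-]+)", flat)
        stamp = parsedate_to_datetime(flat.rpartition(";")[2].strip())
        offset = stamp.utcoffset()
        hops.append({
            "from_ip": ip.group(1) if ip else None,
            "by": by.group(1).lower() if by else None,
            "utc_offset_h": offset.total_seconds() / 3600 if offset is not None else None,
        })
    relays = [h["by"] for h in hops if h["by"]]
    aligned = any(r == claimed or r.endswith("." + claimed) for r in relays)
    return {"claimed_domain": claimed, "hops": hops,
            "origin": hops[-1] if hops else None, "relay_matches_claim": aligned}

if __name__ == "__main__":
    print(trace_origin(SAMPLE))
```

Only the hops written by servers the recipient controls are trustworthy; Received lines below them are supplied by the sending side and can be forged, and each stamp's UTC offset is that of the host that wrote the line.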





Screenshot 04 – Source: urspace.com.au
Screenshot 05 – Source: Alexa
Screenshot 06 – Source: MacHouse






Now, let’s see where the phishing website is hosted. The domain is urspace.com.au. If you access this domain, you will reach a suspicious website with no sign of traffic. (See Screenshot 04.) According to Traffic Details, there is indeed little traffic to this website. (See Screenshot 05.) We don’t know exactly who has set it up. The important fact is that an active phishing website is there to target Bank of America’s online banking users. In the meantime, it appears that this website is hosted in Australia, probably around the Melbourne area, because the web server can be traced to a network run by a company called Pacific Internet Pty Ltd, which is located in Melbourne, Victoria.





Screenshot 07 – Source: urspace.com.au
Screenshot 08 – Source: urspace.com.au
Screenshot 09 – Source: urspace.com.au






If you access the URL shown above, you will see the Bank of America phishing website content. There is nothing special about it. If you enter a location and an online ID, you will be asked to provide more personal information. (See Screenshots 07-12.) What’s more important is that the organized cyber criminal group has left an important piece of information that lets us figure out how this phishing website was installed. We will get to that in several hours. What a bunch of stupid cyber criminals…





Screenshot 10 – Source: urspace.com.au
Screenshot 11 – Source: urspace.com.au
Screenshot 12 – Source: urspace.com.au












References:

Phishing Alert: Yahoo May Be Hosting a PayPal Phishing Website – Part 2
Phishing Alert: Yahoo May Be Hosting a PayPal Phishing Website – Part 1
