New phishing campaign aimed at Bank of Ireland users

Update 20.07.2020: It appears that all the websites examined below have now been taken down. The urlscan links are dead too.

A new phishing campaign targeting Bank of Ireland users appeared this week.

This is nothing new (apart from the websites themselves, which are new). Banking institutions are among the primary targets for scams like this, simply because the criminals do not just harvest the bank's customers' personal data through phishing; they can also go straight after their money.

At least two readers contacted me independently this week with evidence that something was up.

Phishing SMS messages like this one were sent to users, prompting them to click on the malicious link.

In some cases, the actual genuine phone number used by Bank of Ireland to communicate with customers was spoofed.

This means that if you have previously received legitimate SMS messages from BOI, the spoofed message sent to you by the scammers would appear in that thread.

Like in the case of this user:

This can be very confusing to some people as it’s easy to conclude that since this message appears in the thread of messages known to be legitimate, it also must be from a trusted sender (the first two messages with one time passwords related to Revolut are genuine).

There are many more malicious domains than just the above two.

The list of BOI phishing domains I identified in the last week or so (in no particular order):

365online-billing[.]com – urlscan here

tickets-boi[.]com – urlscan here

supports-boi[.]com – urlscan here

365serviceupdate[.]com – urlscan here

boi365login[.]co – urlscan here

recover-boi[.]com – urlscan here

security-boi[.]com – urlscan here

secure-boi[.]com – urlscan here


What do these websites have in common?

  • The majority of the above phishing websites are hosted on Alibaba.com servers in Singapore, on the exact same IP address or IP address ranges;
  • They all appeared online for the first time 2-3 weeks ago, some as recently as 2-3 days ago;
  • They use free Let’s Encrypt certificates to appear legitimate;
  • The source code is very similar (and simplistic) in practically all of them;
  • The input is saved into hidden fields;
  • The input validation parameters are also similar.

I could be stating the obvious here, but a few important caveats all the same:

  1. Never just click on anything, whether in a text or email.
  2. Always compare the link against the legitimate URL (hover the cursor without clicking).
  3. Bookmark your sites, do not rely on typing in your URLs manually.
  4. If in doubt, check a website using free services like Who.is or CentralOps.
  5. Look for obvious discrepancies there, like the website creation date and where it’s hosted.
  6. Don’t trust emails or texts just because they appear like they came from a legitimate source.

PS. More scammy domains are waiting in situ and we will probably notice them pop up in the near future, once all of the above websites have been shut down…
