Another new phishing campaign against Bank of Ireland customers

  • by

Quick Sunday evening threat research: this feels like a bit of a deja vu – or maybe it’s a seasonal thing – last year, nearly exactly to the day, I wrote about a phishing campaign targeting Bank of Ireland users.

In an uncanny coincidence, a very similar, new phishing campaign just launched.

Malicious SMS messages are being sent from a spoofed BOI number, containing a link to a domain hosted in Ukraine on IP address 91.214.124.119 – created today…

Bank of Ireland phishing OSINT

The link won’t open on a desktop browser as the website appears to conduct user agent validation only allowing access to mobile devices.

For the same reason, it also evades detection and scanning with urlscan…

But good old VirusTotal still detects it:

https://www.virustotal.com/gui/url/e8a9278d2a9df81b65ebf7174e7517830b4fe280f12d6006253749da8c2ba723/detection

Bank of Ireland phishing OSINT 2

The same IP address hosts two more similar phishing websites:

  • boi-authie[.]com
  • online365-boi[.]com

A quick scan with Shodan reveals a total of 15 open ports – some of which allow direct connection to control panels for the fraudulent domains – not what you would expect to see on a legitimate Bank of Ireland domain, right?

Bank of Ireland phishing OSINT 4
Bank of Ireland phishing OSINT 5

The IP address belongs to a Hong Kong hosting provider Eranet.

Their email address for reporting abuse is support(at)tnet.hk – going to send this article to them now and hopefully this fraudulent operation is taken down promptly.

 

Leave a Reply

Your email address will not be published.