Quick Sunday evening threat research: this feels like a bit of déjà vu – or maybe it’s a seasonal thing – last year, nearly exactly to the day, I wrote about a phishing campaign targeting Bank of Ireland users.
In an uncanny coincidence, a very similar, new phishing campaign just launched.
Malicious SMS messages are being sent from a spoofed BOI number, containing a link to a domain hosted in Ukraine on IP address 220.127.116.11 – created today…
The link won’t open in a desktop browser, as the website appears to perform User-Agent validation and only allows access from mobile devices.
For the same reason, it also evades detection and scanning with urlscan…
But good old VirusTotal still detects it:
The same IP address hosts two more similar phishing websites:
A quick scan with Shodan reveals a total of 15 open ports – some of which allow direct connection to control panels for the fraudulent domains – not what you would expect to see on a legitimate Bank of Ireland domain, right?
The IP address belongs to Eranet, a Hong Kong hosting provider.
Their email address for reporting abuse is support(at)tnet.hk – I'm going to send this article to them now, and hopefully this fraudulent operation will be taken down promptly.