Big name brands are big phishing targets. Why? Because they are well recognized by many consumers. When an email claims to be from Bank of America, even non-Bank of America consumers recognize the name. And familiarity breeds confidence, so users are more likely to click on links. So, when our Threat Detection Center recently encountered a Bank of America phishing email, we decided to look behind the scenes.
A quick technical review highlights an immediate red flag. The sending email domain is kompass-gbl.de, a domain with no indication of any association with Bank of America. Further, the domain is hosted by hosting-core.de, yet another entity not normally associated with Bank of America.
Moving on to the email itself, there are two immediate indicators of suspicion. A simple issue, yet one that would escape the notice of most users, is the salutation of “Dear Client”. In legitimate Bank of America messages, we see many uses of Dear Member or Dear Customer, but never “Dear Client”. While there is no guarantee that Bank of America has never used “Dear Client”, it is highly suspicious compared to other samples we’ve seen.
Next is the lack of any information identifying the debit card in question. Again, comparing against valid Bank of America samples, we generally see at least a few digits of the debit card number included to help the recipient validate which card is in question. Similar to “Dear Client”, this is likely to escape the notice of most unsuspecting users.
Evaluating the links is where things get very interesting. In the example shown below, most of the links point to legitimate websites. Clicking a link and ending up at Walmart.com, for example, would surely increase the apparent validity of the email. Even the Equal Housing Lender link points to what may have been, at one time, a valid Bank of America web page. But click “No” to indicate the suspicious charges are not valid, and the user is redirected to a compromised WordPress site at enhauteenergyservices.com. The compromised WordPress site then redirects the user to heberjahiz.com, hosted in the Netherlands.
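The four indicators walked through above (sender domain unrelated to the brand, a salutation the brand never uses, no partial card number, and action links that leave the brand's domain) are all mechanical enough to check in a triage script. The following Python is an added example and is not code from the original post or from the Threat Detection Center; the sample message it runs on is constructed to match the post's description. The sending domain kompass-gbl.de and the redirect host enhauteenergyservices.com come from the post, while the local part, subject line, body wording, URL paths and the Walmart and Bank of America URLs are assumptions made for illustration.

```python
"""Triage a suspected brand-impersonation email for the indicators described in the post."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the post's description of the Bank of America lure.
# The sending domain and the WordPress redirect host are taken from the post; the local
# part, subject line, body wording and URL paths are assumptions for illustration.
SAMPLE_EMAIL = """\
From: Bank of America Alerts <alerts@kompass-gbl.de>
To: customer@example.net
Subject: Unusual debit card activity
Content-Type: text/html

<html><body>
<p>Dear Client,</p>
<p>We detected charges on your debit card. Did you authorize them?</p>
<p><a href="https://www.walmart.com/">Yes</a>
<a href="http://enhauteenergyservices.com/wp-includes/confirm.php">No</a></p>
<p><a href="https://www.bankofamerica.com/">Equal Housing Lender</a></p>
</body></html>
"""

BRAND_DOMAINS = {"bankofamerica.com"}  # registrable domains the brand actually sends from
EXPECTED_SALUTATIONS = {"dear member", "dear customer"}  # seen in legitimate mail, per the post

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SALUTATION_RE = re.compile(r"dear\s+[a-z]+", re.I)
# A legitimate card alert normally quotes part of the card number, e.g. "ending in 1234" or "****1234".
CARD_HINT_RE = re.compile(r"(?:ending(?: in)?|\*{2,}|x{2,})\s*\d{4}", re.I)


def registrable(host):
    """Crude eTLD+1: fine for .com/.de hosts; use a public-suffix library for production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def triage(raw):
    """Return the sender domain, salutation, link inventory and the list of indicators that fired."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload()                      # single-part text/html, so this is the HTML string
    text = re.sub(r"<[^>]+>", " ", body)          # tag-stripped text for the wording checks

    flags = []
    if registrable(sender_domain) not in BRAND_DOMAINS:
        flags.append("sender_domain_mismatch")

    m = SALUTATION_RE.search(text)
    salutation = m.group(0) if m else ""
    if salutation.lower() not in EXPECTED_SALUTATIONS:
        flags.append("generic_salutation")

    if not CARD_HINT_RE.search(text):
        flags.append("no_card_identifier")

    links = []
    for href, label in ANCHOR_RE.findall(body):
        host = urlparse(href).hostname or ""
        links.append({"label": re.sub(r"\s+", " ", label).strip(), "host": host,
                      "off_brand": registrable(host) not in BRAND_DOMAINS})
    if any(link["off_brand"] for link in links):
        flags.append("off_brand_links")

    return {"sender_domain": sender_domain, "salutation": salutation,
            "links": links, "flags": flags}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print("flags:", ", ".join(result["flags"]))
    for link in result["links"]:
        marker = "  (off-brand)" if link["off_brand"] else ""
        print(f"  [{link['label']}] -> {link['host']}{marker}")
```

The link inventory is the part worth reading closely: the Walmart and Bank of America links look reassuring, and only the "No" call-to-action leaves for a host that has nothing to do with the brand. In practice the off-brand hosts from this inventory are the ones to resolve in a sandbox, where the redirect chain through the compromised WordPress site to the final landing page becomes visible.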
A simple approach that takes advantage of a well-known brand. Nothing intrinsically new, but it illustrates that even the oldest techniques are still effective.