Analysis of an online phishing attack targeting Bank of America customers

by Cyren Security Blog

The attack begins with a message that comes from a spoofed “Bank of America” sender (such as:  RiskDept@hotmail.com, or RiskDept@msn.com).  See sample below (note the very advanced date):

The attached file, BillingVerification.exe, is a self-extracting archive which contains and automatically loads an html page in the recipient’s browser.  The file saved on the local drive is:

C:bankofamericaverificationBillingVerification.html

The loaded page imitates the real Bank of America site by using images and logos sourced from the original site.   The fake page also gets its stylesheet from the original site to make sure it more closely resembles the real site (see HTML below):

For your convenience – spot the differences between the real and phishing Bank of America pages below:

1. Original Page

2. Fake Page

The phishing page requires the usual personal information including account and online information as follows:

When submitting the page (after filling out all the required information), users will no doubt be surprised at the result – the next page to load will be: hxxp://www.yourtinywaist.com, (not really related to the Bank of America).

The email attachment is detected as HTML/Bankish.NZ by Command Antivirus.

Keep your online accounts safe.

 

Go back