Cyren Security Blog

How to Identify Common Phishing Link Scams

Earlier this month, we witnessed a phishing link attack on CIMB Clicks bank customers in Malaysia which combines some common social engineering techniques (scare tactics) with some newer technical misdirection techniques (tinyurl). We decided to provide a detailed blow-by-blow on how this particular tinyurl scam worked.

The CIMB Clicks site, which is the online banking portal for CIMB bank, offers customers online banking, insurance, and share trading services. Customers can also pay bills, inquire about account balances, and conduct various other financial transactions.

Common Phishing Link Scamming Tactics Used

The CIMB Clicks phishing scam employs two increasingly common techniques to entice the victim into participation. First, the language in the attached documents attempts to ‘scare’ the customer into thinking that access to their CIMB accounts has been restricted. Second, the scam obfuscates the fake phishing link by converting it into a shortened URL using a URL-shortening web service, like tinyurl.

Cyren detects these phishing documents as “XML/Phish.H” for the fake MSWORD CIMB Document and “PDF/Phish.EVZ” for the fake PDF CIMB Document.

Cyren Analysis—CIMB Clicks Phishing Link Scam

The following images show what the fraudulent MSWord and PDF documents look like when opened by the recipient.

Figure 1: Fake MSWORD CIMB Document

Figure 2: Fake PDF CIMB Document

HTTP Redirection Using URL Shortening Web Service

Clicking the highlighted URL link leads to the following HTTP redirection (Figure 3 below). You will notice that the URL link appears as a shortened URL via “”. Increasingly, we are noticing that criminals are obfuscating their malicious links using URL-shortening web services, such as and By using the shortened URL, the criminal ensures that a victim who hovers over the link sees only the shortener's address and cannot tell that the URL destination is not actually the one intended.

Figure 3: HTTPLog Redirection
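
The redirection above can be checked without opening the page in a browser. The following is an added example, not code from Cyren or from the original article: it follows the Location headers one hop at a time and flags a link whose final host is not the bank's own domain. The hosts bank.example and phish.example, the path names, and the response table are constructed placeholders.

```python
import http.client
from urllib.parse import urljoin, urlsplit

SHORTENERS = {"tinyurl.com"}   # the shortener named in the article; extend as needed

def head_fetch(url):
    """Live fetcher: one HEAD request, redirects not followed, body never rendered."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=5)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, fetch=head_fetch, max_hops=10):
    """Follow Location headers hop by hop and return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(chain[-1], location)   # Location may be relative
        if nxt in chain:                     # redirect loop: stop here
            break
        chain.append(nxt)
    return chain

def assess(url, allowed_hosts, fetch=head_fetch):
    """Flag a link whose final host is neither the brand domain nor a subdomain of it."""
    chain = expand(url, fetch)
    hosts = [(urlsplit(u).hostname or "") for u in chain]
    final = hosts[-1]
    on_brand = any(final == h or final.endswith("." + h) for h in allowed_hosts)
    return {"chain": chain, "final_host": final, "suspicious": not on_brand,
            "via_shortener": any(h in SHORTENERS for h in hosts)}

# Constructed responses (not taken from the article): URL -> (status, Location)
CONSTRUCTED = {
    "https://tinyurl.com/EXAMPLE": (301, "http://bank.example.login.phish.example/"),
    "http://bank.example.login.phish.example/": (302, "/clicks/index.php"),
    "http://bank.example.login.phish.example/clicks/index.php": (200, None),
    "https://www.bank.example/login": (200, None),
}

def fake_fetch(url):
    """Offline stand-in for head_fetch, backed by the constructed table above."""
    return CONSTRUCTED[url]
```

The suffix comparison is anchored on a leading dot, so a lookalike host that merely begins with the bank's name is still flagged.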

A Neverending Loop

The following is the process once the victim arrives on the fake CIMB Clicks site (Figure 3). Notably, during the last phase, there is an infinite loop while capturing the email address.

Figure 4: Infinite loop in the fake CIMB Clicks credentials capturing process

The phishing domains lead to these IP addresses which belongs to OVH Hosting and which belongs to “” as seen in the images below.

Figure 5: WHOIS IP of Phishing Domains

In addition to implementing strong email gateway security, which can prevent phishing emails from reaching users in the first place and can also block access to phishing links as a second layer of protection, Cyren encourages everyone, as always, to “think before you click.” If you suspect fraud, type the address of your financial institution directly into your web browser.

If you don’t have strong phishing protection, we also recommend blocking the IP addresses and
