top of page
  • OpaCyber

Unauthorized activity detected! Online Banking Scam

Here's an email we recently caught in our nets and the red flags to watch out for if you receive something similar:

  1. Red flag 1 🚩: Allied Irish Banks (for those who may not know 😊) is valid, and one of the largest banks in Ireland. Bit of a strange email address though, isn't it? 🤦‍♂️

  2. Red flag 2 🚩: the "To:" is the recipient's email address, but so is the "Dear". A valid email would use either first name, or first name & surname. Any time an email address is used when being addressed should be treated as suspicious. It usually means it has either been scraped from a website or disclosed in a "data dump" of a compromised database

  3. Red flag 3 🚩: Ah, one of the classic social engineering tricks - fear. Designed to make you leave your thoughtful brain behind and resort to your lizard brain 🤣 Also, note the mis-spelling of "below" as "bellow"

Credential Harvesting Attack! What's it all about then?

This is a credential harvesting attack. The link doesn't go to AIB but to another site. There, once you have entered your banking credentials it will either just fail, or re-direct you to the real login page where you would have to enter your credentials once again (*1). Meanwhile your login information has been recorded and is probably already being used

*1 This should be a Red Flag 🚩Stop and immediately contact your bank

This type of "html obfuscation" is easy to do (well..) like this:

If you do choose to click that link, it's safe but, there's no free beer as it goes to the website of the US National Security Agency (NSA). We can't say for sure but we don't think they give out free beer 🤣 🤣

So, where is the link actually going? We went down that rabbit hole to show you 🤣

The link goes to a page like this, which is a replica of a correct AIB page:

EXCEPT, the url is some random numbers (dot) domain (dot) a re-direct. So a sub-domain of a website that looks to have been compromised and where the bad actors are launching their attack

Also that page on the real website doesn't correspond to the link provided in the phishing email. The phishing email link (if real) would go to AIB's home page:

The REAL login page on the website has a different url:

Finally, we followed the url that hosted the phishing page (in a safe manner) and it didn't resolve 🤦‍♂️

However, when we took out the sub-domain and re-direct and went to the main domain we got this:

Fortunately, even if the credentials were phished there is a good chance this wouldn't work as AIB ping the customer's mobile app for verification when someone tries to log in. As long as they just don't hit "approve" by mistake! 🤦‍♂️

Stay safe out there!!


Os comentários foram desativados.
bottom of page