MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2005

MA-092.052005: MyCERT Special Alert - Hong Leong/Bumiputra Commerce/AmBank Group/Alliance Bank Phishing Email

Original Issue Date: 19th May 2005
2nd Revision: 20th May 2005

MyCERT received several reports this morning from users within our constituency regarding the circulation of a suspicious email. A copy of the email as received by users is attached below:

========Copy of the Suspicious Email=============

From: Online Banking
To: xx@xx.com.my
Sent: Thursday, May 19, 2005 12:41 PM
Subject: Hong Leong/Bumiputra Commerce/AmBank Group/Alliance Bank

Dear Hong Leong/Bumiputra Commerce/AmBank Group/Alliance Bank Member,

This email was sent by the Bank server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your Hong Leong/Bumiputra Commerce/AmBank Group/Alliance Bank online access details. This is done for your protection - because some of our members no longer have access to their email addresses and we must verify it. To verify your e-mail address and access your account, click on the link below:

If You Have Hong Leong Bank Account: http://www.hlb.com.my/Y83fyKAxkpo6h2fc9nij
If You Have Alliance Bank Account: http://www.alliancebank.com.my/euDs4yqktp3iz7c290ka
If You Have Bumiputra Commerce Bank Account: http://www.channel-e.com.my/QFW64yGxMF34526zv4
If You Have AmBank Group Account: http://www.ambg.com.my/qxKM1RujhH7t87j06o0u4

===============================

MyCERT has analysed the full header of the email, and our analysis indicates that the above email is a phishing email which is currently circulating within our constituency. The phishing email asks recipients to log in through the links given in the email, one for each victim bank.

When a user clicks on a link given in the email, it goes to a Google search string link, which then redirects to the phishing site and to the genuine website of the bank. The phishing site opens a pop-up window requesting users to enter the username and password of their internet banking account.

Our analysis indicates that the phishing sites for the four victim banks are hosted on a single machine with the IP address 81.211.64.115, located in Russia. The addresses of the phishing sites are listed below:

  1. http://mdnryugj.pisem.net/welcome3.html

  2. http://mdnryugj.pisem.net/welcome4.html

  3. http://mdnryugj.pisem.net/welcome5.html

  4. http://mdnryugj.pisem.net/welcome6.html

MyCERT recommends the following:

  1. Users should install a pop-up blocker in their browsers, e.g. Google Toolbar or Yahoo Toolbar.

  2. Users who are using Windows XP are advised to upgrade to Service Pack 2, as SP2 comes with a pop-up blocker.

    Service Pack 2 for Windows XP can be downloaded from:
    http://www.microsoft.com/windowsxp/sp2/default.mspx

  3. Do not respond to the email, and delete the email received immediately.

  4. Please send the full header of the phishing email received to us for analysis purposes, if the email has not been deleted.

    To retrieve the full header, please refer to:
    http://www.mycert.org.my/en/resources/email/email_header/main/detail/509/index.html

    Once you have retrieved the full header and sent it to MyCERT, you are advised to delete the email.

  5. Organizations may consider temporarily blocking the phishing site's IP address 81.211.64.115 and the domain mdnryugj.pisem.net at their gateway.

NOTE: In addition, MyCERT has immediately notified the relevant parties in Russia to shut down the phishing site.

MyCERT advises users who receive any such emails in the future to report them to us for analysis and verification purposes.

MyCERT can be reached for assistance at:

Tel: 03-89961901
Fax: 03-89960827
Email: mycert@mycert.org.my
SMS: 019-2813801