MA-092.052005: MyCERT Special Alert - Hong Leong/Bumiputra Commerce/AmBank Group/Alliance Bank Phishing Email
Original Issue Date: 19th May 2005
2nd Revision: 20th May 2005
MyCERT received several reports this morning from users within our constituency regarding the circulation of a suspicious email. A copy of the email as received by users is attached below:
========Copy of the Suspicious Email=============
From: Online Banking
Sent: Thursday, May 19, 2005 12:41 PM
Subject: Hong Leong/Bumiputra Commerce/AmBank Group/Alliance Bank
Dear Hong Leong/Bumiputra Commerce/AmBank Group/Alliance Bank Member,
This email was sent by the Bank server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your Hong Leong/Bumiputra Commerce/AmBank Group/Alliance Bank online access details. This is done for your protection - because some of our members no longer have access to their email addresses and we must verify it. To verify your e-mail address and access your account, click on the link below:
If You Have Hong Leong Bank Account: http://www.hlb.com.my/Y83fyKAxkpo6h2fc9nij
If You Have Alliance Bank Account: http://www.alliancebank.com.my/euDs4yqktp3iz7c290ka
If You Have Bumiputra Commerce Bank Account:
If You Have AmBank Group Account: http://www.ambg.com.my/qxKM1RujhH7t87j06o0u4
MyCERT has analysed the full header of the email, and our analysis indicates that the above email is a phishing email which is currently circulating within our constituency. The phishing email asks recipients to log in through the links given in the email for each of the victim banks.
When a user clicks on a link given in the email, it goes to a Google search string link, which then redirects to the phishing site and to the genuine website of the bank. The phishing site opens a pop-up window requesting users to enter the username and password of their internet banking account.
Our analysis indicates that the phishing sites of the four victim banks are hosted on a single machine with the IP address 18.104.22.168, located in Russia. The addresses of the phishing sites are listed below:
MyCERT recommends the following:
Install a pop-up blocker in the browser, for example Google Toolbar or Yahoo Toolbar.
Users who are using Windows XP are advised to upgrade to Service Pack 2, as SP2 comes with a pop-up blocker.
Service Pack 2 for Windows XP can be downloaded at:
Do not respond to the email, and delete the email received immediately.
Please send the full header of the phishing email received to us for analysis purposes, if the email has not been deleted.
To retrieve the full header, please refer to:
Once you have retrieved the full header and sent it to MyCERT, you are advised to delete the email.
Organizations may consider temporarily blocking the phishing site's IP address 22.214.171.124 and the domain mdnryugj.pisem.net at their gateway.
NOTE: In addition, MyCERT has immediately notified the relevant parties in Russia to shut down the phishing site.
MyCERT advises users who receive any such emails in the future to report them to us for analysis and verification purposes.
MyCERT can be reached for assistance at: