2017-10-24 - PHISHING WEBSITE TRAFFIC

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-10-24-banking-phish-traffic.pcap.zip   68.4 kB (68,432 bytes)

• 2017-10-24-banking-phish-traffic.pcap   (81,615 bytes)

• Z2017-10-24-banking-phish-traffic.saz.zip   103.9 kB (103,926 bytes)

• 2017-10-24-banking-phish-traffic.saz   (105,657 bytes)

• 2017-10-24-banking-phish-email-and-kit.zip   1.7 MB (1,692,884 bytes)

• 2017-10-24-phishing-email-0651-UTC.eml   (3,999 bytes)
• bankalhabib.zip   (1,690,437 bytes)

 

EMAIL

Shown above:  Screenshot from the email.

 

EMAIL INFO:

• Date:  Tuesday, 2017-10-24 06:51 UTC
• From:  Bank AL Habib Limited <heather.lee@vanderbilt[.]edu>
• Subject:  BAHL Internet Banking - Update
• Link in the email for phishing page:  hxxp[:]//byrangkai[.]com/options/

 

TRAFFIC

Shown above:  Traffic filtered in Wireshark.

 

Shown above:  Traffic filtered in Fiddler.

 

ASSOCIATED TRAFFIC:

• hxxp[:]//byrangkai[.]com/options/
• hxxps[:]//www.rentech[.]com[.]tr/wp-admin/css/bankalhabib/T001/banking.php
• Various other URLs starting with: hxxps://www.rentech[.]com[.]tr/wp-admin/css/bankalhabib/T001/

 

FILE HASHES

PHISHING KIT:

• SHA256 hash:  ca5982eb9d87444d2a9d6a92e4f0d75a19b0ea271e01c6769d86df417f139a78
  File size:  1,690,437 bytes
  File name:  bankalhabib.zip
  File location:  hxxps[:]//www.rentech[.]com[.]tr/wp-admin/css/bankalhabib.zip
  File description:  Phishing kit for fake Bank AL Habib Limited (BAHL) on-line banking page

 

IMAGES

Shown above:  Screenshot of the fake banking page.

 

Shown above:  Fake banking page asks for further info.

 

Shown above:  Open directory where I found the phishing kit.

 

Shown above:  Email addresses the captured credentials are sent to.

 

Click here to return to the main page.