2017-10-24 - PHISHING EMAIL, SUBJECT: BAHL INTERNET BANKING - UPDATE
ASSOCIATED FILES:
- Saz archive of the Fiddler capture: 2017-10-24-banking-phish-traffic.saz 110 kB (109,939 bytes)
- Zip archive of the pcap: 2017-10-24-banking-phish-traffic.pcap.zip 68 kB (68,432 bytes)
  - 2017-10-24-banking-phish-traffic.pcap (81,615 bytes)
- Zip archive of the email and phishing kit: 2017-10-24-banking-phish-email-and-kit.zip 1.7 MB (1,692,522 bytes)
  - 2017-10-24-phishing-email-0651-UTC.eml (3,999 bytes)
  - bankalhabib.zip (1,690,437 bytes)
PHISHTANK LINKS FOR THE ASSOCIATED URLS:
- https://www.phishtank.com/phish_detail.php?phish_id=5296951
- https://www.phishtank.com/phish_detail.php?phish_id=5296967
Shown above: Screenshot from the email.
EMAIL INFO:
- Date: Tuesday, 2017-10-24 06:51 UTC
- From: Bank AL Habib Limited <heather.lee@vanderbilt.edu>
- Subject: BAHL Internet Banking - Update
- Link in the email for phishing page: hxxp://byrangkai.com/options/
TRAFFIC
Shown above: Traffic filtered in Wireshark.
Shown above: Traffic filtered in Fiddler.
ASSOCIATED TRAFFIC:
- hxxp://byrangkai.com/options/
- hxxps://www.rentech.com.tr/wp-admin/css/bankalhabib/T001/banking.php
- Various other URLs starting with: hxxps://www.rentech.com.tr/wp-admin/css/bankalhabib/T001/
FILE HASHES
PHISHING KIT:
- SHA256 hash: ca5982eb9d87444d2a9d6a92e4f0d75a19b0ea271e01c6769d86df417f139a78
- File size: 1,690,437 bytes
- File name: bankalhabib.zip
- File location: hxxps://www.rentech.com.tr/wp-admin/css/bankalhabib.zip
- File description: Phishing kit for fake Bank AL Habib Limited (BAHL) on-line banking page
IMAGES
Shown above: Screenshot of the fake banking page.
Shown above: Fake banking page asks for further info.
Shown above: Open directory where I found the phishing kit.
Shown above: Email addresses the captured credentials are sent to.
FINAL NOTES
Once again, here are the associated files:
- Saz archive of the Fiddler capture: 2017-10-24-banking-phish-traffic.saz 110 kB (109,939 bytes)
- Zip archive of the pcap: 2017-10-24-banking-phish-traffic.pcap.zip 68 kB (68,432 bytes)
- Zip archive of the email and phishing kit: 2017-10-24-banking-phish-email-and-kit.zip 1.7 MB (1,692,522 bytes)
Zip and saz files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.