2017-10-24 - PHISHING EMAIL, SUBJECT: BAHL INTERNET BANKING - UPDATE

ASSOCIATED FILES:

• Saz archive of the Fiddler capture:  2017-10-24-banking-phish-traffic.saz   110 kB (109,939 bytes)

• Zip archive of the pcap:  2017-10-24-banking-phish-traffic.pcap.zip   68 kB (68,432 bytes)

• 2017-10-24-banking-phish-traffic.pcap   (81,615 bytes)

• Zip archive of the email and phishing kit:  2017-10-24-banking-phish-email-and-kit.zip   1.7 MB (1,692,522 bytes)

• 2017-10-24-phishing-email-0651-UTC.eml   (3,999 bytes)
• bankalhabib.zip   (1,690,437 bytes)

 

PHISHTANK LINKS FOR THE ASSOCIATED URLS:

• https://www.phishtank.com/phish_detail.php?phish_id=5296951
• https://www.phishtank.com/phish_detail.php?phish_id=5296967

 

EMAIL

Shown above:  Screenshot from the email.

 

EMAIL INFO:

• Date:  Tuesday, 2017-10-24 06:51 UTC
• From:  Bank AL Habib Limited <heather.lee@vanderbilt.edu>
• Subject:  BAHL Internet Banking - Update
• Link in the email for phishing page:  hxxp://byrangkai.com/options/

 

TRAFFIC

Shown above:  Traffic filtered in Wireshark.

 

Shown above:  Traffic filtered in Fiddler.

 

ASSOCIATED TRAFFIC:

• hxxp://byrangkai.com/options/
• hxxps://www.rentech.com.tr/wp-admin/css/bankalhabib/T001/banking.php
• Various other URLs starting with: hxxps://www.rentech.com.tr/wp-admin/css/bankalhabib/T001/

 

FILE HASHES

PHISHING KIT:

• SHA256 hash:  ca5982eb9d87444d2a9d6a92e4f0d75a19b0ea271e01c6769d86df417f139a78
  File size:  1,690,437 bytes
  File name:  bankalhabib.zip
  File location:  hxxps://www.rentech.com.tr/wp-admin/css/bankalhabib.zip
  File description:  Phishing kit for fake Bank AL Habib Limited (BAHL) on-line banking page

 

IMAGES

Shown above:  Screenshot of the fake banking page.

 

Shown above:  Fake banking page asks for further info.

 

Shown above:  Open directory where I found the phishing kit.

 

Shown above:  Email addresses the captured credentials are sent to.

 

FINAL NOTES

Once again, here are the associated files:

• Saz archive of the Fiddler capture:  2017-10-24-banking-phish-traffic.saz   110 kB (109,939 bytes)
• Zip archive of the pcap:  2017-10-24-banking-phish-traffic.pcap.zip   68 kB (68,432 bytes)
• Zip archive of the email and phishing kit:  2017-10-24-banking-phish-email-and-kit.zip   1.7 MB (1,692,522 bytes)

Zip and saz files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.