As I was doing my routine of going through my inbox, I found a phishing site for the Bank of America. Looking into the actual email, I found a Korean site masked within the phishing link.



From the email, the link hxxps://sitekey.bankofamerica.com/cgi-bin/sas/enrollWithDebitCard.do?state redirects to the following URL, which is the phished site of Bank of America:
hxxp://blocho.com/image/owner/wysiwyg/images/banners/cgi-bin/us/update.info/bankofamerica.alert/login.aspx/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin
This site poses as a legitimate site for the Bank of America to lure their customers into disclosing their online banking ID with their corresponding states – which limits the targets only to North America. When a customer tries to sign in to the said site, he is advised that the ID he entered is invalid. The site http://blocho.com is actually local to Korea, as seen in its domain registry details below:
———————————————–
Myung San Jun msjun@nate.com +82.1062969485
Myung San Jun
604-902
Sinnae Apt,Sinnae Apt,KOREA, REPUBLIC OF 131130
Domain Name:blocho.com
Record last updated at 2007-11-28 02:35:31
Record created on 2006/5/25
Record expired on 2008/5/25
Domain servers in listed order:
ns1.zzori.com ns1.staredong.com
This site appears to be legitimate, except for the specific tier where the redirection/phishing occurs. The specific part of the said site was already tagged as phishing by Trend Micro Web Reputation Services.
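
The masking described above, where the link shown in the email names sitekey.bankofamerica.com while the destination sits on blocho.com with the bank's name buried in the path, can be checked mechanically on the mail gateway or during triage. The following is an added example and not part of the original post: the sample anchor is constructed from the two URLs quoted above (kept defanged, query string shortened), and the function names and the BRANDS table are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: brand token -> domain that legitimately owns it.
BRANDS = {"bankofamerica": "bankofamerica.com"}

def host_of(url):  # lower-cased host; defanged hxxp/hxxps schemes parse too
    return (urlsplit(url.strip()).hostname or "").lower()

class AnchorCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Return [(destination_host, [reasons])] for anchors that look masked."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons, dest = [], host_of(href)
        # Check 1: the visible text is itself a URL, but on a different host.
        shown = host_of(text) if "://" in text else ""
        if shown and dest and shown != dest:
            reasons.append(f"text shows {shown} but href goes to {dest}")
        # Check 2: a brand name appears in the path of a host the brand does not own.
        for token, domain in BRANDS.items():
            off_brand = dest != domain and not dest.endswith("." + domain)
            if off_brand and token in urlsplit(href).path.lower():
                reasons.append(f"'{token}' in path on host outside {domain}")
        if reasons:
            findings.append((dest, reasons))
    return findings

# Constructed sample: the post's two URLs (defanged, query shortened) as one anchor.
SAMPLE = ('<a href="hxxp://blocho.com/image/owner/wysiwyg/images/banners/cgi-bin/us/'
          'update.info/bankofamerica.alert/login.aspx/signon.php?section=signinpage">'
          'hxxps://sitekey.bankofamerica.com/cgi-bin/sas/enrollWithDebitCard.do?state</a>')

if __name__ == "__main__":
    print(audit_links(SAMPLE))
```

Both checks fire on the sample; an anchor whose text and href agree on a bankofamerica.com host produces no finding.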



