    Bank Of America Phishing source from Korea

    As I was doing my routine of going through my inbox, I found a phishing site for the Bank of America. Looking into the actual email, I found a Korean site masked within the phishing link.

    From the email, the link hxxps://sitekey.bankofamerica.com/cgi-bin/sas/enrollWithDebitCard.do?state redirects to the following URL, which is the phished site of Bank of America:

    hxxp://blocho.com/image/owner/wysiwyg/images/banners/cgi-bin/us/update.info/bankofamerica.alert/login.aspx/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin

    This site poses as a legitimate site for the Bank of America to lure their customers into disclosing their online banking ID with their corresponding states – which limits the targets only to North America. When a customer tries to sign in to the said site, he is advised that the ID he entered is invalid. The site http://blocho.com is actually local to Korea, as seen in its domain registry details below:

    ———————————————–
    Myung San Jun msjun@nate.com +82.1062969485
    Myung San Jun
    604-902
    Sinnae Apt,Sinnae Apt,KOREA, REPUBLIC OF 131130

    Domain Name:blocho.com
    Record last updated at 2007-11-28 02:35:31
    Record created on 2006/5/25
    Record expired on 2008/5/25

    Domain servers in listed order:
    ns1.zzori.com ns1.staredong.com

    This site appears to be legitimate, except for the specific tier where the redirection/phishing occurs. The specific part of the said site was already tagged as phishing by Trend Micro Web Reputation Services.
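
A mail-filter style check for the link masking described above, as an added example that is not part of the original post. It assumes the email was HTML with the bank URL as the visible link text and the blocho.com URL as the href; the sample message is constructed, its href is shortened to the path, and URLs are kept defanged.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAIN = "bankofamerica.com"  # brand impersonated in the post
BRAND_TOKEN = "bankofamerica"

def host_of(url):
    """Host of a URL; accepts the defanged hxxp(s):// form used in reports."""
    url = url.strip()
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return (urlsplit(url).hostname or "").lower()

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html_body):
    """Return [(href, [reasons])] for anchors that look masked."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons, target = [], host_of(href)
        shown = host_of(text) if "://" in text else ""
        if shown and shown != target:
            reasons.append(f"text shows {shown}, href goes to {target}")
        on_brand = target == BRAND_DOMAIN or target.endswith("." + BRAND_DOMAIN)
        if BRAND_TOKEN in href.lower() and not on_brand:
            reasons.append(f"brand name in URL on unrelated host {target}")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample body: one masked link (URLs from the post) and one clean link.
SHOWN = "hxxps://sitekey.bankofamerica.com/cgi-bin/sas/enrollWithDebitCard.do?state"
PHISH = "hxxp://blocho.com/image/owner/wysiwyg/images/banners/cgi-bin/us/update.info/bankofamerica.alert/login.aspx/signon.php"
SAMPLE = f'<p><a href="{PHISH}">{SHOWN}</a></p><p><a href="{SHOWN}">{SHOWN}</a></p>'
```

Calling `check_links(SAMPLE)` flags only the first anchor, for both the text/href host mismatch and the brand name appearing in the path of an unrelated host.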




