At least a couple of security experts from TrendLabs Manila have received emails supposedly coming from a local bank, the United Coconut Planters Bank (UCPB). The email messages were immediately considered suspicious because the recipients were not members of that bank. These messages also employed the usual tactic of warning recipients that unauthorized attempts were made to log in to their online accounts (which in reality do not exist), possibly by third parties with malicious intent.

Clicking on the link within the email leads users to either of the following sites:
http://www.{BLOCKED}1.org
http://www.{BLOCKED}1.biz

Both look pretty much the same, with a news feature about a recent partnership with an Indian BPO (Business Process Outsourcing/Outsourcer) and even an advisory that warns against a certain company using the bank’s name in other doubtful dealings. Needless to say, these are phishing sites that aim to collect banking credentials from unwitting users.
The Login button on the left column of the sites directs users to this spoofed login page:

This is not the first time that Philippine banks have been targeted by phishers. Earlier this year, two major Philippine banks also fell victim to phishing scams: the Bank of the Philippine Islands (BPI) on February 2 and Equitable PCI Bank on February 7.
Trend Micro customers, especially in the Philippines, have no reason to worry as these domains are now blocked by the Content Security (CS) Web Blocking Team. The CS Team is also on the lookout for more of the same domains that target UCPB users and non-users alike.
Thank you to Project Manager Menard Osena for the heads-up.
Additional information provided by CS Team Leader Jenifer Olaco and CS Web Blocking Engineer Aivee Cortez.



