Banking: SBI Mauritius Phishing

April 2, 2015

The latest candidate to join the league of famous Banks who allowed their domain name to be phishing-friendly is SBI Mauritius.

Today an email was dropped in my spambox as follows:

sbi-mauritius-phishing

Dissecting the email header showed the source being a VPS from deployis.eu, a hosting provider.

Received-SPF: none (google.com: www-data@vps026.deployis.eu does not designate permitted sender hosts) client-ip=xx.x.124.26; Authentication-Results: mx.google.com; spf=none (google.com: www-data@vps026.deployis.eu does not designate permitted sender hosts) smtp.mail=www-data@vps026.deployis.eu Received: by vps026.deployis.eu (Postfix, from userid 33) id 531FD3A844; Thu, 2 Apr 2015 11:24:05 +0200 (CEST) Date: Thu, 2 Apr 2015 11:24:05 +0200 To: ish@legacy.hacklog.in From: =?UTF-8?Q?SBI_Mauritius?= Subject: =?UTF-8?Q?Dear_SBI_Mauritius_Customer=2cYou_Have_A_New_Message?= Message-ID: <8d08f153c4e382e1773c2de47d9d5a42@www.gallerydiabolus.com>

The VIEW YOUR MESSAGE link opens up a page that appears identical to an “online banking login page” that pretends to be SBI Mauritius.

sbi-online

However, the real SBI online banking page looks different than the above. It is hosted under www.onlinesbiglobal.com which is a centralized online banking facility for SBI Worldwide.

Previously, we saw phishing attacks using the domain name of MCB Ltd, Bank One, ABC Banking Corporation and the Public Service Commission of Mauritius.