Amazon Leads Malware Hosts and Getting Worse

From: WBC <info@wbc.com>
Subject: 1 new Payment!

Email content:

The link “Click here to Sign In Westpac Online Banking” opens the web page: http://stokki.pl/wp-content/themes/twentyfourteen/genericons/web.php.

The stokki.pl website is registered in Poland and has the following details:

genuine web site

https://www.nazwa.pl/

WHOIS database responses: http://www.dns.pl/english/opiskomunikatow_en.html

When the web page is opened, it automatically redirects to http://ferhat.com.tr/templates/ferhat12/images/system/West-Log/xls.html, where a fake Westpac website is hosted.

fake westpac

 

The genuine website, by contrast, looks like this:

genuine web site
The site creates a cookie as well:

website cookie
The final site, ferhat.com.tr, belongs to a local Turkish company whose website has probably been compromised. The WHOIS records show that the domain name was created back in 2000.
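
The two hops described above can be triaged offline from the URLs alone. The following Python code is an added example, not part of the original post; the `westpac.com.au` allow-list, the directory list and the finding names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the impersonated brand really uses (not stated in the post).
BRAND = "westpac"
LEGIT_DOMAINS = {"westpac.com.au"}

# The two hops reported in the post, in order.
CHAIN = [
    "http://stokki.pl/wp-content/themes/twentyfourteen/genericons/web.php",
    "http://ferhat.com.tr/templates/ferhat12/images/system/West-Log/xls.html",
]

# Heuristic (assumption): theme/template/image directories normally hold static
# assets, so a directly requested page or script inside them deserves a look.
ASSET_DIRS = ("/wp-content/themes/", "/templates/", "/images/")
ACTIVE_EXT = (".php", ".html", ".htm")


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_legit(host):
    # Exact match or a true subdomain; "westpac.com.au.evil.example" fails.
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def findings(chain, link_text):
    """Return (hop_index, reason) pairs for each heuristic that fires."""
    out = []
    claims_brand = BRAND in link_text.lower()
    for i, url in enumerate(chain):
        parts = urlsplit(url)
        host, path = host_of(url), parts.path.lower()
        if parts.scheme != "https":
            out.append((i, "no TLS"))
        if any(d in path for d in ASSET_DIRS) and path.endswith(ACTIVE_EXT):
            out.append((i, "page served from CMS asset directory"))
        if claims_brand and not is_legit(host):
            out.append((i, "brand link resolves to non-brand host"))
        if i > 0 and host != host_of(chain[i - 1]):
            out.append((i, "redirect crosses to a different host"))
    return out


if __name__ == "__main__":
    text = "Click here to Sign In Westpac Online Banking"
    for hop, reason in findings(CHAIN, text):
        print(f"hop {hop} ({host_of(CHAIN[hop])}): {reason}")
```
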

Domain names