Amazon Leads Malware Hosts and Getting Worse

From: WBC <info@wbc.com>
Subject: 1 new Payment!

Email content:

[Image: email content]

The link “Click here to Sign In Westpac Online Banking” opens the web page: http://stokki.pl/wp-content/themes/twentyfourteen/genericons/web.php.
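The mismatch described above, between a link's Westpac wording and its actual destination, can be checked mechanically when triaging a reported email. This is an added example, not part of the original post; the brand-to-domain allowlist (westpac.com.au), the heuristic names and the sample HTML body are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains that legitimately host each brand's sign-in pages.
BRAND_DOMAINS = {"westpac": ("westpac.com.au",)}
# A script under a WordPress theme/plugin/upload folder is rarely a real login page.
WP_SCRIPT = re.compile(r"/wp-(content|includes)/.+\.php$", re.I)

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Store the href with its whitespace-normalised visible text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def triage_links(html):
    """Return one finding per link that trips at least one heuristic."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlsplit(href)
        host = (url.hostname or "").lower()
        reasons = [f"brand-mismatch:{brand}" for brand, domains in BRAND_DOMAINS.items()
                   if brand in text.lower()
                   and not any(host == d or host.endswith("." + d) for d in domains)]
        if WP_SCRIPT.search(url.path):
            reasons.append("wp-content-script")
        if url.scheme != "https":
            reasons.append("no-tls")
        if reasons:
            findings.append({"host": host, "text": text, "reasons": reasons})
    return findings

# Constructed sample body: first link is the one quoted above, second is a benign control.
SAMPLE_EMAIL = (
    '<a href="http://stokki.pl/wp-content/themes/twentyfourteen/genericons/web.php">'
    'Click here to Sign In Westpac Online Banking</a>'
    '<a href="https://www.westpac.com.au/">Westpac home page</a>'
)
```

Calling `triage_links(SAMPLE_EMAIL)` flags only the stokki.pl link, for all three reasons, and leaves the control link alone.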

The stokki.pl website is registered in Poland and has the following details:

[Image: genuine web site]

https://www.nazwa.pl/

WHOIS database responses: http://www.dns.pl/english/opiskomunikatow_en.html

When the web page is opened, it automatically redirects to http://ferhat.com.tr/templates/ferhat12/images/system/West-Log/xls.html, where a fake Westpac website is hosted.

[Image: fake Westpac page]

The genuine website, by contrast, looks like this:

[Image: genuine web site]

The site creates a cookie as well:

[Image: website cookie]

The final site, ferhat.com.tr, belongs to a local Turkish company, and its website is probably compromised. The WHOIS records show that the domain name was created back in 2000.

[Image: domain names]
