From: WBC <email@example.com>
Subject: 1 new Payment!
The link “Click here to Sign In Westpac Online Banking” opens the web page: http://stokki.pl/wp-content/themes/twentyfourteen/genericons/web.php.
Stokki.pl web site is registered from Poland and has the following details:
WHOIS database responses: http://www.dns.pl/english/opiskomunikatow_en.html
When the web page is opened, it redirects automatically to : http://ferhat.com.tr/templates/ferhat12/images/system/West-Log/xls.html where a fake westpac website is hosted.
Although the genuine web site looks like:
The site creates a cookie as well:
The final site ferhat.com.tr is a Turkish local company, and their website is probably compromised. The whois records show that the domain name is created back in 2000.