Category Archives: Phishing

Hackers target Alodia’s fans via Facebook phishing

Fans of cosplayer and vlogger Alodia Gosiengfiao were targeted in a recent phishing scheme that harvests Facebook credentials. The hackers behind this attack got the idea after followers of Gosiengfiao started sharing their email addresses on her official Facebook Page.

Alodia initially posted on her Facebook Page a public invitation to join the online game Among Us. Her fans freely shared their email addresses on the post, which also attracted hackers who saw a pool of accounts they could phish.

Later that day, Alodia received a number of reports from fans saying they couldn't access the link sent to their email accounts. Upon further checking, the hackers were already on the move, having sent out emails containing a malicious link.

In one of the screenshots shared by her followers, the list of email addresses that received the phishing mail was visible. It came from the Gmail account alodia[.]amongusgame[@]gmail[.]com, which Alodia denied sending. According to the social media star, her official email is alodia[@]gmail[.]com.

The Among Us phishing email asks recipients to join a Facebook Group via an embedded link. This embedded link actually redirects to a Facebook phishing page at this URL: hxxp://amongusgroupchat[.]byethost4[.]com/?id=facebook

Those who reached the landing page, especially via mobile, may not have noticed the URL and simply logged in using their Facebook credentials. Doing so only put their Facebook accounts in danger, as the hackers behind this scheme received the credentials on the backend.

Alodia has already apologized to her followers and shared screenshots of the malicious email. Her fans, on the other hand, suggested options for securely gathering information for any future invitations.

For those who received the email, clicked the phishing link, and logged in with their Facebook credentials, we strongly suggest updating your password and enabling 2FA.

As of this writing, Google already blocks the phishing URL.

BDO smishing continues

New variants of text-based phishing messages, aka smishing, have been seen recently online, with quite a number of netizens posting screenshots of what they've received, supposedly from BDO.

Earlier this week, BDO released an advisory on its official Facebook page warning account holders about the increasing number of reports it has been getting.

Did you receive this scam text? Scammers send out messages like this to thousands of mobile numbers, even to non-BDO customers. Alert your family and friends who may have also received the text.

Be smarter than a scammer. Do not click on this link that asks you to verify suspicious account activity.

Remember: We will never send you links to verify your account or to collect customer information. #BDOAntiScam

BDO Official Facebook Page

These smishing messages are not only being sent via SMS. Facebook accounts (allegedly compromised) were also being used to spread the same messages via Messenger.

BDO has been the subject of online bashing for the poor performance of its mobile app. This is most likely the reason why the scammers behind this recent surge of smishing targeted the bank.

It is also worth noting that the people behind this scam are the same ones targeting UnionBank customers. One netizen shared a screenshot of an SMS he received last month supposedly from UnionBank. The same sender also sent a message with a BDO phishing link this week.

Another variant of this smishing campaign makes use of a BDO-related URL but eventually redirects to a BPI phishing site.

We reviewed the domains associated with these variants, and they are all tied to the same IP address that we reported last month.

Below are the new malicious banking domains associated with the IP 163[.]44[.]136[.]225:

Date Registered    Malicious Domain
2020-10-12         bdoonline-privacy[.]com
2020-10-13         bdoonlinesecurity[.]com
2020-10-13         onlinebdo-security[.]com
2020-10-05         metro-bank[.]xyz
2020-09-16         online-bdobank[.]com
2020-09-14         onlinebdobanking[.]com

Rise of smishing attacks vs PH banks

A new, active smishing campaign is targeting clients of Banco De Oro (BDO). The most recent report we received was just last night, with almost the same content as the previous variants released this year.

Just this April, UnionBank clients were hit by an SMS-based phishing attack, prompting the Aboitiz-led bank to release an advisory. Another wave of this attack was seen toward the end of August.

Ayala's Bank of the Philippine Islands (BPI) was not spared either, as cybercriminals sent out SMS messages with a malicious link when the pandemic-induced lockdown started in Metro Manila.

The culprits are now eyeing BDO. This turn may not be surprising given that the bank is one of the largest in the Philippines.

This recent surge of smishing attacks is clearly attributable to the increasing number of Filipinos relying on digital banking during the pandemic. BPI, for instance, reported that digital transactions rose to 90 percent, versus 72 percent prior to the pandemic.

It seems the rise of smishing-related threats will continue. When we were checking the BDO smishing sample, we found newly created domains that may have been bought for similar campaigns. The majority of these domains are malicious variants of UBP and BDO.

The following are the malicious banking domains associated with the IP 163[.]44[.]136[.]225:

Date Created         Malicious Domain
September 13, 2020   onlinebanking-bdo[.]com
September 8, 2020    union-bankph-verify[.]com
September 5, 2020    portal-unionbankph[.]com
September 1, 2020    onlineunion-bank[.]com
August 31, 2020      updateunionbankph[.]com
August 31, 2020      update-unionbankph[.]com
August 30, 2020      onlineunion-bankph[.]com
August 30, 2020      banking-unionbankph[.]com
August 28, 2020      bankingunionbankph[.]com
August 27, 2020      verify-unionbankph[.]com
August 27, 2020      verifyunionbankph[.]com
August 27, 2020      www[.]metrobankph[.]info
August 27, 2020      onlinebankingunionbankph[.]com
August 26, 2020      onlinebanking-unionbankph[.]com
August 26, 2020      ebanking-unionbankph[.]com
August 26, 2020      ub-unionbankph[.]com
August 25, 2020      www[.]metrobank[.]website
August 21, 2020      secure-unionbankph[.]com
August 21, 2020      unionbankph-secure[.]com
August 19, 2020      unionbank-validate[.]com
August 17, 2020      ph-unionbank[.]com
August 16, 2020      unionbank-online[.]com[.]ph
August 16, 2020      unionbankph-online[.]com
August 15, 2020      unionbankph-upgrade[.]com
August 12, 2020      www[.]bdoonline-security[.]com
August 10, 2020      metrobankph[.]com[.]ph
August 8, 2020       unionbankph-update[.]com
August 7, 2020       unionaccount[.]info
August 7, 2020       onlinebdo-getverify[.]com
August 4, 2020       bdoonlinevalidate[.]com
August 3, 2020       bdoonline-updgrade[.]webstarterz[.]com
August 2, 2020       bdo-onlineverify[.]webstarterz[.]com
July 31, 2020        bdoonline-verify[.]biz
July 31, 2020        bdo-onlineverify[.]info
July 31, 2020        bdo-onlineverify[.]xyz
July 31, 2020        bdoupdate[.]webstarterz[.]com
July 31, 2020        bdoonline-verifylogin[.]webstarterz[.]com
July 29, 2020        bdoonlineupgrade[.]webstarterz[.]com
July 28, 2020        bdogetverified[.]webstarterz[.]com
July 26, 2020        www[.]onlinebdoverify[.]com
July 23, 2020        onlinebdo-care[.]com
July 23, 2020        bdo-online[.]ph
July 22, 2020        onlinebdo-updates[.]com

The IP and domains have already been reported to security vendors for blocking. We will also notify the banks involved about these findings for the domains that are still active.

Credits: BDO FB Page (for the main photo) and Mr. James Chris Uy (for the BDO smishing copy)

UnionBank warns against smishing

Apparently, it's not just the Bank of the Philippine Islands (BPI) that is currently being targeted by a smishing campaign. Union Bank of the Philippines (UnionBank) is facing the same threat to its growing base of digital banking customers.

In its recent email advisory, UnionBank warns its clients against cybercriminals who are using text messaging to lure recipients to a phishing site. According to the bank, it has been receiving reports of this SMS-based phishing recently.

Similar to phishing sent via email, the text message uses the same tone: there's an issue with the victim's account that needs to be verified ASAP to avoid cancellation.

What's interesting about this particular smishing variant is that the people behind it appear to have carefully planned its execution.

First, it used the name 'UnionBank' as the SMS sender. Instead of using a random 4-digit number or prepaid numbers, the culprit managed to run a tool that made the delivered smishing message appear to come from the bank.

Second, to hide the malicious URL that victims would eventually be redirected to, they used a customized bit.ly short link. While this isn't a new tactic at all, it added more legitimacy to the SMS alert. Imagine getting a text message from 'UnionBank' containing a link to https://bit[.]ly/UBVerify. I'm pretty sure a lot would fall prey to this, right?

Third, the phishing page is hosted on a domain almost identical to UnionBank's official one. The bank's website is unionbankph[.]com, while the phishing domain is unionbnkph[.]com. Pretty smart move!

The UnionBank phishing domain was registered only about a month ago, on March 24, 2020, based on its who.is records. This is the period when most of us are on community quarantine due to COVID-19. If the culprit is based here in the Philippines, he must be taking advantage of this time when people are mostly at home and rely heavily on technology for banking transactions.

Fourth, and perhaps the best strategy the cybercriminal employed for this campaign, was to make this a smishing attack instead of a regular phishing mail. Not only was he able to bypass email anti-spam and web security filtering, he was also able to leverage the newly purchased domain to work perfectly on internet-enabled smartphones. When the victim clicks the bit.ly link and is redirected to the phishing site, the domain still looks just like UnionBank's in a mobile phone browser. The culprit just needs to ensure that the phishing landing page is an exact replica of UnionBank's online banking site.

As of this writing, the UnionBank phishing site is already down. Hopefully, the bank will acquire this domain, as it could be used again for similar malicious activities in the future.
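The lookalike domain above (unionbnkph[.]com versus unionbankph[.]com) and the brand-plus-bait names in the BDO and UnionBank domain tables are two different impersonation patterns, and a defender triaging new registrations wants to catch both. The following Python script is an added example, not code from any of the posts or the banks: it refangs a list of indicators, classifies each by whether a brand token appears inside the leftmost label or the label is within a small edit distance of a brand, and leaves everything else for manual review. Only unionbankph.com is taken from the post; the other legitimate domains, the brand tokens, the edit-distance threshold and the sample list are assumptions for the example.

```python
"""Triage a list of defanged domains for bank-brand impersonation.

Added example, not code from the posts above or from the banks. The sample
domains are defanged indicators quoted in the posts; LEGIT_DOMAINS (except
unionbankph.com, which the post states), BRAND_TOKENS and MAX_EDITS are the
defender's own assumptions and should be tuned for the brands you protect.
"""
from typing import Optional

# Assumed legitimate domains of the brands discussed (unionbankph.com is from
# the post; the rest are assumptions for this example).
LEGIT_DOMAINS = {"unionbankph.com", "bdo.com.ph", "bpi.com.ph", "metrobank.com.ph"}

# Brand tokens, longest first so "unionbankph" is reported before "unionbank".
# Very short tokens such as "bdo" and "bpi" are prone to false positives and
# deserve analyst review rather than automatic blocking.
BRAND_TOKENS = ("unionbankph", "unionbank", "metrobank", "bdo", "bpi")

# Lookalike tolerance: unionbnkph vs unionbankph is a single edit apart.
MAX_EDITS = 2


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as bdo-online[.]ph into a real hostname."""
    host = indicator.strip().lower().replace("[.]", ".")
    return host[4:] if host.startswith("www.") else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(indicator: str) -> Optional[tuple[str, str]]:
    """Return (brand, reason) when the domain looks like bank impersonation.

    reason is "contains-brand" for brand-plus-bait names such as
    bdoonline-verify[.]biz, or "near-brand" for typosquats such as
    unionbnkph[.]com. Returns None for legitimate domains and for names the
    lexical checks cannot tie to a brand (those still need other evidence,
    such as the shared hosting IP the posts pivot on).
    """
    host = refang(indicator)
    if host in LEGIT_DOMAINS:
        return None
    # The impersonation lives in the leftmost label; drop hyphens and digits
    # so "union-bankph-verify" still contains "unionbankph".
    label = host.split(".")[0]
    compact = "".join(ch for ch in label if ch.isalpha())
    for brand in BRAND_TOKENS:
        if brand in compact:
            return brand, "contains-brand"
    for brand in BRAND_TOKENS:
        if levenshtein(compact, brand) <= MAX_EDITS:
            return brand, "near-brand"
    return None


def triage(indicators: list[str]) -> dict[str, Optional[tuple[str, str]]]:
    """Classify every indicator in a list, e.g. one of the domain tables above."""
    return {ind: classify(ind) for ind in indicators}


# Constructed sample: a few defanged indicators from the posts, plus the
# legitimate UnionBank domain and the BPI lure host as controls.
SAMPLE = [
    "bdoonline-privacy[.]com",
    "union-bankph-verify[.]com",
    "www[.]metrobankph[.]info",
    "metro-bank[.]xyz",
    "unionbnkph[.]com",
    "unionaccount[.]info",
    "securityalertupdates[.]com",
    "unionbankph[.]com",
]

if __name__ == "__main__":
    for indicator, verdict in triage(SAMPLE).items():
        print(f"{indicator:32} {verdict}")
```

Two of the sample entries come back as None on purpose: unionaccount[.]info carries no brand token, and securityalertupdates[.]com (the BPI lure host) has no lexical tie to any bank at all. That is the limit of name-based checks, and it is why the posts pivot on the shared hosting IP and passive DNS to find the rest of an infrastructure set.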

New smishing targets BPI clients this ECQ

While the country is busy controlling the spread of the COVID-19 disease, hackers are also busy trying to victimize people.

A recent smishing campaign is targeting clients of Bank of the Philippine Islands (BPI). Smishing is the use of the short message service (SMS), or simply text messages, to phish for account credentials.

The new smishing campaign, allegedly sent by BPI Fraud Support 24/7, advises recipients that the bank "detected some unauthorized login reports" on their BPI Savings account. It then recommends securing their accounts by clicking on the provided reference link.

It seems this was sent to a number of people regardless of whether they have active BPI accounts. Some netizens posted screenshots of the same text message even though they don't have an account with the bank at all.

What does it do?

The reference link in the SMS obviously does not belong to BPI. Clicking it leads the victim to a fake website hosted at securityalertupdates[.]com, a replica of BPI's online banking page. When accessing it via mobile, some people would really think they are on their bank's website. The only giveaway is the difference in the domain.

The hackers behind this campaign are simply waiting for victims to enter their bank credentials into the fake BPI online banking site. On the backend, all credentials are collected and validated.

In a conversation with Kester Timothy Teofilo, an IT professional who was able to look at the code used to build the fake website, he confirmed that once the credentials are validated, they are sent to another address hosted at orchadasch[.]at and workgrab[.]se. Note that these domains may not be directly involved; they may have been compromised earlier so the hackers could further hide their traces.

What to do?

BPI clients who may have entered their bank credentials on the fake website should update their online account credentials immediately and report it to BPI for possible temporary blocking.

It's best to educate your family and friends to double-check the links in the text messages they receive. Or better, download the bank's official mobile app and transact there instead.

BPI has been sending advisories during the enhanced community quarantine (ECQ) season against phishing and other similar activities targeting their clients.

The URLs involved have already been reported to security vendors for blocking. We will also share these findings with BPI to help with their investigation.

Weebly site phishes FB accounts for mobile load

It's now easy to create a website thanks to services offered by Weebly and the like. With just a few clicks here and there and a little creativity, you'll have your own space on the internet in no time. You don't even have to pay anything unless you want to buy your own domain.

However, some are using these easy-to-set-up website services to host malicious pages that lure innocent people into their schemes.

A Weebly-built website called LiveLoadPH is currently up and actively being shared online by people whose Facebook accounts may have been compromised.

How does it work?

If you came across a friend's post saying you'll get free Php 100 load just by going to https://liveloadph[.]weebly[.]com, you might get curious and check what it's all about.

The website's main banner welcomes users with the statement "Stay connected to your friends and family.", as if to touch its innocent visitors' emotions in relation to the COVID-19 community quarantine.

Scrolling down shows a screenshot of Php 100 load, perhaps to convince people that they are really giving away that much. It further warns visitors to fill out the registration form only once, to avoid spamming their database with multiple requests.

Down at the bottom is a public service advisory reminding people that operating hours are limited due to the COVID-19 situation. Right beside it is the registration form.

The registration form contains multiple fields, including phone number, FB email, password, network and load denomination. If you are in your right mind, you would stop at the second field, which asks for your FB email. Why would they need it? And then your password?

But just in case you've already made up your mind and are going after that Php 100 load because you badly need it, submitting the form eventually redirects you to a GCash referral page.

Yes, a GCash referral page. A page where someone earns Php 50 worth of GCash freebies if you decide to sign up. And that someone is most likely the person behind this scheme. Not only has he already got your Facebook account credentials, he's also trying to earn GCash rewards from his victims. That's pure selfishness right there.

Obviously, this website is just phishing for Facebook account credentials to be used for whatever agenda the culprit has in mind. Victims won't get anything in return, not even the promised Php 100 load.

If you have already signed up, make sure to update your Facebook password immediately. If you're using the same password for your email and other online accounts, update them all ASAP!

We have already submitted the URL to known security vendors for blocking. We will also contact Weebly to take down the LiveLoadPH website and report the GCash referral code to GCash for possible suspension.

Fake Promo Alert: Free Netflix access due to COVID-19 quarantine

You may have seen a couple of your friends sharing a link to an ongoing Netflix promo offering two months of free premium subscription, supposedly to keep everyone busy at home in compliance with the government's enhanced community quarantine mandate due to the COVID-19 pandemic. It is quite tempting for those who are already getting bored. However, the promo is fake.

Netflix did not release any such promo recently. They do have free trials, but according to their website, these are currently not offered in the Philippines.

Cyber Security Philippines – CERT, the first computer emergency response team in the country, has already released an advisory telling those who have clicked the link to update their passwords.

What does it do?

Those who fall for this scheme are first redirected to a Facebook login page, which shows the name of the entity you're giving access to your social media account and the information it would collect.

Based on the screenshot, the third-party application is called NeTflix (yes, it's spelled exactly that way, which is obviously not how Netflix writes its brand), with an outdated logo and a privacy policy that redirects to a certain flixflix[.]xyz domain, which is not related to Netflix's real corporate site.

Further checking the information this app would get from your Facebook account shows that it would only collect your name and profile picture. It also explicitly says that the app won't post anything to your account.

If you continue to allow the app access to your account, Facebook will alert you that the app logged in on your behalf. So far, at this point, we know that this malicious Netflix app can log in to our Facebook account and keeps records of our name and profile picture.

If you're purely innocent and just after the free Netflix access, you would answer the simple questions that flixflix[.]xyz (the website you are redirected to afterwards) prompts you with. Upon completion, it asks you to share the promo with your friends (at this point, you are redirected to another domain called flixa[.]xyz). This just helps spread the fake promo without you getting access to the promised premium Netflix account.

Note that the malicious domains involved also vary from time to time. When we did our next test, the domain had changed to flixu[.]xyz, although the content remained the same. All these domains are hosted on the IP address 104[.]219[.]248[.]64. Passive DNS replication revealed hundreds of malicious domains; the most recent ones are related to the Netflix scam (around 16) and COVID-19.

What to do?

If you're one of those who clicked the link and allowed access to your Facebook account, update your password ASAP. Also, make sure to remove the app from your account by going to Settings > Apps and Websites, then look for NeTflix. Tick the box next to View and edit, then click Remove.

If you have extra time, report the app directly to Facebook in the hope that they take it down soon.

You can also report this to NBI Cybercrime Division online.

On our end, we have already reported the associated domains to security vendors for blocking. Also make sure your antivirus software is up to date.

Netflix Photo Credits: adweek.com

Bulacan website hacked to host BDO phishing page

A recent phishing campaign involving BDO is particularly interesting, as the culprits used a government-hosted website in their malicious email. The website of the province of Bulacan was compromised to host the landing page of this phishing incident.

Facebook user Crystel VT first posted on her timeline screenshots of the BDO phishing mail. At first glance, it may look exactly like its legitimate counterpart, but closer inspection reveals many red flags. The good thing is, Crystel wasn't gullible enough to believe it.

In her post, Crystel wondered how these people managed to get hold of her email address. While the question is valid, the more pressing question is: how did these hackers compromise Bulacan's official website?

The thing is, most of our government websites aren't really secure to begin with. While the government's efforts to raise cybersecurity awareness are a good initial step, we still have a long way to go to establish a good reputation for our government-managed websites.

Bulacan's website has been repeatedly targeted due to the poor security in place. Remember the April Lulz event of Pinoy LulzSec? Bulacan's website was compromised there for two straight years, 2018 and 2019.

Tzar Umang, another concerned netizen, shared his dismay over the incident. He urged the Department of Information and Communications Technology (DICT) “to take a look at the security of different gov.ph sites” for vulnerabilities.

In a private conversation, Crystel said that she already reported this to BDO. The phishing URL has since been taken down.

Coins.ph phishing mail entices users with P10K raffle prize

Customers of Coins.ph are now being targeted with a new variant of phishing mail that entices recipients with a raffle prize of P10,000.

Coins.ph user Raymart Pamplina shared on Facebook the phishing mail he received, which claims he won P10,000 in a supposed yearly Coins.ph raffle.

Based on the company's promo page, Coins.ph does not run any yearly raffle that gives users a chance to win P10,000.

This kind of phishing mail is pretty common nowadays, especially for brands like Coins.ph whose business revolves around virtual currency and other online financial services.

GCash saw similar phishing mails earlier this year, primarily targeting users who are fond of joining regular promos.

The phishing link is no longer accessible as of this writing.

The recipient said he's not sure how the culprits got his email. A quick check on haveibeenpwned.com, a website listing email addresses exposed in data breaches, suggests that the recipient's email has been compromised twice: in JobStreet's October 2017 data breach and in December 2018, when Dubsmash suffered a similar fate.

It is important that those who find their email in the database update their respective accounts and enable two-factor authentication.

We will coordinate this with Coins.ph for proper action on their end.
