While the country is busy controlling the spread of the COVID-19 disease, hackers are also busy trying to victimize people.

A recent smishing campaign is targeting clients of Bank of the Philippine Islands (BPI). Smishing is the use of short message services (SMS) or simply text messages to phish account credentials.

The new smishing campaign, allegedly sent by BPI Fraud Support 24/7, advises recipients that the bank “detected some unauthorized login reports” on their BPI Savings account. It then recommended to secure their accounts by clicking on the provided reference link.

It seemed like this was sent to a number of people regardless if they have active BPI accounts or not. Some netizens were posting screenshots of the same text message that they received even though they don’t have an account with the bank at all.

What does it do?

The reference link mentioned in the SMS obviously does not belong to BPI. Clicking on it would lead the victim to a fake website hosted in securityalertupdates[.]com. It’s a replica of BPI’s online banking page. If you’re accessing it via mobile, some people would really think that they are accessing their bank’s website. The only giveaway there is the difference in the domain.

The hackers behind this campaign are just waiting for their victims to enter their bank credentials in the fake BPI online banking site. In the backend, all credentials will be collected and validated.

In a conversation with Kester Timothy Teofilo, an IT professional who was able to look on the codes used to build the fake website, he confirmed that once the credentials are validated, it will be sent to another address hosted in orchadasch[.]at and workgrab[.]se. Note that the domains mentioned may not really be directly involved. These may have been earlier compromised so hackers could further hide their traces.

What to do?

BPI clients who may have entered their bank credentials in the fake website should update their online account immediately and report it to BPI for possible temporary blocking.

It’s best to educate your family and friends to double check the links in text messages that they’re getting. Or better, download the official mobile app of the bank and transact there instead.

BPI has been sending advisories during the enhanced community quarantine (ECQ) season against phishing and other similar activities targeting their clients.

The URLs involved were already reported to security vendors for blocking. We will also share these findings to BPI to help them on their investigation.

Fjordan Allego
Follow me

Related Posts:

By Fjordan Allego

Fjordan Allego aka Fjordz is an IT security practitioner in the Philippines. He maintains a couple of blogs where he shares his views on various topics that he finds interesting. A self-confessed introvert who's mostly active in social media, Fjordz also loves to travel and explore the wonders of the world.

One thought on “New smishing targets BPI clients this ECQ”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.