A week after we have spotted the resurface of BPI phishing emails, a new variant came next with the subject “Automated System Verification [ BPI ]”. The culprits used the same mail template but with a slightly different content.

The newer variant asks recipients to verify their personal account information. As if threatening the bank’s account holders, failure to provide adequate or sufficient information will force them to leave their accounts temporarily unavailable.

The validation link found in the email has a landing page that used an almost perfect imitation of BPI Express Online. The hackers replaced the wording on top of the user credentials with “Update Personal Informations.” to lure their victims in entering their BPI Express Online user IDs.

The domain where the BPI phishing page is hosted is associated to a legit financial website that appeared to have been compromised. This technique is quite similar to our previously reported phishing emails and that hackers may have been doing this primarily to bypass any web filtering solutions that check negative scores of websites against their databases. As of this writing, only Google Safebrowsing currently tags the phishing link as it should be. The malicious page is also still up and running. We have since requested some of the security vendors to block it accordingly. We have also contacted the compromised site about this incident.

Inspecting the mail header reveals the source IP address to be someone using a PLDT line. It’s not surprising that the hacker is just here in the Philippines collecting the data of those victims who have entered their credentials on the phishing page. Cisco Talos gave a poor email reputation for this IP along with a blacklisting from Abuseat and Spamhaus.

For BPI, the bank continues to drive information security campaigns against attacks that target their clients. A sample awareness that the bank initiated was an infographic material shared on their Facebook page back in 2017.

While this phishing campaign is definitely not new to us, we’ll never run out of advising everyone to always keep an eye on any possible hacking attempts to their accounts. In this day and age, we should all be aware that these hackers won’t stop from abusing their skills because there are still people out there who are taking their baits.


Fjordan Allego
Follow me

Related Posts:

By Fjordan Allego

Fjordan Allego aka Fjordz is an IT security practitioner in the Philippines. He maintains a couple of blogs where he shares his views on various topics that he finds interesting. A self-confessed introvert who's mostly active in social media, Fjordz also loves to travel and explore the wonders of the world.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.