A new active smishing campaign is targeting clients of Banco De Oro (BDO). The most recent report we received came in just last night, with content almost identical to that of the previous variants released this year.

Just this April, UnionBank clients were hit by an SMS-based phishing attack, prompting the Aboitiz-led bank to release an advisory. Another wave of this attack was seen towards the end of August.

Ayala’s Bank of the Philippine Islands (BPI) was also not spared: cybercriminals sent out SMS messages containing a malicious link when the pandemic-induced lockdown started in Metro Manila.

The culprits are now eyeing BDO. This turn may not be surprising given that the bank is one of the largest in the Philippines.

This recent surge of smishing attacks can be attributed to the increasing number of Filipinos relying on digital banking during the pandemic. BPI, for instance, reported that digital transactions increased to 90 percent, versus 72 percent prior to the pandemic.

It seems the rise of smishing-related threats will continue. While checking the BDO smishing sample, we found newly created domains that may have been bought for similar campaigns. The majority of these domains were malicious variants of UBP (UnionBank) and BDO domains.

The following are the malicious banking domains associated with the IP 163[.]44[.]136[.]225:


The IP and domains were already reported to security vendors for blocking. We will also notify the involved banks regarding these findings for the active domains.
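One way a defender could screen a feed of newly registered domains for the bank-brand naming pattern described above. This is an added example, not code from the original post; the lure-word list, the allowlist entry, the 60-day threshold and the sample feed are assumptions constructed for illustration.

```python
import re
from datetime import date

BRANDS = ("bdo", "unionbank", "metrobank")  # banks named in the post
LURES = ("verify", "update", "upgrade", "secure", "validate", "online", "banking")  # assumed
ALLOWLIST = ("bdo-bank.example",)  # placeholder for the banks' genuine domains


def refang(indicator):
    """Convert a defanged indicator ('a[.]b[.]example') to a plain hostname."""
    return indicator.strip().lower().replace("[.]", ".").strip(".")


def brand_in_token(token):
    """Return the brand when a token is only a brand plus lure words."""
    for brand in BRANDS:
        if brand in token:
            rest = token.replace(brand, "", 1)
            for lure in LURES:
                rest = rest.replace(lure, "")
            if not rest:  # 'onlinebdo' matches; 'abdomen' leaves 'amen' and does not
                return brand
    return None


def assess(indicator, created, today, max_age_days=60):
    """Return the reasons a domain looks like a bank lookalike ([] if none)."""
    domain = refang(indicator)
    brands = sorted({b for t in re.split(r"[.-]", domain) if (b := brand_in_token(t))})
    if not brands or any(domain == ok or domain.endswith("." + ok) for ok in ALLOWLIST):
        return []
    reasons = ["brand:" + b for b in brands]
    reasons += ["lure:" + word for word in LURES if word in domain]
    if (today - created).days <= max_age_days:
        reasons.append("newly-registered")
    return reasons


# Constructed sample feed (.example is a reserved TLD): (defanged domain, creation date)
SAMPLES = [
    ("onlinebdo-verify[.]example", date(2020, 9, 10)),
    ("secure-unionbank[.]example", date(2020, 3, 1)),
    ("abdomen-clinic[.]example", date(2020, 9, 12)),
    ("online[.]bdo-bank[.]example", date(2020, 9, 12)),
]

if __name__ == "__main__":
    for name, created in SAMPLES:
        print(refang(name), assess(name, created, today=date(2020, 9, 14)) or "no match")
```

A brand glued to a word that is not in `LURES` within the same hyphen-delimited token is not matched, so extend `LURES` from the names actually observed in your own feed.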

Credits: BDO FB Page (for the main photo) and Mr. James Chris Uy (for the BDO smishing copy)

Fjordan Allego

Fjordan Allego aka Fjordz is an IT security practitioner in the Philippines. He maintains a couple of blogs where he shares his views on various topics that he finds interesting. A self-confessed introvert who's mostly active in social media, Fjordz also loves to travel and explore the wonders of the world.

2 thoughts on “Rise of smishing attacks vs PH banks”
  1. It’s alarming how many phishing scams have risen since this pandemic began. It’s also infuriating how people can take advantage of others! It’s always good to be careful when doing online bank transactions as you just don’t know if your hard-earned money is being targeted and stolen. Thanks for sharing this!
