Bank UBI Fraud – Phishing Domain


The following blog entry is the result of a research accomplished by Me and Emdel from Playhack that received the mail and with me wrote the paper.

The scam email is the following:


GENTILE CLIENTE DI _BANCA UBI,_ Il Servizio Tecnico di Banca UBI Online sta eseguendo un aggiornamento programmato del software bancario al fine di migliorare la qualita dei servizi bancari. Le chiediamo di avviare la procedura di conferma dei dati del Cliente. A questo scopo, La preghiamo di cliccare sul link che Lei trovera alla fine di questo messaggio. CLICCA QUI PER CONFERMARE [1] Ci scusiamo per ogni eventuale disturbo, e La ringraziamo per la collaborazione. &copy Gruppo UBI Banca 2008 Links:


Which contains the following link:

It is clearly a phising site this url: In fact there is not a secure connection so loved by the banks, and the url is mainly a ip address. Looking at the browser bar we can see a redirection:

This last URL give us the following reply:

HTTP/1.1 302 Found

Date: Sun, 28 Sep 2008 12:53:17 GMT

Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c

X-Powered-By: PHP/5.2.0-8+etch10


Content-Length: 0

Connection: close

Content-Type: text/html; charset=WINDOWS-1251


<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//IT” “”&gt;

<html><head><title>Gruppo UBI Banca – Qui UBI – LOGIN</title>

<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″>

<meta http-equiv=”CONTENT-LANGUAGE” content=”Italian”>

<meta http-equiv=”Expires” content=”Dom, 01 Gen 2006 11:56:50 GMT”>

<meta http-equiv=”Pragma” content=”no-cache”>

<meta http-equiv=”Cache-Control” content=”no-cache”>

<meta name=”keywords” content=””>

<meta name=”description” content=”Build Fase 4.40.00 – 30.01.2008 – Blocchi CI”>

<link rel=”stylesheet” href=”login.do_files/bpu.css” type=”text/css”>

<link rel=”shortcut icon” href=”“>

Here Starts the fraud:

<h2 title=”Benvenuto in Qui UBI Home Banking”>

<span>Benvenuto in Qui UBI Home Banking!<br>

Qui UBI รจ un mondo di servizi di Internet Banking che ti permette di avere la tua banca sempre a portata di mano.



CreditCard Number:

<form name=”LoginForm” method=”post” action=”” onSubmit=”javascript:checkAndSubmitLogin();” style=”display: inline;”>

<div class=”txt-form-home”>Codice cliente

<label for=”field1″ style=”display: none;”>Codice cliente</label>


<input name=”codice” tabindex=”1″ value=”” onKeyPress=”hideErrors();if (event.keyCode==13) {entra(); return false;}” id=”field1″ class=”campiform szInpHome” type=”text”>


<div class=”txt-form-home”>Codice sicurezza (password)

<label for=”field2″ style=”display: none;”>Codice sicurezza</label></div>

<input name=”password” tabindex=”2″ value=”” onKeyPress=”hideErrors();if (event.keyCode==13) {entra(); return false;}” id=”field2″ class=”campiform szInpHome” type=”password“>



<div class=”txt-form-home”>PIN Dispositivo

<label for=”label” style=”display: none;”>Codice sicurezza</label></div><input name=”pin” tabindex=”2″ value=”” onKeyPress=”hideErrors();if (event.keyCode==13) {entra(); return false;}” id=”field3″ class=”campiform szInpHome” type=”password“>

If we compile correctly the form the Credentials are Stolen and  victim redirected to the True UBI Bank Website.

WHOIS Information

Now it is time to dive into whois information to understand the real origin of this weird website:

Query sull’IP
Name Resolution:

inetnum: –
netname: Neo-CNT
descr: BRAS E-320-29 DHCP-pool
descr: Russian Central Telegraph, Moscow
country: RU
admin-c: VYK9-RIPE
admin-c: AAP43-RIPE
tech-c: VYK9-RIPE
mnt-by: CNT-MNT
source: RIPE # Filtered

person: Victor Y. Kovalenko
address: Central Telegraph
address: 7, Tverskaya st.
address: 103375, Moscow, Russia
remarks: phone: +7 095 2924959
phone: +7 495 2924959
nic-hdl: VYK9-RIPE
remarks: Network Administrator
source: RIPE # Filtered
remarks: modified for Russian phone area changes

person: Alexey A Petrov
address: 7, Tverskaya st.,
address: Central Telegraph, Moscow,
address: 125375, Russia
remarks: phone: +7 095 504 4449
phone: +7 495 504 4449
remarks: fax-no: +7 095 201 9319
fax-no: +7 495 201 9319
nic-hdl: AAP43-RIPE
remarks: Network Administrator
source: RIPE # Filtered
remarks: modified for Russian phone area changes

descr: CNT-network BLOCK
origin: AS8615
mnt-by: CNT-MNT
source: RIPE # Filtered

It is from Russia! This year a lot of attacks, frauds and other kind of illicit actions were born in ex URSS and sometimes there is the RBN shadow.

Summing up the url steps:

An image can clarify the main fake features of the Russian website:

Written by Giuseppe ‘Evilcry’ Bonfa’ and Emdel

2 Responses to Bank UBI Fraud – Phishing Domain

  1. emdel says:

    Good worrk bro ๐Ÿ™‚

  2. Sa3Q says:

    Thank you man you are great

    walk and i will back with you

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: