Banca Popolare di Milano Fraud

May 7, 2009

Hi,

Here is a recent fraud attempt: this morning I received the following mail:

—————

Subject: Ottimizzazione Piattaforma Tecnica Populare di Milano

Gentile Cliente,

Desiderosi di evitare il possibili tentativi di frode on-line, Banca Populare di Milano, e in corso per ottimizzare la piattaforma tecnica di servizio Banca Populare Online tra il 5 maggio 2009 al 10 maggio 2009.

Per evitare eventuali perdite di dati si prega di compilare il modulo ” Forma di aggiornamento dati di contatto in relazione alla Banca ” che si trova sul nostro sito web o in allegato alla presente e-mail.

Ci scusiamo per gli eventuali disagi causati.

http://www.bpmbanking.it.servizibmp.com/pub/xol/homePriv.do.php?tabId=nav_pub_xol_home

Grazie per la comprensione,
Populare di Milano Sanpaolo Online
_____________________________________________________________________________________
Frodi online ANNUALE FARE MIGLIAIA DI VITTIME – Non essere uno di loro!
Banca Popolare di Milano Societа Cooperativa a r.l. – P.IVA 00715120150 – Gruppo Bipiemme

————-

First of all, the email contains a recurring error: the term ‘populare’, which seems inspired by the Spanish/Brazilian language.

The second suspicious thing is the URL: http://www.bpmbanking.it.servizibmp.com/pub/xol/homePriv.do.php?tabId=nav_pub_xol_home

Although the host name starts with www.bpmbanking.it, the domain actually being contacted is servizibmp.com. That sounds strange, so let’s inspect this domain.

Registry Data
ICANN Registrar:     MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Created:     2009-05-07
Expires:     2010-05-07
Updated:     2009-05-07
Registrar Status:     clientTransferProhibited
Name Server:     YNS1.YAHOO.COM (has 2,399,082 domains)
Name Server:     YNS2.YAHOO.COM (has 2,399,082 domains)
Whois Server:     whois.melbourneit.com

Server Data
IP Address:     216.39.62.190
IP Location     United States – California – Sunnyvale – Altavista Company
Response Code:     200
Domain Status:     Registered And Active Website

As you can understand, an Italian banking service that is located in Sunnyvale, California and powered by Altavista Company is REALLY strange 🙂

The final demonstration that this is a fraud comes from inspecting the real BPM server, www.bpmbanking.it, which is located in Italy.
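The URL check above, together with the creation date shown in the registry data, can be expressed as code. This is an added example, not part of the original post; the function names and the 30-day age threshold are assumptions.

```python
from datetime import date
from urllib.parse import urlsplit

# Legitimate host named in the post; extend with other protected brands.
LEGIT_DOMAINS = ("bpmbanking.it",)
# URL and WHOIS creation date as they appear in the post.
PHISH_URL = ("http://www.bpmbanking.it.servizibmp.com"
             "/pub/xol/homePriv.do.php?tabId=nav_pub_xol_home")
CREATED, RECEIVED = "2009-05-07", "2009-05-07"


def embedded_brand(url, legit_domains=LEGIT_DOMAINS):
    """Return the legitimate domain that appears as labels inside a host
    which does not actually end in that domain, else None."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for legit in legit_domains:
        belongs = host == legit or host.endswith("." + legit)
        # Compare on label boundaries so "xbpmbanking.it" does not match.
        embedded = f".{legit}." in f".{host}."
        if embedded and not belongs:
            return legit
    return None


def domain_age_days(created, seen):
    """Days between WHOIS creation date and the day the mail was seen."""
    return (date.fromisoformat(seen) - date.fromisoformat(created)).days


def triage(url, created, seen, max_age_days=30):
    """Collect reasons to treat the link as suspicious (threshold assumed)."""
    reasons = []
    brand = embedded_brand(url)
    if brand:
        reasons.append(f"host embeds {brand} but is not under it")
    age = domain_age_days(created, seen)
    if age <= max_age_days:
        reasons.append(f"domain registered {age} day(s) before the mail")
    return reasons


if __name__ == "__main__":
    for reason in triage(PHISH_URL, CREATED, RECEIVED):
        print("SUSPICIOUS:", reason)
```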

By browsing http://servizibmp.com we are immediately presented with a directory listing that contains the following entries:

pub/

tmp/

In pub we have:

/pub/xol/

complete.php

go.php

homePriv.do.php

inserti.php

These are fake PHP pages used to capture victims’ information.

See you in the next post 🙂