In the last two days I received 3 mails from BankOfAmerica (no-reply@google.com). The body of the mails is:

We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us.

If this is not completed by September 24, 2007, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner.

To confirm your Online Banking records click on the following link:
http://<<<censured>>>/www.bankofamerica.com/sslencrypt218bit/online_banking/index.php

Thank you for your patience in this matter.
Bank of America Customer Service

Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

© 2007 Bank of America Corporation. All rights reserved

Phishing! In the last few days there has been a large number of phishing attacks against Bank Of America. There are several different kinds of mails, but the result is always the same: they want to steal your account! The 3 mails I got are almost identical; the only difference is the date. I got two mails with "September 22" and one with "September 24". Looking on the net there is an example with "September 17"; I fear they'll send some more in the future. Clicking on the link inserted in the mail redirects you to this page:

[Screenshot: the fake BankOfAmerica Online Banking login page]

Nothing to say: it looks like an original login page. English is not my native language, but I think it's well translated too. That's why so many people are falling for this fraud.

What's behind this page? When I don't know what's behind a link I start by looking at the page source code. The most interesting code resides inside scripts, and lately I'm using Malzilla for this purpose, but there are many other ways.
Anyway, the link inserted in the mail starts with a hex number, and it seems Malzilla is not able to recognize this kind of address. To get around this problem you only have to convert the address.

A little example: suppose you have a link like http://0x480ECD63 ; it will be resolved to http://72.14.205.99/ or, better, www.google.it for me. The conversion from hexadecimal to decimal is done byte by byte, in this way:
48h = 72
0Eh = 14
CDh = 205
63h = 99
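The same conversion as a small Python helper, added here as an example and not part of the original post: it takes a URL whose host is a single 32-bit integer in hex (0x...), octal (leading 0) or plain decimal form and rewrites it with the dotted-quad address, so the link can be fed to a tool that only understands normal addresses. Ordinary hostnames and already-dotted addresses are left untouched.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def integer_host_to_dotted(host: str) -> Optional[str]:
    """Return the dotted-quad form of a host written as one 32-bit integer
    (hex 0x..., octal 0..., or decimal). Returns None for anything else
    (regular hostnames, dotted quads, values that do not fit in 32 bits)."""
    h = host.strip().lower()
    try:
        if h.startswith("0x"):
            value = int(h[2:], 16)          # e.g. 0x480ECD63
        elif h.startswith("0") and len(h) > 1 and h.isdigit():
            value = int(h, 8)               # e.g. 011003546543 (octal)
        elif h.isdigit():
            value = int(h, 10)              # e.g. 1208929635 (decimal)
        else:
            return None
    except ValueError:                      # e.g. "0x" followed by non-hex
        return None
    if value > 0xFFFFFFFF:
        return None
    # IPv4Address splits the integer into its four bytes: 48h.0Eh.CDh.63h
    return str(ipaddress.IPv4Address(value))


def normalize_url(url: str) -> str:
    """Rewrite the host part of url to dotted-quad form when it is an
    integer-encoded address; otherwise return the url unchanged."""
    parts = urlsplit(url)
    dotted = integer_host_to_dotted(parts.hostname or "")
    if dotted is None:
        return url
    netloc = dotted if parts.port is None else f"{dotted}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample link in the style of the one from the mail.
    print(normalize_url("http://0x480ECD63/online_banking/index.php"))
```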

There's a lot of JavaScript in the background; almost all the code is used to check whether the user's details are well formatted. When the user submits a well-formatted combination the information is captured, nothing more.

It's hard to believe, but people are falling for this trick again and again...