Wednesday, February 07, 2007

Equitable PCI Bank Phishing

I received this email toady purportedly from Equitable-PCI Bank informing me of unsuccesful login attempts on my online banking account and thus requiring me to review my account activity for any anomaly

the email is not directly addressed to me but to a resigned co-employees. I was only BCCed. The link to the FastNet site will take you not to the legitimate site i.e. but rather to this phishing site.

Note that entering my account number and PIN, the miscreant will then be able to get and use my account information for whatever evil purposes-- that is if I have an Equitable PCI Bank account!

Digging deeper into the email headers and page source, I found these details:

1. Phishing website copied from Fastnet using HTTRACK available here
2. Used FROM email address: "Equitable PCI BANK"
3. Sent to a random email typical of phishers
4. Return Path:
5. SMTP server used:
6. IP address of email sender: traced to the Czech Republic
netname: GBCOMP-NET
descr: NoRoNet
descr: Municipal Network
descr: GB-COMP v.o.s.
descr: Nova Role
country: CZ

7. Note both IP address may be routed through Czech Republic IP address and does not necessarily come from there.
8. Phishing site is using domain name HKDNR WHOIS site.
Registered on February 6, 2007 up to February 6, 2008
Registrant Name: SADA LOPA
Country: US
Account Name: HK1806283T

9. Server hosted in using there IP addresses taken from authoritative DNS server

I could have dug deeper into this one but I know I'll be facing a blank wall. I'm sure the guys at Equitable PCI Bank are already aware of this.

Note that phishing is an attack against the account holder and not directly at the bank itself. The only way to combat this is to educate users on how to discern legitimate sites from fake ones. There are, however, various ways to guard against phishing, one of which is strong 2nd factor authentication already being studied by various local banks.


  1. hi,

    got your email thru phphoto, i also got these emails from ebay, citibank... but when you click thre link, the status bar shows the link address of the link you're clicking, meaning to say that this site is not the actual site you're going to... im using thunderbird email program and when you get to read the message, the title has a notification that something "this is a clone or spam..."
    thunderbird is free anyway

  2. oh great!
    i was just checking my emails and i got one too! :)
    i dont have any account with epci

  3. PCIB, Ebay, Amazon, Paypal. You name it, these scammers have all of these. I think a massive campaign like in bigger print ads and TV ads is needed to educate ordinary consumers. As far as I know, only "computer techie" like us can easily detect all of these scam things. those plain email users are susceptible to this attack and prone to be easily deceived...
    Well, thanx for sharing. That surely helps...