"Westpac Bank Detected a Login Attempt from an Unrecognized Device" Phishing Email Scam

The Westpac Bank Phishing Scam

Westpac [no-reply41356 @hlc1.westpac.com.au]

This is an automated message to notify you that we detected a login attempt with a valid password to your account from an unrecognized device yesterday @

Location: NICARAGUA, MANAGUA,IP=173.210.53.78 Latitude, Longitude: 42.26353, -75.2059 Connection through: TELEMATIX/ENITEL Local Time: 2013 08:29 PM (UTC -06:00) IDD Code: 505 Weather Station: MANAGUA (NUXX0004) Usage Type: ISP

Was this you? If so, you can disregard the rest of this email. If this wasn't you kindly follow the account review link:

http://login.westpac.com .au.ia-6804.serv-91. webhop.info/an/index .php?r=3965418253

Sincerely,
Westpac Bank Customer Care
2013 Westpac Financial Corporation. All Rights reserved
E-mail ID: 70409795

This email message claims that someone signed into the recipient's account from a particular location and the recipient should click the link within if they were not the one who signed in from that location. This is a trick to convince the recipient into clicking on the link, which will take him/her to a phishing or fake Westpac sign in or login page.

If the recipient enters his/her Westpac username and password on this bogus or fraudulent website, it will be sent to the scammers behind this fraudulent email message and website. With the recipient’s username and password, these scammers will be able to gain access to that person’s Westpac accounts.

For the link in the email address, if you look at it, you will notice that it ends with "login.westpac.com.au". Now, a lot of persons will look at this and think the link goes to the Westpac website located at http://westpac.com.au, but it does not. The link actually goes to the website "webhop.info".

What the scammers have done is to create subdomain names at the webhop.info website with the name "login.westpac.com.au". The subdomains are the names after the dots (".") in the website name, moving from the right to the left.

Here is an example:

If I create the subdomains "login.westpac.com.au" at onlinethreatalerts.com, this is how the website address would look:
http://login.westpac.com.au. onlinethreatalerts.com

Although the website has westpac.com in it, it does go there; instead, it will go to onlinethreatalerts.com. When looking at a domain or website name, always read it from right to left.

This type of subdomain creating is called "Domain Cloaking" and cybercriminals use this technique to trick persons into believing that they are on a legitimate website.

If you were tricked by this email message into clicking on the phishing link and have entered your Westpac username and password on the phishing web page, please change your Westpac password now or contact Westpac immediately.

Never click on a link to login or sign into any of your online accounts, instead, type the name of the website address into your web browser address bar. Once you are on the homepage of the website, you may navigate to the login or sign-in page.

Westpac bank says: "If you happen to get these emails in future did you know you can forward to hoax@westpac.com.au so our security team can investigate the origin and hopefully shut these fraudsters down."

Check the comment section for additional information, or share what you know or ask a question about this article, by clicking the 'View or Write Comment' button below.

Note: Some of the information in samples on this website may have been impersonated or spoofed.