Can it be a scam if a shortcut points to https://xxxx.bankofamerica.com/xxxx

rberke
Yesterday I got an interesting SPAM that looked very much like the scam you see here.

I right-clicked on the shortcut and copied it to the clipboard, then pasted it into Chrome on my test machine.  It takes me to what appears to be a legit bankofamerica website.  I have attached a screenshot.  I did not enter my passwords, but it sure looks 100% legit to me.

Here is the url:  https:/ / billpay-ui.bankofamerica.com/ imm/ PaymentCenter/ Index/ 8404?csbi=644077671&b0=20190916192841396056
I have added a space after each / to make it safe.


I've been told that some legitimate-looking URLs will automatically redirect me to a bogus website, but how does that work? If the domain controller does the redirecting, wouldn't bankofamerica.com avoid a bogus address? Or does the redirecting occur on the routers that the packets hop through?

In other words how can this particular link get me in trouble?
[Attached screenshot: ee-bankofamerica.png]
Alan, Consultant

Commented:
In general, I'd say 'No - It is legitimate'.

However, there is certainly the possibility that BankOfAmerica (never heard of them, but I'll assume they are a legitimate bank) have, themselves, been hacked, and a dodgy sub-domain has been setup (for example).

Hope that helps,

Alan.
Yesterday I got an interesting SPAM that looked very much like the scam you see here.

Without seeing the original link it's hard to say. Is the link you have posted the link directly from the URI in the email, or is it the URI you were redirected to by a short link?

If it is a spam email, the link could be sending you through an endpoint that is looking to exploit clients that match particular parameters. One of two things happens.

1. They run scripts, detect your client is exploitable, compromise the machine and then redirect you to Bank of America's site.
2. They run scripts, detect you're not exploitable and then redirect you to Bank of America's site.

Put the link through https://virustotal.com and see if it comes back with anything.

However, there is certainly the possibility that BankOfAmerica (never heard of them, but I'll assume they are a legitimate bank) have, themselves, been hacked, and a dodgy sub-domain has been setup (for example).

Just a small company with over 20 million customers and over $200 billion USD in assets. Not many have probably heard of them :)

You would be talking about a compromise of DNS, mail and PKI in that scenario. In a developed country with a developed and robust financial system like the US, UK, Australia, etc., this is not going to happen without someone noticing. In general, large banks are quite battle-hardened organisations that are under unrelenting attack 24/7. Working in infrastructure and security in the finance sector myself, I know a lot of controls are in place to prevent this sort of scenario playing out. Impossible, no, but it is not "certainly the possibility".
Dr. Klahn, Principal Software Engineer

Commented:
It's quite easy to make a bogus URL look legitimate.

<a href="http://www.phishingsite.com/badactor">http://bankofamerica.com</a>



and then once there, the bad actor captures the address bar and makes it all look legit.

In general I never trust emails with URLs.  I go to the site manually instead.

btan, Exec Consultant
Distinguished Expert 2018

Commented:
Phishing email messages (fraudulent emails that appear to be legitimate) usually contain features that reveal their true intent – if you know what to look for:

Often the message doesn’t address you by name. It also implies urgency, attempting to get you to act quickly before you have time to carefully read the message or examine it thoroughly.

If you hover over a link in a phishing email, it will usually show you that it's pointing to a site different from the one stated in the message. The goal is to get you to click through to a web page where you’ll be asked to provide personal information or open an attachment that may be malicious.

Phishing messages often contain grammar and/or spelling errors.

In fact, for bill pay, the legitimate login page would look something like the one below, served from the staticweb host and not billpay-ui.

https://staticweb.bankofamerica.com/cavmwebbactouch/common/index.html#home?app=signonv2&targetapp=billpay&targetpage=home&source=deeplink

Suggest you report a suspicious email:  abuse@bankofamerica.com.

More information on reporting suspicious activity is at
https://www.bankofamerica.com/privacy/report-suspicious-communications.go

See the remaining online banking service
https://www.bankofamerica.com/online-banking/sign-in/
That link (https://billpay-ui.bankofamerica.com/imm/PaymentCenter/Index/) is legitimate if you visit the site and log in, but a spammer displays legitimate links while hiding the redirect to some other scam link.  You also can't go to the link directly.  It will go to the login page and you will still have to click the bill pay button to connect.

You would actually go to www.bofa.com because that's a much shorter link to type out.  They own that link that will redirect to the full name.
Bill Prew (Test your restores, not your backups...)
Top Expert 2016

Commented:
This is why I almost always "preview" the links in Outlook before actually clicking on them, unless I am 100% confident they are from a trusted source.  It's easy to do, just hover over the link, and then look at the true "behind the scenes" URL that you will be taken to when you click on that link.  Often they will be different and that's a first red flag.  Then you need to carefully inspect the destination URL and make sure it is legitimate.  Often I will retype just the major part of it with a safe site address that I know of, and then navigate to the feature I need (like logon, for example).  Yes it can take a bit more work, but it can save you some pain too if the destination was not the real site.

A couple of decent articles detailing this practice...



»bp
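The two posts above (Dr. Klahn's deceptive anchor, and Bill Prew's habit of reading the real href behind a link before clicking) describe a check that can be automated for an HTML e-mail. The following is an added example, not code from this thread or from any bank: it pulls every anchor out of a message, compares the host named in the visible link text with the host the href actually points to, and flags links that leave the expected domain. The sample HTML is constructed; phishingsite.com is the placeholder Dr. Klahn used, and the "two labels is the registrable domain" rule is a simplifying assumption (a public-suffix list is needed for names like example.co.uk).

```python
"""Flag e-mail links whose visible text names one site while the href
points somewhere else, and links whose href leaves the expected domain.
Added example for this thread; the sample message below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: a deceptive anchor (text says bankofamerica.com,
# href goes to the placeholder phishingsite.com), two genuine bank links, and
# a plain-text "Sign in" link that quietly leaves the bank's domain.
SAMPLE_EMAIL_HTML = """
<p>Your statement is ready.</p>
<a href="http://www.phishingsite.com/badactor">http://bankofamerica.com</a>
<a href="https://billpay-ui.bankofamerica.com/imm/PaymentCenter/Index/">View bill</a>
<a href="https://www.bankofamerica.com/privacy/report-suspicious-communications.go">www.bankofamerica.com</a>
<a href="http://www.phishingsite.com/login">Sign in</a>
"""

# Visible text that itself looks like a URL or bare hostname.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; a scheme is prepended when the text has none so that
    bare names like 'www.bankofamerica.com' parse as a host, not a path."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    """Assumed rule: the last two labels are the registrable domain
    ('billpay-ui.bankofamerica.com' -> 'bankofamerica.com')."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html, expected_domain):
    """Return [(href, verdict)] where verdict is 'mismatch' (visible text names
    another domain than the href), 'off-domain' (href is outside
    expected_domain), or 'ok'."""
    collector = AnchorCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        href_domain = registrable(host_of(href))
        text_domain = registrable(host_of(text)) if URL_LIKE.fullmatch(text) else None
        if text_domain and text_domain != href_domain:
            verdict = "mismatch"
        elif href_domain != expected_domain.lower():
            verdict = "off-domain"
        else:
            verdict = "ok"
        results.append((href, verdict))
    return results


if __name__ == "__main__":
    for href, verdict in check_links(SAMPLE_EMAIL_HTML, "bankofamerica.com"):
        print(f"{verdict:10} {href}")
```

Run against the sample, the first anchor is reported as a mismatch (text says bankofamerica.com, href is phishingsite.com), the billpay-ui and privacy-page links pass because their hosts are under bankofamerica.com, and the "Sign in" link is flagged as off-domain even though its text gives nothing away. This is the same comparison a person makes by hovering, just applied to every link at once.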
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Indeed legitimate, and it is fronted by Akamai, a CDN.

Billpay-ui.bankofamerica.com      CNAME      3600      bofaeas.fiservapps.com.

bofaeas.fiservapps.com      A      30      208.235.248.149

https://www.abuseipdb.com/whois/208.235.248.149
We used to be able to see the full "ugly" link, so that we know exactly where it's going to.  Unfortunately, marketing scammers and CxOs and ad agencies want everything looking "clean".  I hate Outlook because you have to do extra just to view everything in its raw form.  I have to use it for work now, but for home, I still use Thunderbird and sometimes pine or mutt, and I set it to always show the full headers and the links to every site to make it easier to spot the scammer links.  Outlook just tries to hide it all.  Microsoft wants you to get scammed.

Outlook is just the most horrifically made crippled web browser in existence.  Unfortunately, business has adopted it because of the integrated Exchange Calendar, but it's a terrible program that crashes a lot and has so many issues that I never had to deal with when people just used Thunderbird, pine, or mutt, or even Apple Mail.  Someone at Microsoft needs to learn UI and how to keep it simple.
rberke, Consultant

Author

Commented:
It turns out to be a 100% legit email.

It turns out that when I set up my wife's credit card 5 years ago we used my email address.
But, both she and I have been getting paper statements for 5 years so I never saw any previous emails like this.