Robert Berke asked:

Can it be a scam if a shortcut points to https://xxxx.bankofamerica.com/xxxx

Yesterday I got an interesting SPAM that looked very much like the scam you see here.

I right clicked on the shortcut and copied it to the clipboard then pasted it into chrome on my test machine.  It takes me to what appears to be a legit bankofamerica website.  I have attached a screenshot.  I did not enter my passwords, but it sure looks 100% legit to me.

Here is the url:  https:/ / billpay-ui.bankofamerica.com/ imm/ PaymentCenter/ Index/ 8404?csbi=644077671&b0=20190916192841396056
I have added a space after each / to make it safe.


I've been told that some legitimate looking URLs will automatically redirect me to a bogus website, but how does that work? If the domain controller does the redirecting wouldn't bankofamerica.com avoid a bogus address? Or does the redirecting occur on the routers that the packets hop through?

In other words how can this particular link get me in trouble?
Alan

In general, I'd say 'No - It is legitimate'.

However, there is certainly the possibility that BankOfAmerica (never heard of them, but I'll assume they are a legitimate bank) have, themselves, been hacked, and a dodgy sub-domain has been set up (for example).

Hope that helps,

Alan.
Dr. Klahn

It's quite easy to make a bogus URL look legitimate.

<a href="http://www.phishingsite.com/badactor">http://bankofamerica.com</a>

and then once there, the bad actor captures the address bar and makes it all look legit.

In general I never trust emails with URLs.  I go to the site manually instead.
Phishing email messages (fraudulent emails that appear to be legitimate) usually contain features that reveal their true intent – if you know what to look for:

Often the message doesn’t address you by name. It also implies urgency, attempting to get you to act quickly before you have time to carefully read the message or examine it thoroughly.

If you hover over a link in a phishing email, it will usually show you that it's pointing to a site different from the one stated in the message. The goal is to get you to click through to a web page where you’ll be asked to provide personal information or open an attachment that may be malicious.

Phishing messages often contain grammar and/or spelling errors.

In fact, for bill pay, the legitimate login page would look something like the below, and come from the staticweb host and not billpay-ui.

https://staticweb.bankofamerica.com/cavmwebbactouch/common/index.html#home?app=signonv2&targetapp=billpay&targetpage=home&source=deeplink

Suggest you report a suspicious email:  abuse@bankofamerica.com.

More information on reporting suspicious activity is at
https://www.bankofamerica.com/privacy/report-suspicious-communications.go

See the remaining online banking service
https://www.bankofamerica.com/online-banking/sign-in/
That link (https://billpay-ui.bankofamerica.com/imm/PaymentCenter/Index/) is legitimate if you visit the site and log in, but a spammer displays legitimate links while hiding the redirect to some other scam link.  You also can't go to the link directly.  It will go to the login page and you will still have to click the bill pay button to connect.

You would actually go to www.bofa.com because that's a much shorter link to type out.  They own that link that will redirect to the full name.
This is why I almost always "preview" the links in Outlook before actually clicking on them, unless I am 100% confident they are from a trusted source.  It's easy to do, just hover over the link, and then look at the true "behind the scenes" URL that you will be taken to when you click on that link.  Often they will be different and that's a first red flag.  Then you need to carefully inspect the destination URL and make sure it is legitimate.  Often I will retype just the major part of it with a safe site address that I know of, and then navigate to the feature I need (like logon, for example).  Yes it can take a bit more work, but it can save you some pain too if the destination was not the real site.

A couple of decent articles detailing this practice...



»bp
Indeed legitimate, and it is fronted by Akamai, a CDN.

Billpay-ui.bankofamerica.com      CNAME      3600      bofaeas.fiservapps.com.

bofaeas.fiservapps.com      A      30      208.235.248.149

https://www.abuseipdb.com/whois/208.235.248.149
We used to be able to see the full "ugly" link, so that we know exactly where it's going to.  Unfortunately, marketing scammers and CxOs and ad agencies want everything looking "clean".  I hate Outlook because you have to do extra just to view everything in its raw form.  I have to use it for work now, but for home, I still use Thunderbird and sometimes pine or mutt, and I set it to always see the full headers links to every site to make it easier to spot the scammer links.  Outlook just tries to hide it all.  Microsoft wants you to get scammed.

Outlook is just the most horrifically made crippled web browser in existence.  Unfortunately, business has adopted it because of the integrated Exchange Calendar, but it's a terrible program that crashes a lot and has so many issues that I never had to deal with when people just used Thunderbird, pine, or mutt or even Apple Mail.  Someone at Microsoft needs to learn UI and how to keep it simple.
Robert Berke (ASKER)

It turns out to be a 100% legit email.

It turns out that when I set up my wife's credit card 5 years ago we used my email address.
But, both she and I have been getting paper statements for 5 years so I never saw any previous emails like this.