When a bank site hosts a phish

At SophosLabs, we receive an assortment of bank phishes every day. In this day and age, banks are taking immediate actions in bringing down phish pages down to protect their own customers.  Banks also secure their websites to prevent compromise attempts. So, what we encountered today is something that can only be considered a rare occurance. We received the following phish today:

Poste.it phish

This particular image phish targets the Italian bank Poste Italiane. The phish itself (in Italian) entices users to go to the link in order to receive 250 Euros worth of “loyalty bonus”. The phish itself is fairly typical. The link in the message goes to a compromised domain controlled by the phisher. Instead of the phish hosting on this compromised domain, a HTTP redirect is used to send the user to a second domain, where the phish page resides:

Poste Italian phish on fjsb.com

This is where my investigation took an unexpected turn.  The domain hosting the phish page, fjsb.com, seems to be a owned by Fort Jennings State Bank, a private, local bank serving the state of Ohio. The homepage of the bank is as follows:

fjsb.com homepage

The site’s design was a throwback to the early days of HTML and the site itself does not have a lot of the fancy menus and drop down lists that most banks now uses. It took some further investigation to confirm the ownership of the domain.

So what is happening here? It would seem that we have a bank in the US hosting a phish site of an Italian bank.  This goes to show that all sites (even bank or military sites) may be compromised and be used for malicious purposes (such as a phish campaign). We have notified the webmasters of Fort Jennings State Bank and the phish site has since been taken down. As a side note, the compromised site linked directly by the phish message itself now redirects to another compromised site.  For Sophos customers, our anti-spam products detects this phish campaign even though the redirection link has changed.