In the capture you can see how the mail looks:
The text of the email reads (errors included):
Dear Customer,
Due to the importance for the security and integrity of our services we have decided to send you the following alert message in which we inform you that for your SECURITY.
We have implemented the new BANCOLOMBIA PROTECTED IDENTITY system.
In Bancolombia we care about your safety, for this reason you will receive this notification automatically whenever necessary.
To avoid blockages and suspension of the services offered in our virtual branch, access your account with your user by clicking on the following link that will take you directly to our Website. If the access is successful our system will remove the block immediately and you can continue to enjoy all our services.
https://www.bancolombia.com <-- deceptive link text; it actually points to a Bit.ly link
Bancolombia puts at your disposal, at no additional cost, new servers that have the latest technology in data protection and encryption.
GRUPOBANCOLOMBIA S.A. Banking Establishment.
As annotated in the email above, hovering the cursor over the link shows, at the bottom left, that it actually points to a Bit.ly link, while at the same time a message box just below and to the right repeats the supposed address.
The link in the deceptive email was a Bit.ly shortened URL, which we reported immediately. It leads to another shortened URL, this one from Ow.ly (where it is difficult to find out where to report), which in turn leads to the fake site in question.
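The mismatch described above, between the address a link displays and the host it really targets, can be checked automatically on an HTML mail body. The following is an added example, not part of the original report: the names `host_of`, `LinkAuditor` and `audit` are assumptions, the sample HTML is constructed, and the Bit.ly path is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "ow.ly", "goo.gl"}  # the shortener hosts named in this report

def host_of(text):
    """Hostname if text looks like a URL or bare domain, else None ('www.' stripped)."""
    text = text.strip()
    if not text or " " in text:
        return None
    try:
        host = urlsplit(text if "://" in text else "http://" + text).hostname
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return None
    if not host or "." not in host:
        return None
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:  # only collect text inside an open <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown, target = host_of("".join(self._text)), host_of(self._href)
        reasons = []
        if shown and target and shown != target:
            reasons.append("text-host-mismatch")  # visible address differs from real target
        if target in SHORTENERS:
            reasons.append("shortener")  # final destination is hidden behind a redirect
        if reasons:
            self.findings.append((shown, target, reasons))
        self._href = None

def audit(html_body):
    """Return a list of (shown_host, target_host, reasons) for suspicious links."""
    parser = LinkAuditor()
    parser.feed(html_body)
    return parser.findings

# Constructed sample modelled on the email above; the Bit.ly path is a placeholder.
SAMPLE = ('<p>access your account: <a href="http://bit.ly/PLACEHOLDER">https://www.bancolombia.com</a></p>'
          '<p><a href="https://www.bancolombia.com/">Our site</a></p>')
```

Calling `audit(SAMPLE)` flags only the first link. The check inspects the first hop only, so a chain such as the Bit.ly to Ow.ly redirection described here still has to be followed separately to find the final site.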
As on previous occasions, the fake site is identical to the original: it even reuses the graphics and functions of the original site, with a resemblance and links that are difficult to distinguish even for someone experienced. Of course, the address is the one detail that, for now, still gives the deception away, as can be seen in the comparative capture of the authentic and fake sites:
While writing this report, and after having reported the site to PhishTank, Google SafeBrowsing and IE SmartScreen, we received another report of the same email:
This new one had a deceptive link pointing to a CO.CC domain, which in turn redirects to an Ow.ly short URL, and this to another from Goo.gl, which redirects to another CO.CC domain where the fake site is. From Segu-Info we filed the corresponding reports in the same way as before.
Obviously, the motivation to steal money, frustrated in part by the reports filed by some members of the community, is enough for the site to be set up again elsewhere the same day.
Criminals don't rest . . . and neither do we. ;-)
Raúl, from the Segu-Info editorial staff

