Here's a fairly standard bank phishing e-mail, targeting a bank in India:
Nice touch with that "Beware of Phishing" warning…
Let's look at the attached HTML file:
You got to be kidding me? The page has redirection to http://amen.fr.softms.com.netwayexchange.com.liberty-textiles.org.v2nmobile.com.manchesteraircooled.com.blackcountrymortgages.com.cardiorenew-europe.com.solhosts.com.giveupthecigs.com.extravite.com.taxrepay.co.uk? That hostname can't possibly work…
Except it does.
The redirection goes to reserve.bank.minecraftarena.fr. And the front page of minecraftarena.fr shows a fake "account suspended" message. Nice touch.
The phishing page looks like this:
The ultimate target of the attack is to collect bank logins and credit card numbers:
