We can see that this alleged bank site has been in operation for four years, which is highly unusual for a fake bank site. In fact, at first glance this appears to be a legitimate bank site; it even has an SSL certificate on its login page, again highly unusual for a fake bank site.

Queried whois.internic.net with "dom amanahsahammalayanbank.com"...

Domain Name: AMANAHSAHAMMALAYANBANK.COM
Registrar: EVERYONES INTERNET, LTD. DBA SOFTLAYER
Sponsoring Registrar IANA ID: 925
Whois Server: whois.softlayer.com
Referral URL: http://www.softlayer.com
Name Server: BETH.NS.CLOUDFLARE.COM
Name Server: WILL.NS.CLOUDFLARE.COM
Status: ok http://www.icann.org/epp#OK
Updated Date: 18-feb-2015
Creation Date: 16-feb-2011
Expiration Date: 16-feb-2016
Many fake banks impersonate or copy legitimate banks, and this site is no different in that regard. It's copying the legitimate Kumari bank in Nepal, although this site claims to be a bank in Malaysia.
There is also a SWIFT code on this page which, it's claimed, belongs to this bank. Those can be checked too, and in this case, it doesn't exist.
So it's now clear that this is a fake bank site, and it should be a simple matter to inform the host and registrar of this abuse of their services.
Well, it's a little more complicated than that, if we look again at the whois record for this domain:
Name Server: BETH.NS.CLOUDFLARE.COM
Name Server: WILL.NS.CLOUDFLARE.COM

This fake bank uses Cloudflare, a pass through service, so while the whois lists Cloudflare as the hosting provider, they actually don't host the domain.
So we can inform CloudFlare, and hope that they remove their support for this fraudulent domain or at least pass the information back to the real hosting company.
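The whois reading above, as an added example that is not part of the original post: a short Python parser for the thin-registry record quoted in this post. It pulls out the registrar and its referral whois server, computes the domain's age, and flags name servers that belong to a pass-through service, in which case the record says nothing about the real host. The suffix table and the evaluation date are assumptions.

```python
from datetime import date, datetime

# The thin-registry record quoted in this post, embedded so the example runs offline.
RECORD = """\
Domain Name: AMANAHSAHAMMALAYANBANK.COM
Registrar: EVERYONES INTERNET, LTD. DBA SOFTLAYER
Sponsoring Registrar IANA ID: 925
Whois Server: whois.softlayer.com
Referral URL: http://www.softlayer.com
Name Server: BETH.NS.CLOUDFLARE.COM
Name Server: WILL.NS.CLOUDFLARE.COM
Status: ok http://www.icann.org/epp#OK
Updated Date: 18-feb-2015
Creation Date: 16-feb-2011
Expiration Date: 16-feb-2016
"""

# Assumption: name-server suffixes of pass-through services. Only Cloudflare
# comes from the post; extend the table for other providers.
PASS_THROUGH_NS = {".ns.cloudflare.com": "Cloudflare"}

def parse_whois(text):
    """Parse 'Key: value' lines; repeated keys (Name Server) accumulate."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def triage(text, today):
    """Summarise who the record points at and what it cannot tell us."""
    f = parse_whois(text)
    created = datetime.strptime(f["creation date"][0], "%d-%b-%Y").date()
    servers = [ns.lower() for ns in f.get("name server", [])]
    proxies = sorted({name for ns in servers
                      for suffix, name in PASS_THROUGH_NS.items()
                      if ns.endswith(suffix)})
    return {
        "registrar": f["registrar"][0],
        "registrar_whois": f["whois server"][0],  # next lookup for registrar details
        "age_years": (today - created).days // 365,
        "pass_through": proxies,
        # Proxy name servers mean the record says nothing about the real host.
        "host_visible": not proxies,
    }

if __name__ == "__main__":
    print(triage(RECORD, date(2015, 3, 1)))  # evaluation date is an assumption
```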
When it comes to informing the registrar, again things are not as simple as they seem. While SoftLayer is listed as the Registrar according to the whois info, the domain was registered through a reseller, UKCheapest.
Here we have a clear example of a fake site using an SSL certificate to provide its victims with a false sense of reassurance that this is a legitimate bank, and using a pass through service to hide its true location on the internet. All attempts to inform the companies responsible for allowing this site the freedom to scam over the past year have resulted in exactly nothing.
SoftLayer, despite being the Registrar, continue to claim that as the site is not on their network they can't do anything.
UKCheapest, the reseller, at one point said they had escalated the matter, but nothing came of it.
CloudFlare, Inc. claim that as they are not the true hosts they can't do anything.
In fact, the only companies that have taken any action, so far, have been the Certificate Authorities who have revoked their SSL Certificates after being informed of what their certificate is securing.
While the host, reseller and Registrar fail to act, the scammers behind this fake site are free to obtain yet another SSL Certificate to continue their scam.