Showing posts with label impersonation. Show all posts

Sunday, 10 May 2015

A fake bank with SSL - amanahsahammalayanbank.com

A previous entry also dealt with this topic, but this fake bank deserves its own entry, if only because it highlights issues which have allowed this fraudulent bank to continue defrauding the public long after it should have been suspended.
From the whois:
Queried whois.internic.net with "dom amanahsahammalayanbank.com"...
   Domain Name: AMANAHSAHAMMALAYANBANK.COM
   Registrar: EVERYONES INTERNET, LTD. DBA SOFTLAYER
   Sponsoring Registrar IANA ID: 925
   Whois Server: whois.softlayer.com
   Referral URL: http://www.softlayer.com
   Name Server: BETH.NS.CLOUDFLARE.COM
   Name Server: WILL.NS.CLOUDFLARE.COM
   Status: ok http://www.icann.org/epp#OK
   Updated Date: 18-feb-2015
   Creation Date: 16-feb-2011
   Expiration Date: 16-feb-2016
We can see that this alleged bank site has been in operation for four years, which is highly unusual for a fake bank site. In fact, at first glance this appears to be a legitimate bank site; it even has an SSL certificate on its login page, again highly unusual for a fake bank site.

However, the SSL certificate issued to this bank is not the Extended Validation certificate a legitimate bank would have, but just a normal SSL certificate that any domain owner can obtain. That is suspicious, but not conclusive evidence of this site being fake, so let's examine this site a little more closely.

Many fake banks impersonate or copy legitimate banks, and this site is no different in that regard. It's copying the legitimate Kumari bank in Nepal, although this site claims to be a bank in Malaysia.


However, a search of the Central Bank of Malaysia's list of licensed banking institutions reveals that this bank is not licensed in Malaysia.

There is also a SWIFT code on this page which, it's claimed, belongs to this bank. Those can be checked too, and in this case it doesn't exist.

So it's now clear that this is a fake bank site, and it should be a simple matter to inform the host and registrar of this abuse of their services.

Well, it's a little more complicated than that, if we look again at the whois record for this domain:
Name Server: BETH.NS.CLOUDFLARE.COM
Name Server: WILL.NS.CLOUDFLARE.COM
This fake bank uses Cloudflare, a pass-through service, so while the whois lists Cloudflare as the hosting provider, they don't actually host the domain.

So we can inform CloudFlare, and hope that they remove their support for this fraudulent domain or at least pass the information back to the real hosting company.
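The whois reading above can be done mechanically when triaging an abuse report. This is an added example, not part of the original post: it parses the fields quoted from the whois record and flags when every name server belongs to a pass-through service, meaning whois alone cannot identify the real host. The `PASS_THROUGH_NS` map and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime

# Whois fields quoted in the post (a subset of the record shown above).
WHOIS = """\
   Domain Name: AMANAHSAHAMMALAYANBANK.COM
   Registrar: EVERYONES INTERNET, LTD. DBA SOFTLAYER
   Whois Server: whois.softlayer.com
   Name Server: BETH.NS.CLOUDFLARE.COM
   Name Server: WILL.NS.CLOUDFLARE.COM
   Creation Date: 16-feb-2011
"""

# Assumption: name-server suffixes that mark a pass-through (reverse proxy)
# service rather than the origin host. Extend this map for other providers.
PASS_THROUGH_NS = {".ns.cloudflare.com": "Cloudflare"}


def parse_whois(text):
    """Parse 'Key: value' lines; repeated keys (Name Server) collect in lists."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.+)", line)
        if m:
            record.setdefault(m.group(1).strip(), []).append(m.group(2).strip())
    return record


def proxy_for(name_server):
    """Return the pass-through provider for a name server, or None."""
    for suffix, provider in PASS_THROUGH_NS.items():
        if name_server.lower().endswith(suffix):
            return provider
    return None


def triage(text, today):
    """Summarise who whois can and cannot identify for an abuse report."""
    rec = parse_whois(text)
    created = datetime.strptime(rec["Creation Date"][0], "%d-%b-%Y").date()
    providers = [proxy_for(ns) for ns in rec.get("Name Server", [])]
    return {
        "domain": rec["Domain Name"][0].lower(),
        "registrar": rec["Registrar"][0],
        "registrar_whois": rec["Whois Server"][0],
        "age_years": (today - created).days // 365,
        "pass_through": sorted({p for p in providers if p}),
        # Whois reveals the origin host only if some name server is not proxied.
        "origin_host_hidden": bool(providers) and all(providers),
    }
```

Calling `triage(WHOIS, date)` with the post's date gives the four-year domain age, the registrar to notify, and the pass-through provider that has to be asked to forward the report to the real host.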

When it comes to informing the registrar, again things are not as simple as they seem. While SoftLayer is listed as the Registrar according to the whois info, the domain was registered through a reseller, UKCheapest.

Here we have a clear example of a fake site using an SSL certificate to give its victims a false sense of reassurance that this is a legitimate bank, and using a pass-through service to hide its true location on the internet. All attempts to inform the companies responsible for allowing this site the freedom to scam over the past year have resulted in exactly nothing.

SoftLayer, despite being the Registrar, continue to claim that as the site is not on their network they can't do anything.

UKCheapest, the reseller, at one point said they had escalated the matter, but nothing came of it.

CloudFlare, Inc. claim that as they are not the true hosts they can't do anything.

In fact, the only companies that have taken any action, so far, have been the Certificate Authorities who have revoked their SSL Certificates after being informed of what their certificate is securing.

While the host, reseller and Registrar fail to act, the scammers behind this fake site are free to obtain yet another SSL Certificate to continue their scam.

Thursday, 9 April 2015

Blogger, Nigerian Customs Impersonation and Google's lack of interest

The company that enables and allows me to post this blog, also has several tales of shame to tell if you know where to look. This is only the first of these tales.

For our first example we have: http://customsng.blogspot.com/, which claims to be the Nigerian Customs Service website.

To most people this is laughable, even without knowing that the legitimate Nigerian Customs Service website is https://www.customs.gov.ng/index.php. No government anywhere has ever used a free service, or blog, to host its official website.

And yet even knowing this, this fraudulent blog has been in existence, according to the 'nigeria customs' Blogger profile that created it, since March 2013. Let that sink in for a moment: Google has allowed a fake blog to impersonate a legitimate Nigerian Government service for over two years. Maybe they didn't know it existed?

I've been reporting this fake blog to them since April 2014.

Most services that host free sites or blogs allow anyone to either email or fill in a web form to report abuse, which they then investigate and act on accordingly, removing or suspending any content they agree to be abusing their services, and Google does this too.

So why haven't they removed this fake blog?

Well, because any abuse email to Google gets this auto-response:

"Hello,

Please note that this is an automated message, and responses to this message will not be reviewed. For all legal removal requests, please fill out our web form at http://support.google.com/legal.

For more information or support with other issues, please see the following links:

Removing outdated information from Google's search results: https://www.google.com/webmasters/tools/removals

Google Search removal policies: https://support.google.com/websearch/answer/2744324?hl=en

Support for Google's products and services: http://support.google.com/?hl=en

Google's Privacy Policy: http://www.google.com/intl/en/policies/privacy/

Regards,
The Google Team"
At least it points to alternatives. So let's look at the alternative that applies to this blog: http://support.google.com/legal, which leads to a web page where you need to fill in the options, firstly which service is being abused, in this case Blogger, and are then confronted with multiple options.


The only one which mentions impersonation requires that the reporter be the person or entity being impersonated.

Perhaps the option needed is under "not mentioned above"?


Unfortunately not.
You know this blog is fraudulent and you want to inform Google, as the hosting company, of the abuse of their services, but they don't want to know, because this fraudulent blog doesn't fit any category of what they define as abuse of their services.

It gets worse. While reporting blogs to Google that can be made to fit into one of the categories above, which they will remove, albeit slowly, I also asked them to investigate this blog.

While all of the other fraudulent blogs were removed, this one continues to assist in defrauding the public.