Close-up of a fake Google Sponsored Ad result for Commercial Bank Sri Lanka, showing the phishing domain comdank.online above the real ComBank search result.

Commercial Bank Users Beware

Today, Sri Lankans searching for Commercial Bank or ComBank Digital on Google were met with danger right at the top of the page. The first result — marked Sponsored — wasn’t the bank at all. It was a phishing website using the domain comdank.online, redirecting to id.combankdigital.online.

Screenshot of fake Commercial Bank Sri Lanka Google Ad linking to comdank.online instead of the official ComBank login.
The fake Commercial Bank login appeared as the first Sponsored result on Google.

🎭 How the Scam Worked

The attackers bought Google Ads for search terms like Commercial Bank Sri Lanka, ComBank login, and ComBank Digital.

  • Victims who trusted the top result clicked the ad.
  • They were directed first to comdank.online.
  • From there, the site redirected them into id.combankdigital.online — a fake copy of the ComBank Digital login page.

Phishing website imitating the ComBank Digital login page from id.combankdigital.online used in the Commercial Bank scam in Sri Lanka.
This phishing page copied the ComBank Digital portal to trick Sri Lankans into entering their details.

The fake page looked identical to the real portal. Anyone entering a username and password was shown a “Please wait” loading screen.

Fake loading screen on comdank Sri Lanka phishing site showing Please wait message after entering Commercial Bank login details.
After entering login details, victims were shown this fake “Please wait” screen.

From testing, here’s what likely happened behind the scenes:

  • The phishing kit appeared to relay credentials live into the real Commercial Bank login.
  • If details were valid, it could then prompt the victim to enter their OTP SMS code, completing the takeover.
  • If details were invalid (as in my test with fake data), the site displayed an error such as “Invalid credentials” or “Account locked.”

While there are no confirmed victims, the setup strongly suggests this was a real-time phishing kit built to bypass OTP-based security.

🕵️ Cloaking: How They Hid the Site

This wasn’t an amateur scam. The phishing site used cloaking techniques to hide itself from anyone who did not arrive through the ad:

  • Typing comdank.online directly showed a harmless restaurant page or a 403 Access Denied error.
  • Clicking through the Google Ad showed the fake ComBank login.
  • The phishing URL even included OAuth-style parameters (client_id, nonce, code_challenge) to look technical and legitimate.

This makes the scam much harder for CERT or investigators to detect.
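One way an investigator can check for this kind of cloaking is to fetch the suspect URL twice, once the way a direct visitor would and once with the context an ad click would carry, then compare the two responses. The script below is an added example and not code from the original post; it assumes a Google Referer header and a gclid click parameter as the ad-click context (the real campaign may have keyed on something else), and takes the fetch function as a parameter so the comparison logic can be exercised offline with constructed responses.

```python
"""Cloaking check: compare what a suspect URL serves to a direct visitor
with what it serves to a visitor who appears to have clicked a Google Ad.

Added example, not code from the original post. The Referer value and the
'gclid' parameter below are assumptions about the ad-click context.
"""
import hashlib
import re
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

Response = Tuple[int, str]                           # (HTTP status, body)
Fetcher = Callable[[str, Dict[str, str]], Response]  # (url, headers) -> Response

AD_CLICK_HEADERS = {"Referer": "https://www.google.com/"}  # assumed ad-click context
AD_CLICK_PARAMS = {"gclid": "EXAMPLE_CLICK_ID"}            # assumed click identifier


def with_click_params(url: str) -> str:
    """Append the ad-click query parameters, keeping any parameters already present
    (the phishing URL in the post carried client_id, nonce and code_challenge)."""
    parts = urlparse(url)
    query = dict(parse_qsl(parts.query))
    query.update(AD_CLICK_PARAMS)
    return urlunparse(parts._replace(query=urlencode(query)))


def fingerprint(body: str) -> Tuple[str, str]:
    """Return (page title, short body hash) so two responses can be compared
    without keeping the full HTML around."""
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    title = m.group(1).strip() if m else ""
    return title, hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]


def detect_cloaking(url: str, fetch: Fetcher) -> dict:
    """Fetch as a direct visitor and as an ad-click visitor; report any divergence."""
    direct_status, direct_body = fetch(url, {})
    click_status, click_body = fetch(with_click_params(url), AD_CLICK_HEADERS)
    d_title, d_hash = fingerprint(direct_body)
    c_title, c_hash = fingerprint(click_body)
    return {
        "cloaked": direct_status != click_status or d_hash != c_hash,
        "direct": {"status": direct_status, "title": d_title, "hash": d_hash},
        "ad_click": {"status": click_status, "title": c_title, "hash": c_hash},
    }


def live_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Standard-library fetcher for real use; error statuses (like the 403 in the
    post) are returned rather than raised so they can be compared."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0", **headers})
    try:
        with urllib.request.urlopen(req, timeout=15) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import json
    import sys
    # Usage: python cloak_check.py https://suspect.example/login
    print(json.dumps(detect_cloaking(sys.argv[1], live_fetch), indent=2))
```

A divergence in status code (403 on the direct visit, 200 through the ad) is the clearest signal; a body-hash mismatch alone can also come from ordinary dynamic content such as per-visit nonces, so compare titles and status first before calling a site cloaked.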

Access denied error page shown when visiting comdank.online directly, part of the fake Commercial Bank Sri Lanka phishing attack.
Visiting comdank.online directly showed a 403 error — a cloaking trick to hide the phishing site.

📉 The Ad Has Been Taken Down

The fraudulent Google Ad has now been removed. But that doesn’t mean the threat is gone. Scammers can easily launch the same attack again tomorrow with a fresh domain name.

Today it was comdank.online and id.combankdigital.online. Tomorrow, it could be another variation.

🏦 ComBank’s Official Response

Commercial Bank moved fast to warn customers. They have:

  • Issued a special notice about fake websites
  • Sent emails to customers warning them to always check the URL
  • Shared their official secure links:
    • https://www.combank.lk/digitalbanking/
    • https://www.combankdigital.com

Here is the official notice from ComBank:

Official Commercial Bank Sri Lanka notice warning customers about phishing scams and fake ComBank login websites.
Commercial Bank issued this official notice warning customers about phishing websites.

🛡️ How to Protect Yourself

  1. Don’t trust the top ad result. Scroll down and click the official bank link.
  2. Always type the URL manually: www.combank.lk or www.combankdigital.com.
  3. Check spelling carefully — “comdank” is not “combank.”
  4. Look for HTTPS (the padlock).
  5. Never share OTPs or passwords. The bank will never ask for them.
  6. If you entered details into the fake site:
    • Call ComBank immediately → 1316 or +94 11 235 3353
    • Reset your Digital Banking password
    • Monitor your account for unusual activity
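Steps 2 and 3 above (type the official address, check the spelling) and the earlier point about OAuth-style parameters dressing up the phishing URL both come down to one check: only the registrable domain identifies the site, and it must match the bank's own. The script below is an added example, not code from the original post or from Commercial Bank. It assumes the two official domains from ComBank's notice as its allowlist, uses a simple last-two-labels rule for the registrable domain (a production tool would consult the Public Suffix List), and treats an edit distance of up to two as "a typo away"; it flags both phishing hosts named in the post.

```python
"""Lookalike-domain check built around the ComBank case in the post.

Added example. Assumptions: the allowlist holds the two official domains the
bank published; the edit-distance threshold and the naive registrable-domain
rule are illustrative choices, not anything the bank or the post specifies.
"""
from typing import Tuple
from urllib.parse import urlparse

# Official domains as listed in ComBank's notice (from the post).
OFFICIAL_DOMAINS = {"combank.lk", "combankdigital.com"}
# Their second-level labels: "combank" and "combankdigital".
OFFICIAL_LABELS = {d.split(".")[0] for d in OFFICIAL_DOMAINS}
MAX_EDIT_DISTANCE = 2  # assumed threshold for "one or two typos away"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Extract the host. The query string (client_id, nonce, code_challenge, ...)
    is ignored on purpose: it says nothing about who owns the site."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower().strip(".")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. Adequate for .lk, .com and
    .online; multi-part suffixes need the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is 'official', 'lookalike' or 'unknown'."""
    host = hostname_of(url)
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return "official", f"{reg} is on the allowlist"
    labels = host.split(".")
    # Rule 1: an official label reused under a different registrable domain,
    # e.g. id.combankdigital.online (label 'combankdigital', domain '.online').
    for label in labels:
        if label in OFFICIAL_LABELS:
            return "lookalike", f"label '{label}' reused inside non-official domain {reg}"
    # Rule 2: second-level label a few edits away from an official one,
    # e.g. comdank.online vs combank.lk (one substitution).
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    for official in OFFICIAL_LABELS:
        d = levenshtein(sld, official)
        if 0 < d <= MAX_EDIT_DISTANCE:
            return "lookalike", f"'{sld}' is {d} edit(s) from '{official}' ({reg})"
    return "unknown", f"{reg} is neither official nor a close lookalike"


if __name__ == "__main__":
    # Constructed sample set: the two official links from the notice, the two
    # phishing hosts named in the post, and a neutral control domain.
    samples = [
        "https://www.combank.lk/digitalbanking/",
        "https://www.combankdigital.com",
        "comdank.online",
        "https://id.combankdigital.online/login?client_id=x&nonce=y&code_challenge=z",
        "https://example.com/",
    ]
    for s in samples:
        verdict, why = classify(s)
        print(f"{verdict:9} {s}  ({why})")
```

The same two rules work for any other bank: swap the allowlist for that bank's published domains and the check will catch both the typo variant (comdank) and the brand-name-under-a-foreign-TLD variant (combankdigital.online), which is exactly the "fresh domain name tomorrow" problem the post describes.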

🌍 Has This Happened Before?

This is the first time we’ve seen a phishing scam in Sri Lanka abusing Google Ads cloaking. But it’s not the first phishing campaign overall. Locally, we’ve already seen:

  • SMS scams pretending to be banks, Abans JBL, and telecom companies
  • WhatsApp/Telegram job scams (STX Entertainment, Essential, SG Bike Mart)
  • Fake shopping sites promoted on Facebook Ads

Globally, Google Ads phishing is not new. In 2023–2024, banks in the US, UK, and India reported attacks where ads led users to fake login portals. Some of those kits also used real-time OTP relays, just like this one appears to have been designed to do.

The fact that this method has now surfaced in Sri Lanka means our scam landscape is evolving to global levels of sophistication.

🔮 The Bigger Picture

Today, it was Commercial Bank. Tomorrow, it could be Sampath, HNB, People’s Bank, or BOC.

This was not a cheap SMS blast. It was an advanced phishing kit:

  • Leveraging Google Ads trust
  • Using cloaking to stay hidden
  • Built to bypass OTP two-factor authentication

Even the most careful users could be tricked. Because who expects the first result on Google to be fake?

DEBUGGER’s Note:

This attack shows just how fast scams in Sri Lanka are evolving. The site wasn’t just after usernames and passwords — it was likely built to fool OTPs too. That’s why this is terrifying.

Know the Threat. Stop the Attack.
– DEBUGGER
