Internet Security Zone Blog

Yet Another Vishing (phone phishing) Incident

Hello, you've reached _______ Bank:

  • If you would like to check your balance, press 1.
  • To be connected to an operator, press 2.
  • To compromise your banking account, enter your 16 digit card number followed by the expiration date.

[Image: Visherman_1]

No, I didn't make up the name for this new type of phone phishing recently labeled Vishing. Yes, Vishing is probably not the best name but it was the first offered, so it will probably stick.

As mentioned in previous posts, this new type of phishing using phone/voicemail is becoming more common. The most recent incident involves Santa Barbara Bank & Trust.

The MO is the same: spam people with fraudulent email asking them to call their bank and confirm their account details. The customer calls what they believe is their bank and ends up disclosing their account details to the automated phone system (and thereby to the phishers). Websense grabbed the voicemail recording so you can hear the message and understand how it actually works.

The Phishing Incident Reporting and Termination (PIRT) Squad is updating the status of this phish.

How can you protect yourself? Use caution and refer to the company's website to confirm their officially listed phone number to avoid falling victim in cases like this.

Posted by jono2u on June 23, 2006 at 01:00 PM in Phishing & Spam

Phishing by Phone

Back in April, fellow blogger Matt was theorizing about a new type of phishing where the phish used a phone system to obtain your information rather than stealing it through a website. Well, it looks like that theory has become reality.

Recently a phishing email was detected that didn't ask you to view a certain spoofed website; rather, it asked you to call Chase Bank at a phone number and input your information through their system. Problem is, it isn't Chase. The phone number in the email was actually controlled by the phishers, as was the automated touch-tone system that requested your SSN, Account Number, etc.

Here is a copy of the email phish:

Dear Customer,  We've noticed that you experienced trouble logging into Chase Online Banking.  After three unsuccessful attempts to access your account, your Chase Online Profile has been locked. This has been done to secure your accounts and to protect your private information. Chase is committed to make sure that your online transactions are secure.  To verify your account and your identity please call our Account Maintenance Department at *(888) 555-3406* 24 hours / 7 days a week. 

Sincerely,

Chase
Online Customer Service

In Corporate IT security, there is a lot of talk about end-user education -- in effect, teaching the employees how to be safe and secure with corporate data. I think this phone phishing example is a case where end-user education is one of the only options. In this case, how do you know who you are calling and how can you confirm it? The 6.5 version of ZoneAlarm goes a long way to protecting you in the offline realm, but I can't see how any software, credit opt-out, monitoring or detection can protect someone from picking up the phone and dialing a phony number -- end-user education and caution may be the only option in this case.

Maybe the best suggestion is to use caution and refer to the company's website to call their officially listed phone number to avoid falling victim in cases like this.

Posted by jono2u on June 14, 2006 at 10:26 AM in Phishing & Spam

Home users hosting phish

Here is an example of some person's home machine hosting a phish:

[Image: Homeuserphish_2]

Phishers often use automated scanners to find, exploit and load phishing kits onto compromised machines. As you can see, this phisher loaded five phishing kits on this one compromised system: two eBay phishes, one paypal phish, and two banks.

The CastleCops Phishing Incident Reporting and Termination (PIRT) Squad shows this phish as terminated. You can take a look at the handler notes explaining how this specific phish was taken down.

Posted by jono2u on June 02, 2006 at 03:50 PM in Phishing & Spam

The self-defeating nature of phishing

While spammers sell more the more they spam, the opposite is true for phishing.

We know spam when we see it. Most of us don't like it, but let's face it, there are some people out there who buy what is advertised. If that were not the case, spammers would give up. It is safe to assume that increasing spam increases sales ever so slightly. Either the delivery becomes more appealing or the constant reminder makes some people break down and try it. In comparison, I can't imagine who would watch shopping channels and buy but obviously some people do. Personally, I've blocked all the shopping channels so my family won't be blighted with them.

Phishing works differently and this is profoundly important. It works by looking like the real thing and fooling the naive reader. While most of us spot a phishing email rather easily - our bank just wouldn't send us this message - obviously some people are fooled. But the problem is that each phishing email works like an inoculation. It builds our resistance to the next message. It makes people more wary. Not even the slightest part of us wants our bank account plundered, while there is a little voice in all of us saying it would be kinda nice to lose a few pounds or to stay up longer... at night... ah come on! I meant caffeinated drinks when you're tired!

So while more spam increases sales ever so slightly, more phishing should reduce success because we get better and better at spotting them.

Posted by jcgrant on May 31, 2006 at 10:09 AM in Phishing & Spam

Identity Theft Linked with Incontinence, “PayPal” says...

Years back, spotting a phish was easy -- simply look for typos. Today, not so easy -- unless you get one like this, which will both prevent you from logging in and probably make you laugh:

[Image: Phishtypo3]

Posted by jono2u on May 19, 2006 at 02:18 PM in Phishing & Spam

Spamming the spammers?

Wired reports that Blue Security has escalated the fight against spam by sending mass quantities of email to the spammers themselves:

Blue Security's controversial method uses reverse spam, if you will, returning massive quantities of opt-out messages to companies it identifies as spammers.

But the spammers seem to have found who has signed up on Blue's security list and started spamming them directly:

"We have devised a method to retrieve your address from their database," one message states. "So by signing up and remaining a Blue Security user not only are you opening yourself up for this, you are also potentially verifying your e-mail address through them to even more spammers."

We'll keep you updated as this situation evolves.

5/10 UPDATE:

Blue Security has come under severe DDoS attack which bled over into other blog hosting companies -- resulting in slow-downs and lack of response on some affected blog sites.

5/17 UPDATE: Wired News Reports:

Blue Security CEO Eran Reshef said the Israel-based company was closing its service Wednesday since he did not want to be responsible for an ever-escalating war that could bring down internet service providers and websites around the world and subject its users to denial-of-service attacks from a well-organized group in control of a massive army of computer drones.

Brian Krebs reports the DDoS is now taking Blue Security's final surrender message offline:

Hours after anti-spam company Blue Security pulled the plug on its spam-fighting Blue Frog software and service, the spammers whose attack caused the company to wave the white flag have escalated their assault, knocking Blue Security's farewell message and thousands more Web sites offline.

The Blue Security site is officially offline....

Posted by jono2u on May 08, 2006 at 04:55 PM in Phishing & Spam

Just when I thought I was smart a Chase Bank phish swims by

Recently I started investigating checking account options at various banks. So when I just received an email from Chase Online Banking I thought nothing of clicking it. Immediately after, I realized I'd written to Citibank and that I never have even been to Chase's website. Argggh.

And, on my personal computer where I read the mail, Thunderbird also thought nothing of it. While often valid messages have "Thunderbird thinks this is a scam" there was no such message on this scam. Arggh 2.

What is the solution? Never click on links in emails that go to secure sites. As I discussed recently with someone at PayPal, the sure fire answer is to go directly to the site that (allegedly) emailed you. Log in from there rather than click links in emails. If it suddenly dawns on you that you don't have an account with that organization, well, you'll know it was definitely a phishing scam.

Now all I have to do is remember my own advice!

Securely yours,

Susie

PS - Two weeks after writing this, I received a new credit card I had applied for. Turns out the issuing bank was Chase. "So that Chase email was a real after all," I thought. Until hours later when I learned there had really been a slew of Chase Bank email phishing attempts.  Argh!

Have you been duped?

Posted by ZoneAlarm on April 17, 2006 at 01:12 PM in Phishing & Spam

Phish Stew

Recently, I received an email from a favorite online store of mine, warning me that my order is on hold and that I need to call American Express to authenticate and validate the charge. In the email I was provided a phone number and a case number. It was presumably for a real order I had placed -- so I called.

Then things got real weird. Once I phoned the provided number, I was greeted with an automated touch-tone system asking me to key in my credit card number. It sounded fake. When I call American Express, I expect their automated phone tree systems to use professional voice talent and not the customer service manager's voice (not that it was -- I don't know). Now, being the paranoid guy I am, I didn't enter my credit card number as requested. Instead, I hit 0 or # or whatever to get to a real operator. After a few minutes of speaking to the fraud prevention representative, the charge was approved and the retailer notified.

Now I do like the fact that American Express flags potential fraudulent transactions. And I do like that my retailer immediately notified me that the order was on hold. But I think they go about it all wrong and that it's just a big phishing scam waiting to happen.

Imagine this: an email lands in your inbox saying that a recent purchase at Amazon.com has been put on hold for approval by your credit card company. Like the email I received, you are provided with a phone number and case number. You call this phone number and when prompted you enter in your credit card number, expiration, and CV2 code. You then enter in the case number. Finally, the automated system asks you to approve or disapprove the charge in question for the case number you provided. Since you had recently made an Amazon.com purchase, you say yes. You hang up thinking all is well and good.

Here's what really happened: some clever person in a far-off country has signed up for an 800 number VoIP service. They've got their VoIP service set up to terminate on an Asterisk box they have at their house or ISP or wherever. They've also gone through the trouble of setting up an automated voice prompting script that asks callers to key in their credit card number, CV2, and expiration date. In other words, they've created a "spoof" automated fraud prevention system much like American Express currently uses. Too expensive to pull off, you might think? Not if you consider that VoIP is dirt cheap, and Asterisk is free. I can't imagine it would be too hard to obtain VoIP service using a stolen credit card, either. The last part of the equation is spamming the world with a fake "fraud alert" email purporting to be from a major retailer like Amazon (much like the legit one I received). The likelihood that this phishing email will arrive in the mailbox of someone who has recently bought something at Amazon is quite high. I'm sure there are a handful of other vendors that have significant online sales volume, too -- they would certainly be just as vulnerable to this sort of phishing attack.

The point of this blog post, though, is not to spell out some great new way for hackers to rip off more unsuspecting people. Rather, this whole experience made me stop and think about just how massive a problem phishing could turn into. I no longer think of phishing as just some dumb email trick that tries to fool me into going to a (usually) fake-looking web site. I fully expect next generation attacks to incorporate "offline" methods for scamming card numbers out of unsuspecting consumers. While blacklisting or flagging phishing web sites is one small step towards solving the problem, I believe the real solution is stopping the email scams from ever arriving.

If anything, this is just another sign that the Internet email system is in need of an overhaul. In our current legacy email system, there's no "built-in" way to know that some email is really who it says it is from. And until a sender verification method like Sender Policy Framework (SPF) is adopted, Internet users will continue to receive progressively more sophisticated phish emails.
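To make concrete what "sender verification" with SPF means for a receiving mail server, here is a small SPF evaluator added for this post (it is not code from the blog or from any SPF library). It works against a constructed in-memory table of SPF TXT records instead of DNS, so it runs offline; the domains, addresses and the `check_spf`/`verify_mail_from` names are all assumptions for the illustration. It implements the mechanisms that cover the common case (`ip4`, `ip6`, `include`, `redirect=`, `all`, and the four qualifiers) and shows how a forged envelope sender from an unlisted IP ends up as `fail` while a legitimate relay listed via `include:` passes.

```python
# Minimal SPF (RFC 7208 subset) evaluator, added as an illustration of the
# sender verification the post refers to. No DNS: records come from a
# constructed table (assumption), so this runs offline. A production
# deployment would use a resolver-backed library and handle a/mx/exists/ptr.
import ipaddress

# Constructed example zone: domain -> SPF TXT record. Addresses are from
# RFC 5737 documentation ranges and the domains are not real.
SPF_RECORDS = {
    "example-bank.test": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 ~all",
    "example-shop.test": "v=spf1 redirect=example-bank.test",
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate the SPF record of `domain` for a message from `sender_ip`.

    Returns (result, reason) where result is one of
    pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:
        return "permerror", "too many include/redirect lookups"
    record = records.get(domain)
    if record is None:
        return "none", f"no SPF record for {domain}"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", f"{domain}: not an SPF record"
    ip = ipaddress.ip_address(sender_ip)
    redirect = None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            # redirect= is a modifier: only used if no mechanism matches.
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # ip_network.__contains__ is False across IP versions, so an
            # IPv6 sender never matches an ip4 mechanism.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            sub_result, _ = check_spf(sender_ip, arg, records, depth + 1)
            if sub_result == "permerror":
                return sub_result, f"{domain}: include:{arg} produced permerror"
            # include: matches only when the referenced record yields pass.
            matched = sub_result == "pass"
        else:
            return "permerror", f"{domain}: unsupported mechanism {name}"
        if matched:
            shown = f"{qualifier}{name}" + (f":{arg}" if arg else "")
            return QUALIFIERS[qualifier], f"{domain}: matched {shown}"
    if redirect:
        return check_spf(sender_ip, redirect, records, depth + 1)
    return "neutral", f"{domain}: no mechanism matched and no 'all' term"

def verify_mail_from(mail_from, sender_ip, records=SPF_RECORDS):
    """Apply SPF to an SMTP MAIL FROM address (the envelope sender)."""
    domain = mail_from.rpartition("@")[2].lower()
    return check_spf(sender_ip, domain, records)

if __name__ == "__main__":
    # Constructed SMTP sessions: a legitimate relay and a forged sender.
    for mail_from, ip in [("alerts@example-bank.test", "203.0.113.10"),
                          ("alerts@example-bank.test", "192.0.2.77"),
                          ("orders@example-shop.test", "198.51.100.7")]:
        result, reason = verify_mail_from(mail_from, ip)
        print(f"{ip:>14} {mail_from:<28} -> {result:<8} ({reason})")
```

A receiver typically treats `fail` as grounds to reject or quarantine and `softfail` as a scoring signal; note that SPF only checks the envelope sender's sending host, so it says nothing about whether the visible "From:" line or the phone number in the body can be trusted.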

In the meantime, what can you do?

  • Do not click links in emails from ecommerce sites. Directly type the URL into your browser's address bar.
  • Do not give out personal information to people who call you. Extracting it from you under false pretenses is an illegal practice the Federal Trade Commission calls "pretexting."
  • Only give out information to phone representatives that you have telephoned, using phone numbers from official sources (such as the website that you typed in or correspondence that you know is official). The Department of Justice has more information about telemarketing fraud.

Posted by matthite on April 11, 2006 at 02:52 PM in Phishing & Spam

Serious IE Address Bar Spoofing Vulnerability

Secunia is reporting about an IE address bar spoof that looks very serious. I'm sure phishing groups will include this in their phishing attack kits shortly. We'll keep an eye out for phishers using this attack and post more information/update this blog as we see it.

Details from the Secunia Advisory:

The vulnerability is caused due to a race condition in the loading of web content and Macromedia Flash Format files (".swf") in browser windows. This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.

You can also test your browser to see what it looks like, if you are vulnerable, by clicking here.

What's the solution? Try an alternate browser -- you might like it...

Posted by jono2u on April 05, 2006 at 02:07 PM in Phishing & Spam

Tips for Deciding if Email is Spam or Real: Yahoo mail examples

Recently I've noticed a proliferation of spam messages coming to my Yahoo! mail that appear to come from a Yahoo! address - most often "info@yahoo.com." It's easy to see why someone newish to the Internet might worry that these are official messages from Yahoo!

[Image: Yahoospam_3_1]

In this posting, I've attached a screenshot of 3 messages I received in a row that are trying to "scare" me into clicking to see what's the matter with my Yahoo! mail account. (Click the tiny image to see the actual message subjects.)

Here's how I know these are spam - and some tips for how you can tell when a message is spam.

For one thing, Yahoo! never sends mail where the "from" is merely an email address like "info@yahoo.com." It's always the name of the related service.

Message #1: "Your account has been suspended."
How I know this is spam:
I had to access the account to get the message. Thus it's not possible for it to be suspended when I just signed in. End of story!

Message #2: "You have successfully updated your password."
How I know this is spam:
I had not updated my password. Thus - there is no way my password could get updated. OK let's say you're worried someone got access to your account and updated your password.

What is the surefire way I know this is spam? I just signed into my account using my old password. This confirms that my password has not been updated by anyone!

Message #3: Detected: Online User Violation

This is just silly and completely vague.
How I know this is spam: I have not done anything that would result in a "violation." Perhaps these are the emails that go to people who abuse Yahoo's email system. If you have done nothing wrong, never for a second believe Yahoo! would send you such a message.

Message #4: Important Notification

How I know this is spam: Yahoo! never sends me emails with vague, general subject lines like this.

Disclaimer: As they say in the financial world "past results are no guarantee of future results." Who knows what the spammers or Yahoo! will do next. But hopefully this bit of advice will save you some harmful clicks on spam mail!

Here are instructions from Yahoo! about how to report spam mail.

Posted by ZoneAlarm on April 03, 2006 at 09:18 AM in Phishing & Spam
