Phishers Get Phoney
Nick Johnson writes to mention a new twist on phishing. From the article: "The spammed message warns of a problem with a bank account and instructs the recipient to dial a phone number to resolve it. The caller is connected to a voice response system that is made to sound exactly like the bank's own system. The phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN."
Makes me think that it is still the safest option to have customers do all their banking right at a teller.
where's all that Karma?
Do they know what bank I use? I've had emails from banks all over the world regarding my "account". The only email I haven't got yet is from the bank I actually use!
To dare, is to do.
How do you defend against this one? Or, one better, what if 'the bank' called you and said your account had been compromised and they need to reset your password? 'To do so, of course, they need to verify your old password', or you can go online and change your password.
What's the next step. Setting up a phony bank branch and asking you to come into it?
Maybe I should just start using only cash.
"Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons."
It seems that phishing is evolving, but they are getting forced to use more risky (for the phisher) methods. A phone number feels more physical than a web presence, so it should be easier to track; besides, this has to be breaking some "don't screw around with the phone" federal law.
The best test environment is production. - Me
chrome://browser/content/browser.xul
So, what if you enter a random number with a random PIN? They have to go through the trouble to make the card, only to find out it doesn't work. And their faces pop up on the video cameras of the ATMs all the time with failed withdrawals.
Bert
My mum was called by a recorded message from my bank, asking for my date of birth. She assumed it was a fake (hurrah!) and put in a wrong birth date. It turned out to be genuine; they were checking that my mistaken PIN attempts were me and not somebody else :)
No one will ever ask you for your account number or PIN. This is not so much a new twist as good old basic social engineering. It stands to reason NEVER to trust any unsolicited form of communication unless you check it out, and NOT by calling the number the phisher provides.
Fresh phish with a side of Skype, anyone?
Not to belabor the point that all the other posters have made so far -- it's just another example of human stupidity. If it doesn't occur to them to check at their local branch first, then they're asking for trouble. Of course this ends up impacting senior citizens more than anyone. After all, given age and occasional infirmity, they'd be easy marks, probably trusting the phone more than email. I'm sure the spectrum of dupes is pretty broad, but mark the elderly especially vulnerable, mitigated by the fact that not too many of them are using the Internet as extensively.
To wander a bit off the topic, when they were building a new PNC Bank branch in my area, they had a Winnebago parked nearby that was apparently a mobile bank, with tellers and even an ATM machine in the side. Far from building a brick-and-mortar branch, that seems a far more effective way of physically duping people, especially if you have all the trappings.
GetOuttaMySpace - The Anti-Social Network
http://www.collisiondetection.net/mt/archives/2005/03/_next_time_you.html
Um, duh! If you don't check the numbers you deserve to have these nice people borrow your money. Anyway how is this "new"? I've seen phone numbers in scam email before.
one would think these guys would just seek gainful employment.
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
If you have family or friends who are less than computer savvy, take the time to explain the issues and concerns to them. I get questions all the time about whether this or that is a scam or not. Do I get annoyed by it? Of course! But it's certainly a lot less painful than having to deal with the after-effects of someone who got stung.
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
Why should an institution (not just banks) ask me for details they are supposed to already know?
No security technology or technique is strong enough to defy stupidity!
And phishing exploits stupidity!
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
I wonder if these guys were stupid enough to use a "1-8XX" number. Oh the fun that could be had making them pay...
Phishing has gone extreme and so have the tactics.
The other day I walked up to what I thought was my bank and looked in only to find an empty lobby with a server and phone switching system behind the counter.
He who knows best knows how little he knows. - Thomas Jefferson
Safer in a bank? I've never received a phishing e-mail that included an armed robber. It's really simple; banks don't e-mail you asking for info.
Sounds like the banks need to add a security filter to their automated phone systems, similar to what they've begun doing on their websites... Bank of America, for instance, now has a picture display above the password input: a picture that you pick out from a selection of pictures, which is pulled from a database and has a unique ID. If the pic shown on the password input page is not the one you've selected, then you know you're on a phishing site.
For automated phone systems, there could be a word or phrase that you pick from a selection of phrases... when you use the system and put in your account number, it will ask you to confirm that the following phrase is the one you selected, will repeat the phrase, you press a button to confirm, and then, if confirmed, you put in your PIN.
No more phoney phishing
A fool throws a stone into a well and a thousand sages can not remove it.
I mean, aren't they fooling enough people in the status quo? Now they have to pay people to act like they work for a bank, and have them on call 24/7.
The same stupid people are going to believe this (why would your bank email you asking you to call them?), so now the phishers will be losing money by paying actors, and not really getting enough extra to cover the cost.
Maybe it's me, but this makes no sense from a business standpoint.
Obligatory Soundbite Catchphrase
The answer is to take all your money, convert it into gold coins, then bury it in a chest on an uninhabited island. Don't forget to kill the pirates who helped you bury it before leaving. Celebrate with a bottle of rum.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
As for how this could be implemented, I'm not sure, but it seems to me that banks (working together) have enough technical skill and influence over their customers (and by extension, over the software their customers run) that they could make it work one way or another.
I don't care if it's 90,000 hectares. That lake was not my doing.
Just thinking that a likely situation is this...
Use a previously scammed credit card to set up a free-to-call-in phone system, which you can get through several service companies that create surveys, etc. This would clear you of any connection with the number itself and stop any backtracking investigation....
Use a cash prepaid temporary cellphone to call in to retrieve said info, probably by having it email the data to an anonymous Hotmail account or some such... use a zombie PC to download/access said account, store on a USB drive.... voila.
Completely anonymous collection process, with the only backtrack leading to a victim's credit card account and an IP trail leading to a throwaway zombie PC located in another country altogether.
Here in the UK there is a disturbing new development. Certain ATM machines have been tampered with and now have a false front. When you put your card in the slot, your account details are captured and a camera records you inputting your PIN. At a later date, the false front is removed and the data is retrieved.
Apparently, Russian gangs are responsible. . .
http://news.bbc.co.uk/1/hi/england/tees/3516236.s
This is all the result of spamming. At what point are the authorities going to take the spam problem seriously? This is what I want to know. The main way worms, counterfeit products, illegal drug sales, viruses, adware, trojans, backdoors, phishing, and other things propagate is via UCE. Every system spam passes through has records on where it is coming from and where it is going. Even with the jurisdictional issues, there should be more action and prosecution from various authorities against spammers. Why there isn't is mind-boggling. If we can shut down some of these spam gangs, most of this activity will stop.
The $64M question is why the Feds don't seem to be interested in stopping spammers? I refuse to believe they are that incompetent. Any decent network admin could track these spammers to a physical address within a few days.
So the change of the hook up point is web address->phone number.
Web address is easier to check right away without going there, but phone numbers are still checkable. I actually always google the owners by googling them.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
I don't know exactly how new this sort of approach is, but it's certainly more advanced. I, or rather my girlfriend, received an email from a supposed PayPal representative telling me someone had attempted to access my account, and to confirm my identity I just needed to go log in with my username and password, and was linked to a near-identical PayPal site with the standard login and whatnot. I'm not an idiot and I could immediately tell that it wasn't the right site, since the address was obviously different and there were slight visual discrepancies in the page. However, the email itself contained all the standard warnings against phishing emails - "Don't email your username/password", "never give out your account info over the internet to anything but the actual site", etc., etc., and about half of the links were to the actual PayPal site, as opposed to the fake one. I can see how a slightly less careful and computer-savvy user could easily mistake this for a genuine email and not notice that the site they were logging into wasn't the real one. All in all it was a pretty slick grift, and it would work on most people.
The existing rule of thumb is that you never give sensitive info if you are not the one who originated the call, but still... if the Caller ID says, CITIBANK, then you would be tempted to trust.
So, after the usual questions (Is this, essentially, phishing using voice? Should I answer at all?), I decided to call them back and find out who these people were. (I should mention that the voice message didn't name the mortgage company.) Of course, I get the computer first. It asks me to enter my account number. Yeah, right - there is absolutely no way I'm going to give my account number to these people.
Eventually I get a person. She also asks for my account number. I say, "No, you people called me. You asked me to call this phone number. Now prove to me that you are the people that I do business with." She asked for my phone number. I gave it to her - hey, they'd already called me once, so it wasn't like I was giving away some great secret - and then she knew my name. She then asked for the last four digits of my social security number - not the whole thing, just the last 4 digits. Since she was able to figure out who I was from my phone number that quickly, I felt safe going that far. I mean, she could have gotten it from a reverse phone directory, but it seemed much more likely that she just looked it up in their database. She then told me what the amount of my last payment should have been, including in it the late fee for the month before. At this point, I felt confident that I was talking to the right people. I was impressed. This whole thing was conducted about as close to a zero-knowledge proof as you can get when it's humans rather than computers talking.
So, the point is, you can call the number. But you have to get a human on the line, and you have to make them prove to you that they already know your account information.
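The phrase-confirmation IVR proposed a few posts up and the "make them prove they already know my account" rule from this post are the same idea: the institution demonstrates knowledge of the enrolment record before the caller discloses anything sensitive. This is an added simulation of that exchange, not code from the original thread; the record contents, access ID and both IVR classes are constructed for illustration.

```python
import hmac

# Constructed sample enrolment record for a hypothetical bank IVR. The access
# ID is a low-sensitivity lookup key; the phrase was chosen by the customer at
# enrolment and is what the system must play back before asking for a PIN.
BANK_RECORDS = {
    "48213": {"phrase": "purple giraffe", "pin": "7391"},
}


class GenuineIvr:
    """The institution's own system: it holds the enrolment data."""

    def __init__(self, records):
        self._records = records

    def phrase_for(self, access_id):
        rec = self._records.get(access_id)
        return rec["phrase"] if rec else None

    def check_pin(self, access_id, pin):
        rec = self._records.get(access_id)
        return rec is not None and hmac.compare_digest(rec["pin"], pin)


class CopycatIvr:
    """A look-alike system built from a spam list: it can imitate the prompts
    but holds no enrolment data, so it can only guess at the phrase."""

    def phrase_for(self, access_id):
        return "welcome, valued customer"

    def check_pin(self, access_id, pin):
        return True  # accepts anything; its only goal is to capture the PIN


class Caller:
    def __init__(self, access_id, phrase, pin):
        self.access_id, self.phrase, self.pin = access_id, phrase, pin
        self.disclosed_pin = False

    def verify_phrase(self, spoken):
        # The caller's half of the check: the system must prove it knows the
        # enrolled phrase before the caller reveals anything sensitive.
        return spoken is not None and spoken.strip().lower() == self.phrase.lower()


def run_call(ivr, caller):
    """Simulate the exchange and report whether the PIN was ever entered."""
    spoken = ivr.phrase_for(caller.access_id)
    if not caller.verify_phrase(spoken):
        # Wrong or missing phrase: hang up without entering the PIN.
        return {"system_verified": False, "pin_entered": False, "logged_in": False}
    caller.disclosed_pin = True
    return {
        "system_verified": True,
        "pin_entered": True,
        "logged_in": ivr.check_pin(caller.access_id, caller.pin),
    }


if __name__ == "__main__":
    for ivr in (GenuineIvr(BANK_RECORDS), CopycatIvr()):
        print(type(ivr).__name__, run_call(ivr, Caller("48213", "purple giraffe", "7391")))
```

Note that the phrase only shows the system holds the enrolment record; anyone who knows the access ID can have it played back, so it must never be reused as the caller's own credential.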
So we have phoney phishing phreaks now?
First off, the penalties for such intentional and deliberate fraud attempts should be very, very severe. This is an organized and well-planned attempt to commit fraud and it should be treated as such. I'm all for fairness in sentencing, but when someone goes through this much trouble to attempt to steal from others, they should be dealt with very harshly.
Secondly, why does law enforcement have such a hard time stopping things like this? It would seem fairly trivial to me to follow the phone and money trail to whomever is committing these crimes. I understand that much of it may involve international crime, but come on.
Is it that there's just so much of it that they can't keep up? Or is it that they're so incompetent that, even given the tools they have at their disposal, they can't actually track down the criminals? Or is this just such a low-priority crime that they're not paying attention to it? Or is it that they're so bogged down in the bureaucracy, especially if they have to use international resources, that they don't have time to react?
No matter what, it's a sad state of affairs that such crimes are so common.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
this is news ? come on there's nothing new or complex or cazry about what their doing.
I read a story a few months ago about a well organized shoplifting ring that was stealing stuff and then selling it in a store they had set up for the purpose. A fake retail store is probably a lower bar than a fake bank branch. (Sorry, I looked for a link and can't find it amidst the flood of "organized shoplifting" stories.)
There have been a few cases of fake ATM machines, though. That's probably more effective than a fake bank branch would be anyway.
If you mod me down, I shall become more powerful than you could possibly imagine.
When I dial my bank they ask for my "access ID" and PIN. The access ID is just a number assigned to me, different from my account number. My PIN, though, is my ATM PIN.
What they're doing is QUITE cazry.
Oh, and it's THEY'RE , not "their".
Well, considering that the phishers have acquired some expertise in identity theft I'd suspect that the elevated risk involved is for the poor sucker in whose name they opened a phone line. Instead of opening the mail one day to find his credit card balance higher than it should be, he'll wake up to the sound of the FBI kicking in his door. BAM!
Of course, they'll let him go as soon as they figure out he doesn't know anything about computers. But what if the bad guys happen at random chance to use *your* name? Establishing probable deniability likely takes a bit longer when you have the skills required to commit the high tech crime and your FBI-confiscated computer shows you've been discussing phishing in Slashdot threads. You might have to fall back to alibi. Doh!
Even better (worse):
Suppose the bad guys Google the names on their list (or determine from information on the PC from which their bot got the initial identity data) to select people who are likely to have computer skills? They have plenty of names to pick from. Being somewhat selective about the names they use to open phone lines and bank accounts would be downright obfuscational. Heck, the Evil Doers(TM) could pick people with publicly expressed dissatisfaction with government activities like domestic spying, torture, and secret prisons. Once they have their "short list" of mouthy computer guys with a trojan on their PC, they could even plant fake evidence before using their name to Do Evil Things(TM) before silently fixing the hole in their PC, and removing all traces that the trojan was ever there. Ooooh... that would be ugly.
["Evil Doers" and "Do Evil Things" are trademarks of The Bush Administration.]
It's a form of online fraud, and I specialize in its prevention. There are two simple things to do to prevent ID/personal info theft like this. Never click a link in an e-mail. I'd say you can hover over the link and you'll see it's masked, forwarded, just plain a different site, etc., but most of the population has no clue how to read those things anyway (though I'm sure most, if not all, of you here know how to). Go directly to the company's page if you have an account with them. If they need you to "verify" info or whatever, the legit site will tell you after you've signed in. Ignore it altogether if you don't have an account with the place supposedly sending it (right now it's very common to receive things from "Chase" asking you to fill out a survey and get $20). The second is to call the regular customer service number you can get through 411. An agent via that number can connect you to whoever you need. If the e-mail says to call a certain number to get hold of a certain person, an agent can help you find that person, if he/she exists and is an employee of the company. No legit institution at which you have an account will address you as "Dear customer" or some other impersonal greeting. Always by your name. It's at the point that I believe that, if someone has their ID stolen, they deserve it. We've all heard time and again not to click on links, and yet 3-7% of people still fall for these things. Yes, the number is that high. Scary, huh?
It's a girl!
Not necessarily -- with the advent of VoIP, we no longer need to run copper into a physical address to get a phone number. You can sign up to get a 1-800 DID (direct inward dialing) phone number over the internet, just as easily as you could sign up for a hosted server. Use a few (stolen) credit cards, and you're off to the races.
Now if they would get rid of that horrible on-hold music, we might have something to worry about...
...are treated as if they were merely "civil matters" by most local law enforcement. If a thief doesn't actually commit a "hard proof" crime against a home/building or a person, they really don't seem to want to deal with it. Just look how little they actually ever prosecute hot check writers.... with the notable exception of crooks who write hot checks to pay their court fees and fines, they go after those with a level of vengeance that parallels the intensity of which they like to pursue drug users. Phishing scams and bank fraud are really the realm of federal law enforcement in the US, and the federal authorities only seem to be interested in pursuing those crimes when they are of very large magnitude (e.g. big enough to make national news media headlines) and all the small phishing/fraud crimes get left simply by the wayside, with maybe the authorities taking down some facts in a report and filing it away along with bazillions of other similar reports that will never actually ever get fully investigated.
No hospital is going to hold up EMERGENCY treatment for paper work. Anything less than immediately life threatening, and they might.
As always, if you're really worried, look up a contact number from a reliable source, and then place the call yourself. If the hospital operator is at all sharp, they probably won't tell you anything anyway, let alone want to grill you for all your personal info.
For anything from your bank, look on the back of your ATM or credit card and use that phone number only. What really irks me is when the real security department for one of my cards calls and leaves a message with a different 800 number. That irks me because it's such a classic phishing scam, and because it's usually that they've held up a Western Union transfer to a family member in dire need.
The same goes for the web. Get in the habit of never using those convenient URLs in e-mails. Use a bookmarked URL for that institution. Or look at some of their snail-mail for the correct URL, preferably in something like a statement that would be hard to forge.
Be careful out there.
Consumer Caller ID is easily faked
http://www.spoofcard.com/
Obviously in your case it was real, but it's entirely possible that scammers could dial you faking the caller ID of a real bank.
The user will see the increased security every time they change providers, change jobs, change coffeeshops (at a minimum) so it won't be out of the ordinary.
If BofA is paying attention to IP address they might try to watch a range that has many "new" customers suddenly. Might be a public hotspot, might be a fraud server.
Man, you really need that seminar!
I sent this email out to my co-workers and a large list of friends and family. I've sent similar warnings in the past, and people are generally appreciative, because they have NO CLUE things like this are going on (hence, the insanely profitable phishing business).
Feel free to use my email, contents below, and send to anyone/everyone you know who could use a heads-up.
[Disclaimer for the /. folks]
1. I know there is more that people can do to keep their computers secure, but I don't have time to write a whole book, and people won't read it, anyway.
2. I know not everyone runs Windows and MS office. Facts are, most people do, and most of them don't keep them updated. The 'nix crowd is probably more informed on this stuff anyway; this email isn't for them.
3. I know some people out there aren't capable of doing anything preceded by the word "Configure" on a computer. The best we can do is let them know that something *should* be done, and hope they call someone who can help them out.
4. If someone asks you about the logic of clicking a link in an email that advises them not to click links in emails, give them a gold star and a pat on the back, because they are paying attention and are more savvy than a large portion of the population.
[/disclaimer]
The people who are out to get your personal and financial information are getting more clever. They have come up with a new attack where they send you an email that instructs you to call "your bank" and enter your account number and PIN number. The catch is that the number they give you is fake, and they just collect your information through the phone. This attack was well thought out, and people are especially likely to fall for this, because they are used to entering this information when they call their banks or credit card companies.
From the article: "The spammed message warns of a problem with a bank account and instructs the recipient to dial a phone number to resolve it. The caller is connected to a voice response system that is made to sound exactly like the bank's own system. The phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN."
Since they're getting your information over the phone, there isn't much that computer or e-mail security can do to prevent this attack.
Some rules to remember:
1. Be VERY suspicious of any email that has communication regarding financial information or your bank.
2. NEVER click any links or open attachments in emails unless you are sure it came from a trusted source.
3. If you are going to call a number and give out sensitive information (such as account numbers, PIN, date of birth, etc.), verify that the number you are calling is correct, by checking an old bank statement or phone book, or even your bank/credit card company's website.
Also, you can help protect yourself from other types of phishing attacks by doing the following:
1. Make sure Windows is up to date by visiting http://windowsupdate.microsoft.com/ or configuring "Automatic Updates" in your Windows Control Panel
2. Make sure you have Antivirus software installed and make sure you keep it current (most antivirus software can be configured for automatic updates pretty easily).
3. If you have Microsoft Office, make sure it is up to date by visiting http://office.microsoft.com/officeupdate
You can read more about this attack at the following link:
dragée (n): a sugarcoated nut
For some time now, Germany's Postbank has used digitally (S/MIME) signed e-mails to communicate with its customers, and also has information on its site on how to validate the signatures.
...My credit card company left an automated message on my answering machine saying, "Please contact our fraud department at 1-800-xxx-xxxx".
I was stunned. What kind of security is that? Am I supposed to blindly assume every "Hey, you have a Visa, right? Call me" message on my answering machine is referring to a legitimate phone number for your organization?
Hopefully they'll stop doing that crap soon.
However, it would be easy for the system that calls you to use your bank's 1-800 number and even include a message about how you can call the number on your card if you have any doubts.
I had a few calls from a similar scam (I suspect) about a year ago. In both cases, a person rings up claiming to be from company A (different companies each time, both of which I am a customer of (how they found out is a whole other worry)), wanting to speak to X (i.e. me), then asks you to identify yourself with a bunch of "unique ID" type questions (e.g. mother's maiden name... the sort of stuff that can be used to get passwords etc. later on). The best course of action I could think of at the time was to politely tell them precisely why I wasn't going to answer their questions (on the off chance that they were from company A), then call company A to ask if they wanted to contact me. Surprise surprise, when I finally got through to a human, they didn't know anything about it. There has been no follow-up physical mail, and no problems with service since.
Does make you wonder how many people will fall for this before it becomes as widely known as similar email scams though...
The asshats at my CC company did something similar.
I travel every month or every couple of months at least and they apparently decided that I had "suspicious" activity on my credit card thus blocked it until I called their number.
Being away from home and on business I was PISSED! I called them up and yelled at full volume for a good 5 minutes telling them to NEVER turn off my card again, and if they thought it was stolen they should call and verify it with me BEFORE killing my card. I then told them that if this ever happened again I would do a balance transfer and then cancel my card, because I refuse to put up with a denial of service because of their overzealous algorithms which cause too many false positives.
It's been almost a year and I haven't had a problem from these clowns to date, so I think it worked. On a positive note, my CC company all speak very good English on the other end of the phone, so I can't complain about that!
Libertas in infinitum
Phishers build fake branch offices to invite bank customers to, fully staffed by fake staffers, who get the customers to fill out fake questionnaires.
Like the fake police station from "Do Androids..."
http://www.aa419.org/fake-banks/fakebankslist.php
About 8 years ago I got this phone call that said they were a security team on behalf of the issuer of my credit card, and they were verifying the card. They told me the card number and wanted me to verify it by supplying the 3-digit security code. I told the lady there's no way she's getting this code, and if the bank wants to ask me something they can contact me. She insisted that I must give her my code, and I refused and told her she was lying. In that case the credit card was one issued by an Israeli bank. I was in Detroit and the call was inside the US. I did not give my number in Detroit to my Israeli bank. So it was certainly fraud.
This year I was contacted by cellphone in Israel by the VISA security department. They told me there were some unusual charges on my VISA card (issued in Israel), and asked if I made them. They then asked if I wanted to block the card immediately and I agreed. They did it immediately, and the fraudsters still got to charge almost $10,000 (I got every penny back + interest. The charges were made to some gaming website registered in Hong Kong and some PayPal accounts with Chinese-sounding names).
I also got an email from my bank this year that was caught by FastMail.FM's phishing detector (URL shown in link is not in the same domain as URL in HREF attribute). The email was really from the bank: it was sent to a SneakEmail.com address that only I, my bank and SneakEmail know about. I can tell what email is sent from my bank and what is not because I dedicated an email address for that purpose. That's what people should do when they provide an email address, and banks should encourage it. However, banks are content to just insure themselves against fraud and cover their costs by charging their customers, and ISPs do not want their users to know that they can provide countless amounts of email addresses per customer at no cost. Their strategy is based on getting the customer hooked by their precious email address they got from their ISP, and ISPs want them to believe that an email address is a scarce resource that's hard to replace.
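The FastMail check this post describes (link text names one domain, the href points at another) is the same thing the earlier "hover over the link" advice asks a reader to do by eye. This is an added Python implementation of that heuristic over a constructed sample message, not FastMail's code; the sample HTML and the example-bank domains are made up, and the domain comparison is simplified to the last two labels (so it ignores public suffixes such as co.uk).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one genuine link, one whose visible text names
# a different domain than the href it really points at, and one plain link.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="https://www.example-bank.com/login">sign in</a>
to confirm your details, or visit
<a href="http://example-bank.com.verify-login.example.net/">www.example-bank.com</a>.</p>
<p>Security tips: <a href="https://www.example-bank.com/security">https://www.example-bank.com/security</a></p>
"""


def registrable_domain(host):
    """Reduce a hostname to its last two labels (simplification: no public
    suffix list, so 'example.co.uk' would collapse to 'co.uk')."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_named_in_text(text):
    """Return the hostname the visible link text appears to name, or None
    when the text is ordinary words such as 'sign in'."""
    text = text.strip()
    if not text:
        return None
    if "://" in text:
        return urlparse(text).hostname
    token = text.split()[0]
    # Bare domain-looking text such as "www.example-bank.com/login"
    if "." in token and all(c.isalnum() or c in ".-/" for c in token):
        return token.split("/")[0]
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def find_mismatched_links(html):
    """Return (href, text) pairs where the text names a domain that differs
    from the domain the href actually resolves to."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = host_named_in_text(text)
        if shown is None:
            continue  # descriptive text makes no domain claim to check
        actual = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            flagged.append((href, text))
    return flagged


if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_EMAIL):
        print(f"suspicious: text {text!r} -> href {href}")
```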
Avoiding phishing is easy for those who prepare.
I'd just love to get a message: "Mr. Lorcha, hi. This is Mr. Shitforbrains calling you from American Express. We have reason to believe that your card was stolen. Please look at the card that is no longer in your possession and call the 800 number on the back of it for further instructions. Have a nice day!"
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent