Slashdot Mirror
Phishers Get Phoney
Nick Johnson writes to mention a new twist on phishing. From the article: "The spammed message warns of a problem with a bank account and instructs the recipient to dial a phone number to resolve it. The caller is connected to a voice response system that is made to sound exactly like the bank's own system. The phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN."
Makes me think that it is still the safest option to have customers do all their banking right at a teller.
where's all that Karma?
..do they know what bank i use? I've had emails from banks all over the world regarding my "account". The only email i havent got yet is from the bank i actually use!
To dare, is to do.
It seems that phishing is evolving but they are getting forced to use more risky (for the phisher) methods. A phone number feels more physical than a web presence so it should be easier to track besides this has to be breaking some "dont screw around with the phone" federal law.
The best test environment is production. - Me
chrome://browser/content/browser.xul
So, what if you enter a random number with random PIN. They have to go thru the trouble to make the card, only to find out it doesn't work. And their face pop up at the video camera's of the ATMs all the time with failed withdrawals.
Bert
My mum was called by a recorded message from my bank, asking for my date of birth, she assumed it was a fake (horrah!) and put in a wrong birth date. It turned out to be genuine, they were checking that my mistaken PIN attempts were me and not somebody else :)
What's the next step. Setting up a phony bank branch and asking you to come into it? Maybe I should just start using only cash.
Yeah. I bet you that shiny $3 bill in my wallet that cash is a lot safer than banking...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
No one will ever ask you for your account number or pin. This is not so much a new twist as good old basic social engineering. It stands to reason NEVER to trust any unsolicited form of communication unless you check it out and NOT by calling the number the phisher provides.
one would think these guys would just seek gainful employment.
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
Why should an insitution (not just banks) ask me for details they are supposed to already know?
No security technology or technique is strong enough to defy stupidity!
And phishing exploits stupidity!
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
I wonder if these guys were stupid enough to use a "1-8XX" number. Oh the fun that could be had making them pay...
In the area where I live there has been a more serious "phone phish" going on. You receive a call from someone and claiming to be a police officer. They say that they're very sorry to have to inform you that your mother/father/son/daughter/sister/bother has been involved in a serious crash and is being flown by emergency helicopter to regional hospital X. So that the hospital is able to treat them the moment it touches down, the officer is trying to complete necessary admittance and insurance paperwork in advance, and what they need from you is your insurance policy number *and* the full name, address, phone, credit card number, and social security number of someone who can be billed in the event that the insurance policy is unwilling to cover the necessary treatment.
From what I understand, these scammers have been doing pretty well, unfortunately, and as far as I know there are few leads. The public hasn't been told why... maybe they're using convenience store phones and/or pay phones.
STOP . AMERICA . NOW
The answer is to take all your money, convert it into gold coins, then bury it in a chest on an uninhabited island. Don't forget to kill the pirates who helped you bury it before leaving. Celebrate with a bottle of rum.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
You know the woman who says "For English, press 1" isn't actually sitting there, right?
Haida Manga
This is all the result of spamming. At what point are the authorities going to take the spam problem seriously? This is what I want to know. The main way worms, counterfeit products, illegal drug sales viruses, adware, trojans, backdoors, phishing, and other things propagate is via UCE. Every system spam passes through has records on where it is coming from and where it is going. Even with the jurisdictional issues, there should be more action and prosecution from various authorities of spammers. Why there isn't is mind boggling. If we can shut down some of these spam gangs, most of this activity will stop.
The $64M question is why the Feds don't seem to be interested in stopping spammers? I refuse to believe they are that incompetent. Any decent network admin could track these spammers to a physical address within a few days.
I mean, arn't they fooling enough people in the status quo? Now, they have to pay people to act like they work for a bank, and have them on call 24/7.
The same stupid people are going to believe this (why would your bank email you asking you to call them?), so now the phishers will be losing money by paying actors, and not really getting enough extra to cover the cost.
I think the "Tragedy of the Commons" has struck the spam and phishing world. First, a few spams and you had a high return rate. Now that everyone's inbox is flooded, no one reads them anymore. So people turned to phishing, which made a lot of money. However, people realized that you know, the bank isn't going to send them alerts to *every* email account they have anymore (I get the same phish email in my home account (several copies), and my Gmail account), or as I mentioned in my anecdote, *several* copies. For the past week, Chase Online had a problem *EVERY SINGLE DAY*. The first time, maybe. The Nth time, well, it's obviously a scam.
Either that, or if one were to answer every phish, there would've been nothing left in the account beyond the first couple of phishers.
So now that everyone's into the phishing racket, all the low-hanging fruit is gone, since people get suspicious when the bank sends multiple emails on the same problem, or over the course of a week, or different problems with the same bank. It worked wonders when phishes were rare. Now that they happen daily, well.
Interesting how the Tragedy of the Commons can affect scams as well (which probably included a number of ways spam has evolved over the years).
But hey, calling a 1-800 number can be quite fun, since they're paying for the call. May be fun to do an automated calling thing that calls, presses random numbers, speaks sloooooooowwwwwwlllllly...
You visit a website. It visits your banks website. You type in your account number. It types in your account number. Etc.
Same for the phone. It could simply conference you to your bank and listen in to everything you do. You're dealing with your own bank, so you wouldn't suspect anything. They'd have all your info.
Man, you really need that seminar!
No *wonder* she hasn't answered my letters.
No matter, I thought she was a little too aloof anyhow.
- First they ignore you, then they laugh at you, then ???, then profit.
So we have phoney phishing phreaks now?
First off, the penalties for such intentional and deliberate fraud attempts should be very, very severe. This is an organized and well-planned attempt to commit fraud and it should be treated as such. I'm all for fairness in sentencing, but when someone goes through this much trouble to attempt to steal from others, they should be dealt with very harshly.
Secondly, why does law enforcement have such a hard time stopping things like this? It would seem fairly trivial to me to follow the phone and money trail to whomever is commiting these crimes. I understand that much of it may involve international crime, but come on.
Is it that there just so much of it that they can't keep up? Or is it that they're so incompetent that, even given the tools they have at their disposal, they can't actually track down the criminals? Or is this just such a low priority crime that they're not paying attention to it? Or is that they're so bogged down in the beauracracy, especially if they have to use international resources, that they don't have time to react?
No matter what, it's a sad state of affairs that such crimes are so common.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
Banks already do this - it is called secure messaging, and it is web based. You get an e-mail telling you that you have a message, the e-mail has no links or phone numbers (since you know your bank's web site), and you log into a secure web site to send and receive messages.
It's a form of online fraud, and I specialize in its prevention. There are two simple things to do to prevent ID/personal info theft like this. Never click a link in an e-mail. I'd say you can hover over the link and you'll see it's masked, forwarded, just plain a different site, etc., but most of the population has no clue how to read those things anyway (though I'm sure most, if not all, of you here know how to). Go directly to the company's page if you have an account with them. If they need you to "verify" info or whatever, the legit site will tell you after you've signed in. Ignore it altogether if you don't have an account with the place supposedly sending it (right now it's very common to receive things from "Chase" asking to fill out a survery and get $20). The second is to call the regular customer service number you can get through 411. An agent via that number can connect you to whoever you need. If the e-mail says to call a certain number to get hold of a certain person, an agent can help you find that person, if he/she exists and is an employee of the company. No legit institution at which you have an account will address you as, "Dear customer," or some other impersonal greeting. Always by your name. It's at the point that I believe that, if someone has their ID stolen, they deserve it. We've all heard time and again not to click on links, and yet 3-7% of people still fall for these things. Yes, the number is that high. Scary, huh?
It's a girl!