Advertisement
  • About the Author
  • About this Blog

    • Posts Tagged: phishing

    Latest Warnings33 Comments
    20
    Jun 10

    A Spike in Phone Phishing Attacks?

    A couple of readers have written in to say they recently received automated telephone calls warning them about fraud on their credit card accounts and directing them to call a phone number to “verify” their credit card numbers. These voice phishing attacks, sometimes called “vishing,” are a good reminder that today’s scam artists often abuse a range of modern technologies to perpetrate old-fashioned fraud.

    Graphic courtesy Internet Identity

    Phone phishing schemes often begin with a pre-recorded message that prompts the recipient to call a supplied telephone number — frequently a toll-free line. Usually, the calls will be answered by bogus interactive voice response system designed to coax account credentials and other personal information from the caller.

    Lures for these telephone phishing attacks also are sent via text message, a variant also known as smishing. Indeed, the Sacramento Bee warned last week that residents in the area were receiving text messages spoofing the Yolo Federal Credit Union.

    A new report (PDF) from anti-phishing vendor Internet Identity found that credit unions continue to be a favorite target of smishing attacks, and that text-to-phone scams used a toll-free number in about half of the lures sent in the first quarter of 2010.

    Internet Identity also tracked at least 118 smishing attacks in the first quarter of 2010, although the company said that number represents a 40 percent drop in these scams over the last three months of 2009.

    It may be hard to imagine how many people actually fall for these scams, but you might be surprised. In March 2008, I wrote about an extremely complex vishing attack that targeted customers of multiple credit unions. A source I interviewed for that story later managed to make a copy of one of the servers that these crooks used to accept incoming calls for this scam, which ran uninterrupted from Jan. 13, 2008 to Feb. 21. From that story: “During that time, the phishers sent millions of text messages, and records from that server show that roughly 4,400 people called the fake bank phone number as directed. Out of those, 125 people entered their full credit/debit card number, expiration and PIN.”

    Have you or someone you know recently received one of these scam phone calls or texts? Sound off in the comments below.

    A Little Sunshine / Web Fraud 2.013 Comments
    17
    May 10

    Teach a Man to Phish…

    Phishing may not be the most sophisticated form of cyber crime, but it can be a lucrative trade for those who decide to make it their day jobs. Indeed, data secretly collected from an international phishing operation over  18 months suggests that criminals who pursue a career in phishing can reap millions of dollars a year, even if they only manage to snag just a few victims per scam.

    Phishers often set up their fraudulent sites using ready-made “phish kits” — collections of HTML, text and images that mimic the content found at major banks and e-commerce sites. Typically, phishers stitch the kits into the fabric of hacked, legitimate sites, which they then outfit with a “backdoor” that allows them to get back into the site at any time.

    About a year and a half ago, investigators at Charleston, S.C. based PhishLabs found that one particular backdoor that showed up time and again in phishing attacks referenced an image at a domain name that was about to expire. When that domain finally came up for grabs, PhishLabs registered it, hoping that they could use it to keep tabs on new phishing sites being set up with the same kit.

    The trick worked: PhishLabs collected data on visits to the site for roughly 15 months, and tracked some 1,767 Web sites that were hacked and seeded with the phishing kit that tried to pull content from the domain that PhishLabs had scooped up.

    PhishLabs  determined that most of the phishing sites were likely set up by a single person — a man in Lagos, Nigeria that PhishLabs estimates was responsible for about 1,100 of the phishing sites the company tracked over the 15 month experiment.

    Continue reading →

    Target: Small Businesses54 Comments
    8
    Feb 10

    Comerica Phish Foiled 2-Factor Protection

    A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than half a million dollars last year.

    Experi-Metal sells metal stampings, trim moldings and specialty items.

    The lawsuit, filed by Experi-Metal Inc. (EMI), in Sterling Heights, Mich., charges that Dallas-based Comerica Bank effectively groomed its customers to become phishing victims by routinely sending them e-mail messages that asked recipients to click a link to update the bank’s security technology. The company also alleges that Comerica’s security protections for customers are not commercially reasonable, because the phishing scam routed around the bank’s 2-factor authentication system.

    According to a complaint EMI filed in December with a Michigan circuit court, for many years Comerica used “digital certificates” for authenticating online banking customers. Digital certificates are the browser-based counterparts to ATM cards, and many banks require customers to include the bank’s cryptographically signed digital certificate in their browser before the bank’s online system will allow users access.

    Once a year from 2000 to 2008, Comerica sent emails to EMI and other customers directing them to click on a link in the email, and then log in at the resulting Web site in order to renew the digital certificate that Comerica required.

    Continue reading →