Anti-Phishing Blog




BOL blogs have now moved to Facebook.





BankersOnline currently features four different Web logs (“blogs”). In them, BOL team members can quickly share news, thoughts, rants, anecdotes, and stories in a quick and less formal way than through traditional articles. We put these thoughts in topical categories.

Friday, August 27, 2010

YouTube Linked to Malware

According to V3.CO.UK, the security firm Zscaler has found some 3 million YouTube pages covered by an invisible Flash object (a transparent layer over the page) that takes anyone who clicks straight to a fake antivirus page. These are the pages that end up installing malware; the user then either pays to get rid of a program that holds their PC hostage, or pays for a useless program and surrenders a credit card number to boot.

Google Safe Browsing is proving ineffective against these sites, letting about 90 percent of them through. The safest thing is to disable Flash, although that may stop some legitimate sites from displaying properly. Better still is to stay away from these pages in the first place: they all turn up when searching for "Hot Video."

Tuesday June 29, 2010

A Better Mousetrap

In the beginning we had a logon name, then a password to go with it, and then multi-factor authentication took off: verifying the IP address of the user, tokens whose numbers change every few minutes, cards with daily access codes, pictures, security questions and more. But it seems that whatever you can come up with, thieves can defeat.

Gartner Inc. has released a new research report, "Where Strong Authentication Fails and What You Can Do About It," and it is in line with my May 27 entry below. Only instead of hitting the banking customer's telephones with a denial of service attack, the thieves use call forwarding. If you use out-of-band authentication and actually call your customer to verify a transfer, do you first verify, in a secure manner, that the person you are speaking with is the customer? If not, consider doing so.

Some thieves have the ability to watch for a telephone call that is synchronized to a Web session and have that call forwarded to themselves. Certainly they'll approve the transfer. This is one level above the systems that intercept email or text verifications. When the customer transfers money from their account, the thief has it diverted to an account they control, but the confirmation message the customer receives describes the transfer they actually initiated, not the one that is really about to happen. Substitution is an asset to a thief, and bankers face an ever-growing challenge to stay ahead.
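The substitution problem above has a concrete design consequence: the out-of-band confirmation must be built from the transfer the bank has actually queued, and the code the customer reads back must be bound to those details, not merely to the session. The following is an added example, not code from the blog or from the Gartner report; the key, the session identifier and both account numbers are constructed for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    session_id: str
    amount_cents: int
    beneficiary: str  # destination account number (constructed values below)


def confirmation_code(account_key: bytes, txn: Transfer) -> str:
    """Short code derived from the transfer the bank has actually queued.
    Changing the amount or the beneficiary changes the code, so a code
    issued for one transfer cannot be replayed to approve another."""
    msg = f"{txn.session_id}|{txn.amount_cents}|{txn.beneficiary}".encode()
    return hmac.new(account_key, msg, hashlib.sha256).hexdigest()[:8].upper()


def confirmation(account_key: bytes, queued: Transfer) -> dict:
    """What the bank reads to the customer on the call-back. It is built from
    the queued transfer, never from what the browser session reported the
    customer typed, so a substituted beneficiary is spoken aloud."""
    code = confirmation_code(account_key, queued)
    amount = f"${queued.amount_cents / 100:,.2f}"
    last4 = queued.beneficiary[-4:]
    return {
        "amount": amount,
        "beneficiary_last4": last4,
        "code": code,
        "text": f"Transfer of {amount} to the account ending {last4}. Read back code {code} to approve.",
    }


def readback_approves(account_key: bytes, queued: Transfer, spoken_code: str) -> bool:
    """Agent-side check: the code the customer reads back must match the
    transfer in the queue, not merely belong to the session."""
    expected = confirmation_code(account_key, queued)
    return hmac.compare_digest(expected, spoken_code.strip().upper())


def substitution_visible(account_key: bytes, intended: Transfer, held: Transfer) -> bool:
    """True when the call-back would expose a swap: the spoken details differ
    from what the customer meant to send, and a code that matched the intended
    transfer does not approve the one the bank actually holds."""
    spoken = confirmation(account_key, held)
    details_differ = spoken["beneficiary_last4"] != intended.beneficiary[-4:]
    code_rejected = not readback_approves(account_key, held, confirmation_code(account_key, intended))
    return details_differ and code_rejected


# Constructed scenario: the customer submitted `initiated`; malware in the
# browser session swapped the beneficiary, so `queued` is what the bank holds.
ACCOUNT_KEY = b"per-customer-secret-held-by-the-bank"  # placeholder key
initiated = Transfer("sess-42", 1_500_000, "111122223333")
queued = Transfer("sess-42", 1_500_000, "999988887777")

if __name__ == "__main__":
    print(confirmation(ACCOUNT_KEY, queued)["text"])
    print("substitution visible on the call:", substitution_visible(ACCOUNT_KEY, initiated, queued))
```

Binding the code to the queued details does nothing against a thief who receives the forwarded call and simply agrees to whatever is read out; that is why the post's point about authenticating the person on the line still stands. What it does remove is the case where a genuine customer approves a transfer whose real destination they were never told.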

Thursday May 27, 2010

Telephone Denial of Service Attacks

As a banker, when you see a suspicious electronic withdrawal, one security measure may include calling your customer to verify the withdrawal is legitimate. This may be standard with large deposit and business customers as the transfers can be large amounts. What happens if you can't reach that customer?

A semi-retired dentist in Florida recently began getting repetitive calls on several of his phone lines; his son, who has a similar name, was also receiving them. The caller delivered a prerecorded message for a sex hotline, over and over, on his cell, home and office lines every 30 seconds. What the doctor didn't know was that while this distributed denial of telephone service was going on, over a period of about a month, $400,000 was being debited from his retirement accounts. The calls prevented Ameritrade from contacting him and were an effective distraction as well.

Investigations revealed 16 such cases as the FBI worked with AT&T on the telephone side. Sometimes the call was dead air, with the same effect. It also emerged that these attacks often start with a phishing attack, and that a thief will sometimes call the bank before the theft and change the customer's contact information. Banks need to be aware of these schemes and consider verifying with both the old and the new numbers.

The doctor in this case was made whole by Ameritrade.

Friday, January 22, 2010

P&E Customers Need Help Too

Your professional and executive customer won't fall for an internet scam, right? Not necessarily. Here is a new twist on an old scam that the FBI is warning the public about, with the older version described first.

The scammer sends an email to a law firm stating that they are overseas but need representation to collect a debt owed them by a person in the U.S. The firm sends a retainer agreement and invoice; the scammer responds with a check for payment. The check is for more than is owed, and the scammer asks that the excess be sent to a bank account in Korea, China, Ireland or Canada. Naturally the check is bad, but that isn't confirmed until after the excess funds have been wired overseas.

In the new version, an ex-wife on assignment in some Asian country wants the law firm to collect funds due her from a divorce. The ex-husband is in the U.S. and the firm agrees to represent her. They contact the ex-husband, who sends a certified check for the settlement. The firm deposits the check, retains its portion and wires the rest overseas to its client. The check is returned after the funds have been wired.

The moral of the story: when you have tellers and other staff trained to listen for keywords, look for unusual transactions and warn customers in an effort to protect them from losses, don't draw the line at the consumer. Stay on guard to assist your professional and executive customers as well.


Sunday, January 10, 2010

Scam Hits Bank of Chickamauga

In Georgia, the day after Christmas, many residents received a telephone call with a recorded voice telling them their ATM card had been restricted. They were given a telephone number to call, and that is where the scammer completed his phishing expedition: he gathered confidential card and account data and used it to steal from the accounts. Many balances were completely zeroed out, and more than one hundred accounts may have been affected. The calls all seemed to go to numbers with a 375 prefix. Authorities suspect the scam originated overseas.

The article I reviewed noted that these transactions are not FDIC insured, and that "The Vice President of the Bank says each case will be dealt with individually. But in all likelihood, customers lost whatever was in their account. Chickamauga police and the F-B-I are also aware of this scam." Based on common thefts such as this, Regulation E should protect the consumers. I hope the bank realizes and reviews this. Commercial customers may suffer losses, depending on the bank's policies and agreements, as Regulation E addresses "consumers."


Sunday, November 01, 2009

Spam Often Offers Money Mule Positions

On October 29, 2009 the FDIC warned banks that fraudulent work-at-home scams appear to be increasing. Spam is often the foot in the door for the cybercriminal. The bank's customers receive funds without knowing their true source and then transfer them electronically to overseas contacts. This job has become known as being a "money mule." Banks need to be aware of their customers' transactions and watch for the warning signs below in an effort to thwart criminal activity and avoid losses.

The FDIC cites these common scenarios:
  • Online job posting Web sites are used by criminals to locate individuals seeking employment with flexible work hours that can be performed from home. These work-at-home schemes often involve written employment contracts, job descriptions and procedures to legitimize the scam.
  • Advance fee scams promising large monetary rewards for acting as a financial intermediary can entice individuals to participate in this activity.
  • Mystery shopping jobs may be used that require the employee to assess the performance of money service businesses by completing EFTs and then evaluating the service using customer satisfaction forms.
  • Social networking sites may be used to recruit individuals to act as money mules. Criminals conjure up various imaginative stories to befriend and persuade individuals to receive and forward stolen funds.
  • Some hesitant or skeptical money mules have been intimidated, harassed and threatened by their criminal "employers" to process the funds transfers quickly and with secrecy.
  • The personally identifiable information provided by the money mule might later be used to commit identity theft or account takeover.


They also cite these examples of events that may indicate money mule account activity:

  • A deposit account opened with a minimal deposit soon followed by large EFT deposits.
  • Deposit customers who suddenly begin receiving and sending EFTs related to new employment, investments, business opportunities or acquaintances (especially opportunities found on the Internet).
  • A newly opened deposit account with an unusual amount of activity, such as account inquiries, or a large dollar amount or high number of incoming EFTs.
  • An account that receives incoming EFTs then shortly afterward originates outgoing wire transfers or cash withdrawals approximately eight to ten percent less than the incoming EFTs.
  • A foreign exchange student with a J-1 Visa and fraudulent passport opening a student account with a high volume of incoming/outgoing EFT activity.
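Several of the FDIC's indicators are mechanical enough to run as rules over account history, which is how a monitoring team would actually catch them. The following is an added example, not code from the FDIC or from BankersOnline: it encodes three of the indicators above (minimal opening deposit followed by large EFT credits, a new account with many incoming EFTs, and an incoming EFT followed within days by a wire or cash withdrawal roughly eight to ten percent smaller) and runs them over two constructed accounts. The thresholds and the sample transactions are assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    day: date
    kind: str      # OPEN, EFT_IN, WIRE_OUT, CASH_OUT, DEBIT
    amount: float  # dollars, always positive


@dataclass(frozen=True)
class Account:
    name: str
    opened: date
    txns: tuple


# Demo thresholds; a bank would tune these to its own customer base.
MINIMAL_OPENING_DEPOSIT = 100.0
LARGE_EFT = 2_500.0
SOON_AFTER_OPENING = timedelta(days=30)
NEW_ACCOUNT_AGE = timedelta(days=60)
MANY_INCOMING_EFTS = 3
PASS_THROUGH_WINDOW = timedelta(days=5)
SKIM_LOW, SKIM_HIGH = 0.07, 0.11   # "approximately eight to ten percent" kept by the mule


def _pass_through_minus_commission(credits, cash_out) -> bool:
    """An incoming EFT followed within the window by a wire or cash withdrawal
    that is 8-10% smaller: the mule forwards the money and keeps the fee."""
    for credit in credits:
        for debit in cash_out:
            if credit.day <= debit.day <= credit.day + PASS_THROUGH_WINDOW:
                retained = 1.0 - debit.amount / credit.amount
                if SKIM_LOW <= retained <= SKIM_HIGH:
                    return True
    return False


def flag_account(acct: Account, as_of: date) -> list:
    """Return the indicator codes that fire for this account."""
    flags = []
    opening = [t for t in acct.txns if t.kind == "OPEN"]
    credits = sorted((t for t in acct.txns if t.kind == "EFT_IN"), key=lambda t: t.day)
    cash_out = [t for t in acct.txns if t.kind in ("WIRE_OUT", "CASH_OUT")]

    # Account opened with a minimal deposit, soon followed by large EFT deposits
    if opening and opening[0].amount < MINIMAL_OPENING_DEPOSIT and any(
        t.amount >= LARGE_EFT and t.day - acct.opened <= SOON_AFTER_OPENING for t in credits
    ):
        flags.append("MINIMAL_OPEN_THEN_LARGE_EFT")

    # Newly opened account with a high number of incoming EFTs
    if as_of - acct.opened <= NEW_ACCOUNT_AGE and len(credits) >= MANY_INCOMING_EFTS:
        flags.append("NEW_ACCOUNT_HIGH_EFT_VOLUME")

    if _pass_through_minus_commission(credits, cash_out):
        flags.append("PASS_THROUGH_MINUS_COMMISSION")
    return flags


# Constructed sample accounts (not real customer data).
d = date
MULE = Account("new account, job found online", d(2009, 10, 1), (
    Txn(d(2009, 10, 1), "OPEN", 25.00),
    Txn(d(2009, 10, 4), "EFT_IN", 9_800.00),
    Txn(d(2009, 10, 6), "WIRE_OUT", 8_900.00),   # about 9.2% kept
    Txn(d(2009, 10, 12), "EFT_IN", 4_000.00),
    Txn(d(2009, 10, 13), "CASH_OUT", 3_640.00),  # 9% kept
    Txn(d(2009, 10, 20), "EFT_IN", 6_200.00),
    Txn(d(2009, 10, 21), "WIRE_OUT", 5_640.00),  # about 9% kept
))
PAYROLL = Account("established payroll customer", d(2009, 3, 15), (
    Txn(d(2009, 3, 15), "OPEN", 500.00),
    Txn(d(2009, 10, 1), "EFT_IN", 3_200.00),
    Txn(d(2009, 10, 2), "CASH_OUT", 200.00),
    Txn(d(2009, 10, 3), "DEBIT", 1_200.00),
    Txn(d(2009, 10, 15), "EFT_IN", 3_200.00),
))
AS_OF = d(2009, 10, 31)

if __name__ == "__main__":
    for acct in (MULE, PAYROLL):
        print(f"{acct.name}: {flag_account(acct, AS_OF) or 'no indicators'}")
```

The pass-through rule is the one worth keeping even on old accounts: an established customer who suddenly starts forwarding incoming EFTs minus a cut looks exactly like the "suddenly begin receiving and sending EFTs related to new employment" indicator, and the commission-sized gap is hard for the criminal to avoid without paying the mule nothing.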


Tuesday, September 15, 2009

A Closer Look at One Spam Message




Let's take a few moments to examine a spam message. The screenshot in the original post (not reproduced here) showed a notice, purportedly from Bank of America, warning that my account had several logon attempts. The message was sent to "undisclosed-recipients" and starts with "Dear member." I knew immediately it was spam as I don't bank there, but why wouldn't they address it to me if it were about my account? My bank knows who I am. That was a pretty good giveaway. But let's look at the source of the message.




Once the message is in the Junk E-mail folder in Outlook, you can see that the Bank of America image was linked to a valid image, but the security symbol was linked from USAA, a competitor of Bank of America. The message is short and sweet, and the link it sends the recipient to isn't on a bank domain at all: http://racheljohns.com/Bankofamerica.com/Online/index.html. The host is racheljohns.com; "Bankofamerica.com" is just a directory name in the path, put there to fool anyone who only skims the URL. Rachel Johns was likely a victim herself, with part of her site hijacked by the spammer. The link is a forgery, although racheljohns.com itself is accessible.
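The checks above (generic salutation, undisclosed recipients, a link whose host is not the sender's domain, the bank's name buried in the path, images pulled from a third party) can all be made from the message source. The following is an added example, not code from the blog: it parses a constructed stand-in for the message with Python's standard library and reports each finding. The headers, greeting and link target mirror what the post describes; the image URLs and the rest of the message body are made up.

```python
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the message in the post (not the actual spam).
SAMPLE_RAW = b"""From: Bank of America <alert@bankofamerica.com>
To: undisclosed-recipients:;
Subject: Several logon attempts on your account
Content-Type: text/html; charset=us-ascii

<html><body>
<img src="https://www.bankofamerica.com/images/logo.gif">
<img src="https://www.usaa.com/images/secure.gif">
<p>Dear member,</p>
<p>We detected several logon attempts on your account. Please sign in to verify.</p>
<p><a href="http://racheljohns.com/Bankofamerica.com/Online/index.html">Online Banking</a></p>
</body></html>
"""

GENERIC_GREETING = re.compile(r"\bDear\s+(member|customer|user|client|valued customer)\b", re.I)


class _RefCollector(HTMLParser):
    """Collects every <a href> and <img src> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.srcs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.srcs.append(a["src"])


def registrable_domain(host: str) -> str:
    """Last two labels only: fine for .com, wrong for co.uk and similar.
    Production code should use the Public Suffix List instead."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(raw: bytes) -> dict:
    """Return the claimed sender domain and the list of phishing indicators found."""
    msg = email.message_from_bytes(raw)
    sender_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    refs = _RefCollector()
    refs.feed(body)

    findings = []
    if "undisclosed-recipients" in msg.get("To", "").lower():
        findings.append("UNDISCLOSED_RECIPIENTS")
    if GENERIC_GREETING.search(body):
        findings.append("GENERIC_GREETING")
    for url in refs.hrefs:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if registrable_domain(host) != sender_domain:
            findings.append(f"LINK_OFF_DOMAIN:{host}")
        # The brand name appearing in the path but not the host is the classic decoy
        if sender_domain in parts.path.lower() and sender_domain not in host.lower():
            findings.append(f"BRAND_IN_PATH:{url}")
    for url in refs.srcs:
        host = urlsplit(url).hostname or ""
        if registrable_domain(host) != sender_domain:
            findings.append(f"IMAGE_OFF_DOMAIN:{host}")
    return {"sender_domain": sender_domain, "link_hosts": [urlsplit(u).hostname for u in refs.hrefs], "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RAW)["findings"]:
        print(finding)
```

Note that the From header is taken at face value here; it is trivially forged, so the sender domain is only the claim the message makes about itself, which is exactly what the link and image hosts are being compared against.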

If your customer gets a message like this, they should know how and where to contact you. Your bank should have a process that not only reacts to a threat like this to stop it, but reassures your customer of your safety and that of their accounts with you.


Friday, August 28, 2009

You've Won the Lottery

Well we all know that "You've Won" emails go straight to the spam folder. But in Sydney, Australia that attitude could have cost one lucky lady $40 million. She failed to log her telephone number on her entry. She'd heard on the radio that a winner was in western Sydney. She told her husband they weren't in western Sydney and he told her they were. She also told her husband they couldn't be lucky enough to win $40 million and he asked why not? Finally she looked and saw that her numbers did win. She checked her spam folder, and there was her notice from the real lottery authorities who had been trying to contact her.

It just goes to show you, that these notices are not all spam. And hey, looky there, I just won three lotteries. Funny, I don't remember entering any of these, especially the ones in the UK.

I still believe my chances of putting a real winning notice in my spam box is higher than my chances of winning in the first place.


Tuesday, June 09, 2009

Work at Home, Make Big Money

You may have heard of a customer working from home doing payroll or some other task for extra money, using an account at your bank as part of the job. It could well be a scam involving money laundering.

Some work-at-home offers are just scams. In this example, unwitting participants who thought they were processing payroll for an international company were actually money mules. Funds went into an account and back out; the money was stolen and was being laundered.

Alexey Mineev, of Hampton, New Hampshire, recently pleaded guilty to money laundering charges. He set up drop accounts that were used to receive and send money stolen from brokerage accounts. Mineev could be sentenced to two years in prison and a $40,000 fine. His plea agreement has him returning the $112,000 he made for his part in the scheme between July and December 2007.

Mineev and his co-conspirators, Alexander Bobnev and Aleksey Volynskiy, worked as a team. They would entice users to watch an online video that required a special codec to be installed, or to install a screensaver or a security patch, which was actually the delivery mechanism for a Trojan.

They could then monitor the user's activities, looking for passwords and other logon information for brokerage or bank accounts. Screenshots also showed the balance in the user's account. Bobnev would review the accounts, and Mineev and Volynskiy would move the funds through drop accounts. Once the funds left the U.S. they were virtually impossible to recover. Western Union was often used to move the money out of the country.

Your customers need constant reminders to keep their cyber-safeguards up and protect themselves from Trojans. Other customers need to be vigilant about who they work for and what jobs they are doing; they could be money mules and not know it. We have read on the BOL threads where both of these customers could be at the same bank. The bank is certainly a loser in this situation.


Monday, April 27, 2009

Possible Pandemic brings out Phishers

A possible pandemic triggered by the swine flu is causing panic for some. Others see it as an economic opportunity and try to sell fake pharmaceuticals. A number of these phishing and spam emails are being sent; two of the more popular have subject lines of "First US swine flu victims!" and "Madonna caught swine flu!" according to Dave Marcus, director of security research at McAfee Inc.

Marcus said that about two percent of current spam is about the flu. Some of it is out to sell phony or adulterated medications, and some sites simply want the credit card number of anyone who falls for the pitch.

These are probably the same people who quickly register domain names for storms in hopes of taking advantage of the goodwill of people trying to help others, so this activity is no surprise. But employees and customers alike need to realize that their own doctor and health system is where they should go for information and assistance. Buying drugs based on an email is not a wise choice: not only is the buyer unprotected after taking medication from an unreliable source, it just might make them sick.