Anti-Phishing Blog


Monday, August 29, 2005

Verify your Bank of America Online Banking

As Andy noted in a previous entry in the BOL Security Blog, Bank of America has been very proactive in implementing measures to help protect its customers from phishing and pharming. In particular, B of A uses a Site Key graphic to confirm to users that they're where they want to be. Still, that doesn't stop the phishers from trying, as you can see in the phishing email below. What is hilarious is that within a 12-day period, I received the IDENTICAL message, but it purported to be from a different bank.

On another note, because PayPal customers have been targeted by so many phishing scams, when PayPal sends out real emails to notify customers that the credit card they have on file for their account is about to expire and needs to be updated, they do not include a single link. Instead, they direct the recipient to go directly to the PayPal site, log on as normal, then go update their information. The only bad thing is that with so many fake emails, it's a challenge to get customers to read the real thing . . .


Bank Of America Alert Message

We recently reviewed your account, and we suspect an unauthorized ATM - based transactions on your account. Therefore, as a preventive measure we have temporary limited your access to sensitive Bank Of America features. To ensure that your account is not compromised please login to Bank Of America Internet Banking by clicking this link, sign in, verify your account information and your online account will be reactivated by our system.

- Click on: [URL deleted.]
- Enter your personal information.
- Verify your identity with Bank Of America

If at any time you require assistance, please contact our Online Account Services customer hotline at 1-800-788-7000 24 hours a day, 7 days a week. Thank you for using Bank Of America Online Account Services.

Important Information from Bank Of America(R) This e-mail contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted. Bank Of America and its service providers are committed to protecting your privacy and ask you not to send sensitive account information through e-mail. You can view our privacy policy and contact information at [URL deleted]. If you are not a Bank Of America customer and believe you received this message in error, please notify us by responding to this e-mail.

© 2005 Bank Of America , N.A. All rights reserved.

Bank of the West Online Banking

This one attempts to add legitimacy by assigning a "Case ID Number." It sounds so plausible and so helpful. If we had an account at the bank, we might have thought this was real. I love it that the scammers also included the "Member FDIC" and "Equal Housing Lender" statements.

Dear Online Customer,

As part of our security measures, we regularly screen activity in the Banking system. We recently noticed the following issue on your Online Banking account: A recent review of your Online account determined that we need some additional information from you in order to provide you with online secure service. Case ID Number: FW-222-367-412. For your protection, we have limited access to your Online account until additional security measures can be completed.

We encourage you to log in to your account as soon as possible to help avoid this. Once you log in, you will be provided with steps to restore your account access to regular standing. We appreciate your understanding as we work to guarantee account safety. In accordance with Bank of the West's Agreement, your account access will remain limited until the issue has been resolved. If access to your account remains limited for an extended period of time, it may result in further limitations or account closure.
Login to Online Account
Please understand that this is a safety measure meant to help protect you and your account. Thank you for your attention to this problem. We apologize for any inconvenience.
Sincerely,
Bank of the West, Member FDIC, Online Banking Customer Service



Copyright © 2005 Bank of the West. Member FDIC. Equal Housing Lender


Wednesday, August 17, 2005

Test Your Phishing Skills

You've read about phishing expeditions over and over and you just wish a game warden would haul these folks off. Not gonna happen.

You personally are smart enough not to give the PayPal, eBay and various bank emails any nibbles on your PC. You know that some of your customers may fall for these phishing messages. And you know that you need to educate them to protect the funds that you may have to repay. Have you also educated your employees?

Employees are customers too, and they have access to very confidential data, and lots of it. Realize that sometimes everyone needs some hand-holding. Gone are the days when you could spot a phishing email just by its poor grammar. Today's are sophisticated and crafty. I read about one recently that told the recipient NOT to send confidential information over email. Instead there was a form for them to print, complete and fax back. Now that was much safer; except that it wasn't from their institution and the fax number went to the bad guys.

You monitor and audit to ensure your policies and procedures are being followed. Have you thought about testing the effectiveness of your anti-phishing training? Two organizations that have are the State of New York and West Point, the Army's military academy. The good guys pretended to be bad guys pretending to be good guys. And as you guessed, many fell for the phake phishing messages.

While you don't want to destroy any trust you have with your employees, you may decide to dip your toe in the water with a limited sample of messages sent and see if there are any bites. If you see signs of piranhas, you might increase your scope and see who responds with bank sign-on info, personal info, or who clicks on links that could have had a malicious payload. This is one way you can ensure you are doing the right things with the right personnel. You'll also know if you are adequately protecting your system integrity and the confidential information it stores.

I would do this with employees. You may or may not want to. I wouldn't do this with customers, but would instead use any lessons learned to reinforce customer education efforts.

If you choose not to audit, what else can you do to protect your systems? These attacks are not going away. And just because there isn't a masked man in front of a teller, it doesn't mean someone isn't trying to rob you.

Big Phish Casts Wide Net for VISA Customers

It looks real. It doesn't have the amateurish quality of most phisher emails and it is sure to lure unwitting customers into divulging credit card information that will quickly find its way into the hands of thieves. Apparently, this phish is operating from a Road Runner address that has yet to be shut down. The root site says MINORCAN.COM and has a FlickerTronics logo on it, but the IP (24.26.32.137) is registered to a Road Runner address block. Here's the phish that is finding its way into customers' inboxes:

SUBJECT LINE: Protect your Visa card online with a personal password (that's a good one!)


Verified by Visa protects your existing Visa card with a password you create, giving you assurance that only you can use your Visa card online.

Simply activate your card and create your personal password. You'll get the added confidence that your Visa card is safe when you shop at participating online stores.

How it works: activating your card
You may activate Verified by Visa for your Visa card in two ways: Activate now or activate during shopping.


Activate your card now

You may activate now by entering your card number over our secure server. If your card issuer is participating in Verified by Visa (most issuers are) you'll complete a brief activation process. You'll verify your identity, create your Verified by Visa password and you're done.

To activate now your visa card please click on https://usa.visa.com/personal/security/vbv/index.html (LINK REMOVED -- the underlying link goes to a different address. The link shown in this post is the actual VISA site, but the link contained in the phish email goes to a BOGUS site, which is what makes this so dangerous.)

Participating Card Issuers
With more than 8,400 card issuers now offering Verified by Visa to their cardholders, it's easier than ever to activate your Visa card.

To find out whether your card issuer is participating, click (link removed) Activate Now, enter your card number, and submit the information over our (link removed) secure server.

How do I know activation is secure and safe?

Personal and payment card information is transmitted using a high level of encryption (SSL), and is stored on a secure server behind a firewall to protect against unauthorized access. To learn more about online security, view our (link removed) Email, Phishing & Security Tips.

What are the Verified by Visa password requirements (number of characters, numbers, upper case, etc.)?

Password requirements are determined by each Visa card issuer/member bank. Contact your Visa card issuer to learn more about their password requirements.
Can I activate more than one card?

Yes, you may activate all of your Visa cards, as long they were issued by participating financial institutions and Verified by Visa is available.

I received notice from my Visa card issuer that my card has been activated in Verified by Visa. What does this mean?

Some Visa card issuers provide additional security by initiating activation for cardholders. Just follow the instructions provided by your card issuer and start shopping with added safety and confidence.

© Copyright 2005, Visa U.S.A. All Rights Reserved.

========The Actual email contains the VISA logo and Verified by VISA logo so it looks very official====


Sunday, August 14, 2005

Anatomy of a Cashier Check Scam - Phishing for dollars

8/14/05 Cashier Check Scam -- to an unsuspecting victim the email below sounds like a legitimate car buyer, but seller beware: just because the buyer suggests an official cashier's check doesn't mean the money is good. It's actually a scam and you could be out $3,805 if you fall for it.

================ Text of Actual Scam Email ===================

Dear ,

My client has indicated her interest in buying your car and has agreed to settle for your asking price of $7,695. She has asked me to inform you that payment will get to you in a cashier check of $11,500 which is a refund payment of a canceled order earlier made by her.

Due to company policy which only allows a refund payment on one cashier check, this check has to be made to you in this whole amount. So you are required to deduct the cost of your car ($7,695) when payment gets to you and refund balance of $3,805 to my customer for her to offset shipping and tax charges.

After payment has reached you and balance sent to her, our agent will come for the pick-up and drive to a prepaid shipper to be shipped to my customer while title papers another necessary documents will be sent by you via courier services to my client.

Please provide Name, Address and Phone Number for check payment to be delivered to you immediately.

Regards

==================================================================

EARTHLINK billing warning


8/12/05

Don't think that the only time your institution could incur losses is when the phishing scam purports to be from you. Anytime the customer is tricked by any phishing scam into believing they should disclose sensitive banking information, you could be affected.

This one purports to be from my Internet service provider and I'm having to type it because copying and pasting it -- even into Word as unformatted text -- did the most bizarre things with it. Oh man. I just looked at the HTML code for the email. In a deliberate attempt to make it harder to copy and paste, they put groups of four letters into table data cells. I know that doesn't mean much to those of you who aren't HTML wonks, but this is pretty amazing. See screenshot below:




Here's what the message actually said:

Dear Earthline Customer,

During one of our regulator automatical verification procedures we've encountered a technical problem, caused by the fact that we could not verify the information that you provided during registration.

We urgently ask you to submit your information so that we could fully verify your identity, otherwise an access to Earthlink services for your account will be deactivated until you pass the verification process

Please use our secure online application to submit your information - apply here. [URL omitted]

Thank you for using our services,
Earthlink Payment Processing Department
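The cell-per-fragment trick described above (four characters per table cell so that copy/paste and text extraction produce garbage) can be undone mechanically, and its presence is itself a useful signal. The following is an added example written for this page, not the original post's code and not the actual source of the Earthlink message: it uses Python's standard-library html.parser to collect table cells row by row, shows what a whitespace-separating extractor gets versus the reassembled text, and applies a median-cell-length heuristic whose thresholds are assumptions to be tuned on real mail. The HTML sample is constructed from one sentence of the message above.

```python
from html.parser import HTMLParser
from statistics import median


class _CellCollector(HTMLParser):
    """Collect the text of every <td>, grouped by the <tr> that contains it."""

    def __init__(self):
        super().__init__()
        self.rows = []        # list of rows; each row is a list of cell strings
        self._row = None
        self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)   # keep inner spaces: they are part of the text

    def handle_endtag(self, tag):
        if tag == "td" and self._cell is not None:
            self._row.append("".join(self._cell))
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None


def table_cells(html):
    parser = _CellCollector()
    parser.feed(html)
    parser.close()
    return parser.rows


def naive_text(html):
    """What copy/paste or a whitespace-separating extractor produces:
    every cell becomes its own 'word', so keyword matching fails."""
    return " ".join(cell for row in table_cells(html) for cell in row)


def flatten_cell_obfuscation(html):
    """Rebuild the intended text: cells in a row are concatenated with no
    separator, rows are joined with newlines."""
    return "\n".join("".join(row) for row in table_cells(html))


def looks_cell_obfuscated(html, max_cell_len=4, min_cells=8):
    """Heuristic: a table made of many tiny cells is not laying out data,
    it is hiding text. The thresholds are assumed starting values."""
    cells = [c for row in table_cells(html) for c in row]
    return len(cells) >= min_cells and median(len(c) for c in cells) <= max_cell_len


# Constructed sample in the style the post describes (four characters per
# cell); this is not the actual source of the Earthlink message.
OBFUSCATED = """<table>
<tr><td>We u</td><td>rgen</td><td>tly </td><td>ask </td><td>you </td><td>to s</td><td>ubmi</td><td>t yo</td><td>ur i</td><td>nfor</td><td>mati</td><td>on</td></tr>
<tr><td>your</td><td> ide</td><td>ntit</td><td>y</td></tr>
</table>"""

# An ordinary layout table, for contrast.
LEGIT = "<table><tr><td>Service</td><td>eTimeBanker with Bill Pay</td></tr></table>"

if __name__ == "__main__":
    print(naive_text(OBFUSCATED))
    print(flatten_cell_obfuscation(OBFUSCATED))
    print(looks_cell_obfuscated(OBFUSCATED), looks_cell_obfuscated(LEGIT))
```

Run the reassembled text, not the raw extraction, through whatever content filter or keyword rules you rely on; otherwise the obfuscation defeats the filter exactly as it defeated the author's copy/paste. The heuristic is worth keeping as its own rule, since legitimate mail has no reason to chop prose into four-character cells.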


Friday, August 12, 2005

Bank of the West - WARNING: Please update

8/12/05
(received August 5)

This one had the subject line:

WARNING: Please update your Bank of the West eTimeBanker

Yeah, pal. We don't have an account there either.

Dear Bank Of The West Customer,

This is your official notification from Bank Of The West that the service(s) listed below will be deactivated and deleted if not renewed immediately. Previous notifications have been sent to the Billing Contact assigned to this account. As the Primary Contact, you must renew the service(s) listed below or it will be deactivated and deleted. [URL removed]

SERVICE : Bank Of The West eTimeBanker with Bill Pay. EXPIRATION: August 10, 2005

Thank you,

Bank Of The West Management Center Customer Support

LaSalle NOTICE

8/12/05

This one is designed to make the recipient believe someone may have attempted to hijack their account. Since the email went to a BOL staffer who doesn't have an account at LaSalle, it was pretty easy to spot it as phish.

Dear LaSalle Bank customer,

We recently noticed one or more attempts to log in your LaSalle Bank online banking account from a foreign IP address and we have reasons to believe that your account was hijacked by a third party without your authorization.

If you recently accessed your account while traveling, the unusual log in attempts may have initiated by you. However if you are the rightful holder of the account, click on the link below and submit, as we try to verify your account. (In case your are not enrolled use your Social Security Number as User ID and first 6 digits of Social Security Number as password): [URL removed]

The log in attempt was made from:

IP address: 159.255.11.185
ISP host: 159.255.11.1.prov.T1fast.net

If you choose to ignore our request, you leave us no choice but to temporally suspend your account.

We ask that you allow at least 48hrs for the case to be investigated and we strongly recommend not making any changes to your account in that time.

If you received this notice and you are not the authorized account holder, please be aware that is in violation of LaSalle Bank policy to represent oneself as another LaSalle Bank account owner. Such action may also be in violation of local, national, and/or international law. LaSalle Bank is committed to assist law enforcement with any inquires related to attempts to misappropriate personal information with the Internet to commit fraud or theft.

Information will be provided at the request of law enforcement agencies to ensure that perpetrators are prosecuted to the fullest extent of the law.

* Please do not respond to this email as your reply will not be received. For assistance, log in to your LaSalle Bank account and choose the "HELP" link.

Thanks for your patience as we work together to protect your account.

Regards,
2005 LaSalle Investment Management, Inc. A member of the Jones Lang LaSalle group. All rights reserved.


Thursday, August 11, 2005

PayPal Credit/Debit Update

8/11/05

Gotta love this one. Especially the part that says "We demand that you take 5 minutes out of your online experience . . ."

The first time I got this phishing scam variant, since I really had recently moved, I almost thought it was real. It looks professional, it sounds plausible. Well, at least until you get to the "demand" part.


Security Notice

Dear valued PayPal® member:

During our regularly scheduled account maintenance and verification procedures, we were unable to verify your account information. This might be due to either one of the following reasons:

1. A recent change in your personal information (ie change of address).
2. Submitting invalid information during the initial enrollment process.
3. An inability to accurately verify your account information due to an internal error within our processors.

Click here to restore your account [URL removed]

We demand that you take 5 minutes out of your online experience and renew your records to avoid running into any future problems with the online service. However, failure to update your records will result in your account suspension. Once you have updated your account records your internet banking service will not be interrupted and will continue as normal. Please follow the link below and renew your account information.

Thank you for your patience.

Sincerely,
PayPal Customer Service


Wednesday, August 10, 2005

PayPal -- New Security Requirements

Every week, we get multiple emails that are clearly phishing scams. Here, we'll keep a running record of them.

Received 8/7/05

This email, which purports to be from PayPal, fails to address the subscriber by name and contains misspellings (e.g., "existant"). It specifically targets debit card information.

----------------------------

Dear valued PayPal® member,

Due to recent fraudulent transactions, we have issued the following security requirements.

It has come to our attion that 98% of all fraudulent transactions are caused by members using stolen credit cards to purchase or sell non existant items. Thus we require our members to add a Debit/Check card to their billing records as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. Your Debit/Check card will only be used to identify you. If you could please take 5-10 minutes out of your online experience and renew your records you will not run into any future problems with the PayPal® service. However, failure to confirm your records will result in your account suspension.

We are requesting this information to verify and protect your identity. Federal regulations require all financial institutions to obtain, verify, and record identification from all persons opening new accounts or obtaining ongoing payment services. This is in order to prevent the use of the U.S. banking system in terrorist and other illegal activity. For these reasons, PayPal® will utilize services provided by various credit reporting agencies to verify the information you submit to us.

Once you have updated your account records your pending PayPal® account transactions will not be interrupted and will continue as normal. To update your billing records please login to your account by clicking here.

Thank you for your time,

PayPal® Billing Department.