Evil phishing attacks

Discussion in 'other security issues & news' started by Gullible Jones, Apr 2, 2010.

Thread Status:
Not open for further replies.
  1. Today I got a phishing email trying to bait me into logging in on "Bank of America". Nothing out of the ordinary... But the scary part is, the bogus log-in link actually had the correct (apparent) URL, www.bankofamerica.com, when I hovered the mouse over it.

    Now, I can generally trust myself to recognize phishing emails (or so I like to believe). But I do not like the idea that someone could spoof an innocuous-looking address, and thereby fool me into clicking on an at best malicious or at worst illegal link. How can I protect myself against that sort of exploit?

    (Seamonkey 2.0.4 FWIW, on Windows XP SP3, LUA + SRP)
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,773
    Location:
    Texas
    Delete the email on sight. Banks don't generally contact you in this manner.

    Set up your email program so it doesn't display html links.

    It sounds like you already have the general idea on how to protect yourself.
     
  3. I'm thinking less about phishing than something like this (for example):

    - New Wilders member posts a link that apparently goes to an independent firewall test.
    - However, said link is actually to a Google search for something very illegal; the URL is spoofed so it looks like it goes to a legit web page.
    - People click on the link. Needless to say they pretty quickly realize they've been duped, but by then the packets have already been transmitted, and the police and FBI are (wrongly) on their case.
    - By the time the authorities have figured out what happened, people have lost their jobs and maybe even wound up in jail.

    Lest you think this ridiculous, I've seen forums where similar stuff has happened courtesy of e.g. TinyURL. Granted that a smart user won't click on an unidentified TinyURL link or whatever, URL spoofing of the kind I suspect here would make that more difficult to detect.
     
  4. Meanwhile, the plot thickens...

    Viewing the email as text only shows that the link does in fact go where it's supposed to. Supposedly, anyway. The URL is click.emcom.bankofamerica.com, which according to some searching may be legit, and does seem to be in BoA's domain.

    Maybe the phishers have figured out a way to spoof GMail itself somehow? Or perhaps it's DNS cache poisoning on my ISP's end, in which case I could be in hot water.

    The other possibility, of course, is that someone at BoA just got the brilliant idea of sending spam-like emails with suspiciously repeated "Sign In" links to the bank's clients. This is the simplest answer, but somehow I strongly doubt it to be the case.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Gullible Jones

    Not quite sure what's going on with that link, but even with scripting and cookies enabled in FF, all I see is this

    eb.gif

    Completely white page except for that, and nothing after 5 secs, and the Go to your link doesn't work as it's not a real link?
     
  6. Hmm me too now. Though IIRC it was followed by an index.php and tons of gibberish.

    Oh one more thing! Now that I think about it, the original link was certainly phishing - I tried opening it up (sandboxed), and it was HTTP... The real BoA site is HTTPS straight off the bat.
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  8. It wasn't the W-9 form one... It was something about a monthly statement by email, which I hadn't asked for and hadn't received before. And it had numerous links supposedly going to the sign-in page of BoA's website, which is why I think it was phishing - BoA is not supposed to do that, ever.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Without seeing the actual email and/or the HTML code, all is speculation.


    ----
    rich
     
    Last edited: Apr 3, 2010
  10. Zeena

    Zeena Registered Member

    Joined:
    Apr 25, 2008
    Posts:
    409
    Location:
    UK
    Hi :)

    I get Fake Bank Emails all the time :rolleyes:
    Think I've probably had one from just about every British bank in existence.
    Some of them have extremely convincing email addresses :doubt:
    So!
    How do I know they are Fake?
    Coz...
    Lucky for me ( Sort Of! ) I don't have any money :D

    I've Just Learnt To...
    1) Stick um in the Spam Bin
    2) Delete Them
    3) Forget about it :thumb:

    Zeena
     
  11. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Phishing emails from "banks" are quite common ... as Ronjor pointed out, most if not all banks make the point that they'll never contact you by email except, in some rare cases, for promotional offers.

    Probably the funniest thing about them is that the vast majority of them are supposedly from banks I know darned well I've never done business with, and there's no question about trashing those. In rare cases I'll get one that looks to be from my real bank, and I'll forward those to their security people since whoever's sending them seems familiar with details of the bank's procedures and departments.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    With tools like Prevx SafeOnline or Trusteer Rapport, which both can protect against so-called "Man in the Middle" attacks.

    Exactly, I don't trust these kinds of emails anyway, so I don't even need any "baby sitting" tools that protect against Phishing and Pharming.
     
  13. lubieplacki

    lubieplacki Registered Member

    Joined:
    Mar 24, 2010
    Posts:
    151
    Location:
    Poland
    In my email I have got a lot of phishing mails from World of Warcraft account (I don't have something like that). Just don't read and delete it.
     