Skip to main content

How to Spot a Phishing Site

I just got an e-mail from Bank of America:

During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information. This might be due to either of the following reasons:

1. A recent change in your personal information (i.e.change of address).
2. Submiting invalid information during the initial sign up process.
3. The services look that was changed recently:

[Banking Log-In]

Security Advisory,
Bank Of America .

*Important*


failure to update your account at least 24hrs of notice might lead to account
being locked and access will be restricted.

I'll ignore the fact that I do not have a Bank of America account for the sake of this post, as that's just too easy.

So let's review the signs thus far:

Sign #1: "Either" of the following reasons, followed by three, not two, reasons.
Sign #2: Poor grammar: The services look that was changed recently
Sign #3: Poor punctuation: failure to update your account at least 24hrs of notice might lead to account being locked and access will be restricted.
Sign #4: The fact that the URL in the e-mail resolved to this site in Poland, which is hardly where I believe the Bank of America is located:
http://www.gis.gov.pl/mambots/content/acc/index.htm

So I clicked on it (having a Mac gives you little fear when it comes to checking out phishing sites) and got a relatively legit looking Bank of America login page. Not running in SSL.

Sign #5: No SSL for username & password.

I "signed on" with a bogus name and password, and lo and behind, it accepted it!

Sign #6: A completely made up username and password somehow work.

Now that I'm authenticated, the URL has changed to include both the username and password which I provided:

http://www.gis.gov.pl/mambots/content/acc/update.html?Access_ID=phisher&Current_Passcode=welcome

Sign #7: Your password shows up - in clear text - in the URL

Now I am presented with a form that is asking for all kinds of personal information - checking account number, SSN, online ID (which I just provided), ATM card number and PIN, and bank routing number.

Sign #8: Your bank asks YOU for its routing number.

At this point, if I just submit the page without providing any information, it goes on to the next step.

Sign #9: Not a lick of validation is included anywhere in the site.

Finally - the inspiration for this post - is one of the last pieces of information that the site asked me for:

Third from the bottom, I am asked to provide my Father's Maiden Name - a piece of information so secure, that not even he knows what it is!

Comments

Anonymous said…
Hey Scott
Great post! Its scary to think that folks still blindly fill out forms providing all sorts of great info. I was reading, an admittedly old article (Nov 2006) stating that 1 in 10 people get suckered in by these sites. Come on people get educated!
Scott said…
I agree that people need to be a bit more cautious, but I think that there's a generation/education gap at work here in the phishers' favor.

Every time I go back home, I spend at least 10 minutes deleting a wide array of .exe files from my dad's Mac Mini. Apparently, he clicks on any link that offers to remove spyware and viruses, even after my repeated warnings not to. At least MacOS harmlessly lines them up on the desktop.

- Scott -
Oyvind Isene said…
Cool. I figured I could contribute with some personal information of my own, but Firefox warns me of "Suspected web forgery" when I try to open the url. Maybe I will fool around later at home.
Unknown said…
"Father's Maiden Name" that is classic. But don't forget to fill out ALL of your mother's and father's "Middles" names !!

Popular posts from this blog

Custom Export to CSV

It's been a while since I've updated my blog. I've been quite busy lately, and just have not had the time that I used to. We're expecting our 1st child in just a few short weeks now, so most of my free time has been spent learning Lamaze breathing, making the weekly run to Babies R Us, and relocating my office from the larger room upstairs to the smaller one downstairs - which I do happen to like MUCH more than I had anticipated. I have everything I need within a short walk - a bathroom, beer fridge, and 52" HD TV. I only need to go upstairs to eat and sleep now, but alas, this will all change soon... Recently, I was asked if you could change the way Export to CSV in ApEx works. The short answer is, of course, no. But it's not too difficult to "roll your own" CSV export procedure. Why would you want to do this? Well, the customer's requirement was to manipulate some data when the Export link was clicked, and then export it to CSV in a forma...

Manipulating Images with the... Database?

A recent thread on the OTN HTML DB Forum asked about how to determine the width & height of an image stored as a BLOB in an Oracle table. I mentioned in that thread that I have some code to manipulate an image stored in a BLOB column. This is particularly useful if you’re going to let users upload images, and you want to re-size them to display as a thumbnail. Thanks to Oracle interMedia , it is trivial to manipulate the width, height, and other attributes of images stored in an Oracle table. I’ve created a sample application here which demonstrates Oracle interMedia and HTML DB in action. Feel free to have a look. You can download this application from HTML DB Studio as well. Basically, this application allows you to upload images and perform an operation on the image as it is inserted into the PHOTO_CATALOG table. There are two places where some PL/SQL code is required: an After Submit process on page 2, and a procedure to display the images. Here is the PL/SQL for the After...

Page 0 Branches

What? There's no way to put a Branch on Page 0 of an ApEx application! Or is there... Technically, no - page 0 does not support branches. But how many times do you wish it did? This scenario recently came up: I wanted to put a "Search" box on every page in my application, so no matter where a user is, they can search the site. Currently, it has 10 or so pages, but this will grow to closer to 50 by production. So, thought #1 was to put an text item on Page 0, call it search, and then ensure that each and every page had some sort of Branch to run the search. Not so fun, as this was a tedious task, even for just 10 pages. And each time a new page was added to the application - by myself or anyone else - the search branch would have to be added to the page. Clearly not a scalable solution. With a little bit of help from Raj from the ApEx team, I came up with this solution: Create Page 0, if you haven't already On page 0, create an item of type "Text Field (...