
How to Spot a Phishing Site

I just got an e-mail from Bank of America:

During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information. This might be due to either of the following reasons:

1. A recent change in your personal information (i.e.change of address).
2. Submiting invalid information during the initial sign up process.
3. The services look that was changed recently:

[Banking Log-In]

Security Advisory,
Bank Of America .

*Important*


failure to update your account at least 24hrs of notice might lead to account
being locked and access will be restricted.

I'll ignore the fact that I do not have a Bank of America account for the sake of this post, as that's just too easy.

So let's review the signs thus far:

Sign #1: "Either" of the following reasons, followed by three reasons, not two.
Sign #2: Poor grammar: "The services look that was changed recently".
Sign #3: Poor grammar and punctuation: "failure to update your account at least 24hrs of notice might lead to account being locked and access will be restricted."
Sign #4: The link in the e-mail points to a host under gis.gov.pl, a Polish government domain, which is hardly where Bank of America is located (the /mambots/ directory in the path is a Mambo/Joomla install, so this is most likely a compromised site rather than one the phisher registered):
http://www.gis.gov.pl/mambots/content/acc/index.htm

So I clicked on it (having a Mac gives you little fear when it comes to checking out phishing sites) and got a relatively legit-looking Bank of America login page. Not served over SSL.

Sign #5: No SSL on the page that collects the username and password.

I "signed on" with a bogus name and password, and lo and behold, it accepted them!

Sign #6: A completely made up username and password somehow work.

Now that I'm "authenticated", the URL has changed to include both the username and the password I provided:

http://www.gis.gov.pl/mambots/content/acc/update.html?Access_ID=phisher&Current_Passcode=welcome

Sign #7: Your password shows up, in clear text, in the URL. The login form submits with GET, so the password also lands in the browser history and in the web server's access logs, not just on the wire.
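The three technical tells so far (a link whose host does not belong to the brand, a login page without TLS, and a form that submits the password with GET so it ends up in the URL) are easy to check mechanically. The script below is an added example, not code from the post; it uses only the Python standard library. The sample login form is constructed to mimic the one described above, the brand domain list is an assumption, and the credential-parameter heuristic is deliberately coarse.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumption: the domains the brand legitimately uses. Anything else is "foreign".
BRAND_DOMAINS = ("bankofamerica.com",)

# Query-parameter name tokens that usually carry a secret (coarse heuristic).
SECRET_WORDS = {"pass", "passcode", "password", "passwd", "pwd", "pin"}

# The URL from the e-mail in the post.
PHISH_URL = "http://www.gis.gov.pl/mambots/content/acc/index.htm"

# Constructed sample, modelled on the form the post describes: Access_ID and
# Current_Passcode submitted with GET. Not the real phishing page.
SAMPLE_LOGIN_PAGE = """<html><body>
<form action="update.html" method="get">
  Online ID: <input name="Access_ID">
  Passcode:  <input type="password" name="Current_Passcode">
  <input type="submit" value="Sign In">
</form>
</body></html>"""


def host_belongs_to(host, domains=BRAND_DOMAINS):
    """True if host is one of the brand's domains or a subdomain of one.
    'bankofamerica.com.example.net' does NOT pass: the suffix must match."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_link(url, domains=BRAND_DOMAINS):
    """Signs #4 and #5: finding codes for a single URL."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("no-tls")
    if not host_belongs_to(parts.hostname, domains):
        findings.append("foreign-host")
    return findings


class LoginFormParser(HTMLParser):
    """Collects every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(),
                          "has_password": False}
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["has_password"]:
                self.forms.append(self._form)
            self._form = None


def check_login_page(html, page_url, domains=BRAND_DOMAINS):
    """Signs #4, #5 and #7 applied to every password form on a page."""
    parser = LoginFormParser()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # A GET form puts the password in the query string, where browser
        # history, proxies and the web server's access log all keep it.
        if form["method"] == "get":
            findings.append("get-form")
        # The form may post somewhere other than the page it is on.
        findings.extend(check_link(urljoin(page_url, form["action"]), domains))
    return findings


def credentials_in_url(url):
    """Sign #7 after the fact: query parameters whose names look like secrets."""
    query = parse_qs(urlsplit(url).query)
    return {k: v for k, v in query.items()
            if SECRET_WORDS & set(re.split(r"[_\-]", k.lower()))}


if __name__ == "__main__":
    print(check_link(PHISH_URL))                              # ['no-tls', 'foreign-host']
    print(check_login_page(SAMPLE_LOGIN_PAGE, PHISH_URL))     # ['get-form', 'no-tls', 'foreign-host']
    print(credentials_in_url(PHISH_URL.replace(
        "index.htm", "update.html?Access_ID=phisher&Current_Passcode=welcome")))
```

The domain check matches on the registrable suffix rather than on a substring, because "bankofamerica.com.example.net" and "bankofamerica.com-login.example.net" are exactly the lookalikes a phisher registers. Run the same checks against a legitimate login page (HTTPS, a form that posts to the brand's own domain) and the finding list should be empty.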

Now I am presented with a form that is asking for all kinds of personal information - checking account number, SSN, online ID (which I just provided), ATM card number and PIN, and bank routing number.

Sign #8: Your bank asks YOU for its routing number.

At this point, if I just submit the page without providing any information, it goes on to the next step.

Sign #9: Not a lick of validation is included anywhere in the site.

Finally, the inspiration for this post is one of the last pieces of information that the site asked me for:

Third from the bottom, I am asked to provide my Father's Maiden Name - a piece of information so secure, that not even he knows what it is!

Comments

Tim said…
Hey Scott
Great post! It's scary to think that folks still blindly fill out forms providing all sorts of great info. I was reading an admittedly old article (Nov 2006) stating that 1 in 10 people get suckered in by these sites. Come on people, get educated!
Scott said…
I agree that people need to be a bit more cautious, but I think that there's a generation/education gap at work here in the phishers' favor.

Every time I go back home, I spend at least 10 minutes deleting a wide array of .exe files from my dad's Mac Mini. Apparently, he clicks on any link that offers to remove spyware and viruses, even after my repeated warnings not to. At least MacOS harmlessly lines them up on the desktop.

- Scott -
Oyvind Isene said…
Cool. I figured I could contribute with some personal information of my own, but Firefox warns me of "Suspected web forgery" when I try to open the URL. Maybe I will fool around later at home.
ebrian said…
"Father's Maiden Name" that is classic. But don't forget to fill out ALL of your mother's and father's "Middles" names !!
