Voice phishing on a phishing alert
A year and a half ago, we warned of PayPal phishes that asked users to phone a number to verify their account. Nowadays, phishes also target many smaller financial institutions, and they are getting more sophisticated. Today we came across a phish that attempts to cash in on a phishing alert posted by a credit union.
Below is the phish email message:

Compare the phish email above with the phishing alert posted on the front page of the credit union's website:

As you can see, the majority of the phish email is a word-for-word copy of the phishing alert. Even the links in the phish email point to the credit union's legitimate online policy page and its proper abuse email addresses. What the phisher changed is the date and the text at the bottom, which solicits calls to the listed phone number.
Even a careful user might call the number after reading this email: there is no link to click, so most people would assume the number is safe to call. Closer examination of the credit union's toll-free number reveals the difference. 1-888-KEESLER decodes on a telephone keypad to 1-888-533-7537, yet the email asks the recipient to call 1-800-68X-XXXX.
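The comparison above, decoding a vanity number and checking it against the institution's real number, is easy to automate for mail filtering. The following is an added example (not code from the original post or from SophosLabs): it maps keypad letters to digits, pulls North American phone numbers out of an email body, and flags any that do not normalize to a trusted number. The sample email is constructed for the example, and the fictitious 555 number stands in for the phisher's number, which the post does not give in full; the trusted set and all function names are assumptions of this example.

```python
from __future__ import annotations
import re

# Letters-to-digits mapping of a standard North American telephone keypad,
# so vanity numbers such as 1-888-KEESLER can be normalized to digits.
KEYPAD = {
    "ABC": "2", "DEF": "3", "GHI": "4", "JKL": "5",
    "MNO": "6", "PQRS": "7", "TUV": "8", "WXYZ": "9",
}
LETTER_TO_DIGIT = {ch: d for letters, d in KEYPAD.items() for ch in letters}

# Loose pattern for a North American number: optional leading 1, a three-digit
# area code, then 3 + 4 digits or letters in any mix, with common separators.
PHONE_RE = re.compile(
    r"(?<![\w])(?:1[-.\s]?)?\(?(\d{3})\)?[-.\s]?([A-Za-z0-9]{3})[-.\s]?([A-Za-z0-9]{4})(?![\w])"
)


def normalize(number: str) -> str:
    """Return the 10-digit form of a number, with vanity letters mapped to
    keypad digits, separators dropped and a leading country code '1' removed."""
    digits = "".join(LETTER_TO_DIGIT.get(c.upper(), c) for c in number if c.isalnum())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def find_numbers(text: str) -> list[tuple[str, str]]:
    """Return (as_written, normalized) for every phone number found in text."""
    return [(m.group(0), normalize(m.group(0))) for m in PHONE_RE.finditer(text)]


def flag_untrusted(text: str, trusted: set[str]) -> list[str]:
    """Return the numbers in text, as written, that do not normalize to any
    number in the trusted set (the institution's published phone numbers)."""
    trusted_norm = {normalize(t) for t in trusted}
    return [raw for raw, norm in find_numbers(text) if norm not in trusted_norm]


# Constructed sample, not the actual phish. The trusted number is the one the
# post decodes; 1-800-555-0199 is a fictitious placeholder for the attacker's.
TRUSTED = {"1-888-KEESLER"}
SAMPLE_EMAIL = """\
Phishing Alert: the credit union will never ask for your PIN by email.
If you believe your account has been compromised, call our activation center
immediately at 1-800-555-0199 to verify your account.
"""

if __name__ == "__main__":
    print(normalize("1-888-KEESLER"))  # 8885337537
    for raw, norm in find_numbers(SAMPLE_EMAIL):
        print(raw, "->", norm)
    print("untrusted:", flag_untrusted(SAMPLE_EMAIL, TRUSTED))  # ['1-800-555-0199']
```

Normalizing both sides before comparing is the point: a filter that only string-matches "1-888-533-7537" would miss a phish quoting 1-888-KEESLER, and one that only looks for the vanity form would miss the digits.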
To chase down additional details, we called the 1-800 number. At the other end of the line is an automated system with a flat, monotone voice.
(A recording of the call accompanied the original post, as a streamed audio clip and as an MP3 download.)
The system greets callers with “Welcome to the activation center” and assures them that it will not ask for any personal information such as a Social Security number. It then asks for the caller's bank card number, followed by the PIN. The phisher does not need the Social Security number for the attack to succeed: chances are that within a few short hours of handing over the card number and PIN, the victim's account will be drained through ATM withdrawals or transfers to an offshore account.
Phishing attempts will always evolve, but best practices usually save the day. Call the phone number printed on the back of your bank card, visit a branch in person when there are doubts or account issues, and never give your PIN to anyone. These methods are always safer than calling a phone number placed in an email and punching in your PIN.
Posted on February 20th, 2008 by SavioL, SophosLabs, Canada. Filed under: General, Spam