Phishers Get Phoney 236

Posted by Zonk
from the punlarious dept.
Nick Johnson writes to mention a new twist on phishing. From the article: "The spammed message warns of a problem with a bank account and instructs the recipient to dial a phone number to resolve it. The caller is connected to a voice response system that is made to sound exactly like the bank's own system. The phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN."

  • This... (Score:5, Insightful)

    by danimrich (584138) on Friday April 28, 2006 @10:58AM (#15220912) Homepage Journal
    Makes me think that it is still the safest option to have customers do all their banking right at a teller.
    • Re:This... (Score:5, Funny)

      by Whiney Mac Fanboy (963289) * <whineymacfanboy@gmail.com> on Friday April 28, 2006 @11:00AM (#15220932) Homepage Journal
      Makes me think that it is still the safest option to have stupid customers do all their banking right at a teller.
      • Re:This... (Score:4, Funny)

        by vertinox (846076) on Friday April 28, 2006 @11:28AM (#15221222)
        Makes me think that it is still the safest option to have stupid customers do all their banking right at a teller.

        What if the Phishers send email with instructions for stupid customers to go into fake banks and do business with fake tellers?
    • Re:This... (Score:5, Funny)

      by Solra Bizna (716281) on Friday April 28, 2006 @11:01AM (#15220956) Homepage Journal

      Until somebody makes a whole fake bank branch building.

      -:sigma.SB

    • From tellers to ATMS and then back to tellers? The business cycle would be complete! The irony would be delicious. Of course you'd just see lots of guys with foreign accents and phony mustaches going to banks to make "vithdravels".

      I wonder if the phishers grumble about getting flooded with phony Citibank emails from their competitors?
    • Re:This... (Score:5, Insightful)

      by buelba (701300) on Friday April 28, 2006 @11:59AM (#15221540)
      The real safe option is only to call the number printed on the back of your credit/debit card. What's amazing is how badly the banks are set up for this. The following happens to me at least twice a year:

      1. I travel for work, and use my credit card for all kinds of things I don't usually buy, like hotel rooms.

      2. My wife keeps using the same card for all the stuff we usually buy.

      3. The computer says: hey, someone maybe stole the card and is running up all those hotel charges!

      4. A human from the security department calls us to verify, gets voicemail, and leaves a callback number that is NOT the callback number on the card.

      5. I call back the number on the card. The human there says, "why don't you call the number they gave you?" I explain. They think about it and realize this makes sense. About 15 minutes later, I'm connected to the right people -- usually after going through a supervisor at the call center.

      The right way to do it, of course, is to have the human from the security department leave this message: To call us back, call the number on your card; then, immediately enter the following code to be directed to the right department. But they still haven't learned.

      I shudder to think what will happen when I'm eventually home when they call. I certainly won't do anything except hang up and call back the same number.
      • Re:This... (Score:4, Insightful)

        by Asphalt (529464) on Friday April 28, 2006 @12:29PM (#15221800)
        5. I call back the number on the card. The human there says, "why don't you call the number they gave you?" I explain. They think about it and realize this makes sense. About 15 minutes later, I'm connected to the right people -- usually after going through a supervisor at the call center.

        The right way to do it, of course, is to have the human from the security department leave this message: To call us back, call the number on your card; then, immediately enter the following code to be directed to the right department. But they still haven't learned.

        I shudder to think what will happen when I'm eventually home when they call. I certainly won't do anything except hang up and call back the same number.

        I believe you have sufficiently illustrated the problem.

        The banks do use the same methods as phishers, despite their claims to the contrary.

        I also get voicemails from the "bank" asking me to call back, and when I call back I have to "verify my identity" through at least a couple of personal questions and at least part of my social security number. I have no way of knowing whether I have indeed called the bank, or some guy at a payphone.

        It's not so much that the customers are stupid, it's that the banks have trained customers that they must respond to these types of inquiries, or they very well may have their checks/charges declined.

        The banks created the system which is being abused. And they have done little to change their practices.

        It's hard to determine who, exactly, are the stupid ones in this situation.

        • The reason is: Banks want to save money. Which bank likes to pay hundreds of operators to man the lines and ask you the right questions... In their zealousness to reduce staff so that the management could be paid $400 million a year, banks have bypassed customer needs and preferences PLUS security. It will not be a while before a Senator introduces a bill which outlaws manual operation of bank and makes automation complete. BTW if you happen to dial a phoney number and lose all your money: tough luck! Th
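The callback design buelba describes above (leave no number in the voicemail, tell the customer to dial the number already on the card, and use a case code purely to route the call) can be shown as a small simulation. This is an added example written for this page, not any bank's code; the number "on the card", the 48-hour lifetime and the `FraudDesk` class are assumptions made for the example.

```python
"""Out-of-band callback with a routing code (constructed example).

The fraud desk opens a case and gets a short code. The voicemail tells the
customer to dial the number printed on the card and enter that code. The code
is only a routing key: single-use, time-limited, and worth nothing to a
phisher because it unlocks no account data and authenticates nobody.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical number printed on the back of the card (assumption for this example).
NUMBER_ON_CARD = "1-800-555-0100"
CODE_TTL_SECONDS = 48 * 3600  # assumed lifetime of a routing code


@dataclass
class CaseCode:
    account_id: str
    department: str
    expires_at: float
    used: bool = False


class FraudDesk:
    """Bank side: opens cases, writes the voicemail text, routes callbacks."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._codes: Dict[str, CaseCode] = {}

    def open_case(self, account_id: str, department: str) -> str:
        # Six random digits are plenty: the code routes a call, it is not a credential.
        code = f"{secrets.randbelow(10**6):06d}"
        while code in self._codes:
            code = f"{secrets.randbelow(10**6):06d}"
        self._codes[code] = CaseCode(account_id, department,
                                     self._clock() + CODE_TTL_SECONDS)
        return code

    def voicemail(self, code: str) -> str:
        """The message the thread proposes: known number first, code second."""
        return ("Please call the number on the back of your card and enter "
                f"case code {code}. We will never ask you to call another number.")

    def route_callback(self, code: str) -> Optional[str]:
        """IVR lookup when someone dials the number on the card.

        Returns the department to route to, or None for a wrong, expired or
        already-used code (the caller then lands in the general queue).
        """
        case = self._codes.get(code)
        if case is None or case.used or self._clock() > case.expires_at:
            return None
        case.used = True
        return case.department


def safe_to_dial(number_in_message: str) -> bool:
    """Customer-side rule from the thread: only dial the number you already have."""
    digits = "".join(ch for ch in number_in_message if ch.isdigit())
    return digits == "".join(ch for ch in NUMBER_ON_CARD if ch.isdigit())


if __name__ == "__main__":
    desk = FraudDesk()
    code = desk.open_case("acct-42", "card-fraud")
    print(desk.voicemail(code))
    print("routed to:", desk.route_callback(code))
    print("second use:", desk.route_callback(code))
    print("dial 1-866-555-0199?", safe_to_dial("1-866-555-0199"))
```

The point of keeping the code non-secret is that nothing is lost if a phisher harvests it: the only thing the customer ever types into an unknown number is a routing token that already expired or was never valid there.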
  • by Squalid05 (850603) on Friday April 28, 2006 @11:00AM (#15220938) Homepage
    ..do they know what bank i use? I've had emails from banks all over the world regarding my "account". The only email i havent got yet is from the bank i actually use!
    • Re:Ah, but how.. (Score:4, Interesting)

      by GroinWeasel (970787) on Friday April 28, 2006 @11:05AM (#15221004)
      I've had phishing emails that were for the right bank: and even had the right address in it (except for the fact that I moved from the address 2 years ago...)

      Phishers are getting better, and I suspect they have friends within the banks.
      • Re:Ah, but how.. (Score:5, Insightful)

        by corbettw (214229) <`moc.oohay' `ta' `wttebroc'> on Friday April 28, 2006 @11:15AM (#15221104) Journal
        I've had phishing emails that were for the right bank: and even had the right address in it (except for the fact that I moved from the address 2 years ago...)

        Sounds like they ran a credit check on you. All that information is collected by credit reporting agencies (believe it or not, how long you've had an account with one bank, and the average deposits, goes into your credit score...at least, that's what my banker told me when I opened my account with her). And I know addresses are kept in credit checks, since the last time I checked mine (last summer) it had addresses going back to 1998. Handy, since around the same time I had to submit all those addresses for my background check when I got my Series 7 and 65.

        Long story short: don't ever give out your SSN to anyone unless you're getting money/credit from them. And minimize how many people you do business with in that regard.

        Wanna know the easiest way to get a list of current addresses and SSNs?* Send out a mailing to 100,000 people in a given city, offering a car loan or something (which of course you have no intention of actually giving them). Statistically, at least 1000 of them will send you their full name, address, SSN, bank account information, even mother's maiden name. And yes, people are that stupid.

        *I don't know if anyone's ever done this, and if it happens after this I specifically disclaim any responsibility for it.
        • Re:Ah, but how.. (Score:3, Interesting)

          by CastrTroy (595695)
          There was a scam run a little while back up in Canada where they put out a fake job posting. People were asked to send in SIN, and other private information, and many of them did. They used this info to get credit cards and such in the people's names. They got pretty far before they were caught.
        • If you do this, you'll get some federal attention. Fraud via the mails (not over the Internet) really perks up the attention of the FBI, etc. because it's an instrumentality of commerce that not only gets them jurisdiction, but really seems to challenge them: "Hey, I'm soliciting 100,000 people, and what are you going to do about it?"
      • But...if...they... have.... friends....in the bank.....with your information....

        Oh, nevermind.
      • Even stranger: Whenever I complete a transaction on my PayPal account, I can count on receiving at least one PayPal phishing spam within minutes of receiving a valid PayPal confirmation. I suspect some entity upstream is monitoring for valid PayPal e-mails and automatically generating phony notices.
    • That's crazy talk. Online banking isn't the way to go! The real money is in those desperate Nigerian money transfers. Hell, I've won the UK lottery at least 20 times. I should be the richest man in the world by now.

      Now if you'll excuse me, I'm gonna buy some cheap Viagra and refinance my home.
    • The key is to be a customer at a bank that doesn't give a shit about you. Then you always know all emails are phony.
    • You just reminded me about the favorite thing about trying to teach my parents about phishing. They get phishing attempts from banks that aren't theirs and delete them, but if they got a phishing attempt from someone impersonating their bank, or eBay, they'd click it an instant.

      They can only tell phishing attempts from not having an account.
    • Re:Ah, but how.. (Score:3, Insightful)

      by 955301 (209856)

      Here's one idea. Your actions.

      Start up a phishing cluster. Collect authentic notices from various banks (fidelity investement statement notice, etc). Fire copies of these notices to "customers" in an html email. Add a graphic touch to a node in your cluster with a uid traceable to that email address. This email should otherwise be harmless and point to the actual institution - this leaves you with great options on what to email - Retirement tutorials, account statement notices, privacy statements.

      If the cus
  • evolving (Score:4, Interesting)

    by brenddie (897982) on Friday April 28, 2006 @11:03AM (#15220971)
    It seems that phishing is evolving but they are getting forced to use more risky (for the phisher) methods. A phone number feels more physical than a web presence so it should be easier to track; besides, this has to be breaking some "don't screw around with the phone" federal law.
    • Online phishing is already a violation of those very same federal wire fraud laws. This doesn't seem to be slowing it down.
      • She's saying that it's probably easier to catch them because of the physical phone involved. She's also saying that there are probably additional laws, over and above the general fraud laws, being broken by using a phone to commission the crime. Phone laws are more mature than internet laws, so it's probably easier to prosecute someone using those laws.
    • Well, considering that the phishers have acquired some expertise in identity theft I'd suspect that the elevated risk involved is for the poor sucker in whose name they opened a phone line. Instead of opening the mail one day to find his credit card balance higher than it should be, he'll wake up to the sound of the FBI kicking in his door. BAM!

      Of course, they'll let him go as soon as they figure out he doesn't know anything about computers. But what if the bad guys happen at random chance to use *yo
      • Even better (worse):

        Suppose the bad guys Google the names on their list (or determine from information on the PC from which their bot got the initial identity data) to select people who are likely to have computer skills? They have plenty of names to pick from. Being somewhat selective about the names they use to open phone lines and bank accounts would be downright obfuscational. Heck, the Evil Doers(TM) could pick people with publicly expressed dissatisfaction with government activities like domesti
  • by kanweg (771128) on Friday April 28, 2006 @11:04AM (#15220988)
    So, what if you enter a random number with random PIN. They have to go thru the trouble to make the card, only to find out it doesn't work. And their face pop up at the video cameras of the ATMs all the time with failed withdrawals.

    Bert
    • If someone goes to this sort of trouble to get your details they won't be using them to get a few hundred here or there out of ATMs. No, you'll be buying Mr Nthungu Kwaweli of Lawless Province, Nigeria, his 4th AMG SL 600 and a side order of AK47s.
    • They have to go thru the trouble to make the card, only to find out it doesn't work. And their face pop up at the video cameras of the ATMs all the time with failed withdrawals.

      I doubt they are making cards and showing up at an ATM to use these numbers. They can buy merchandise over the internet, using each of their collected numbers until one works. Having a few bad numbers or accounts with little cash in them does not pose a significant problem to an operation like this.
    • > So, what if you enter a random number with random PIN.

      Actually there is a website out there that looked into one of these for Chase Bank in the past several weeks:

      http://www.thescambaiter.com/forum/showthread.php?t=6697 [thescambaiter.com]

      The number would only accept "valid format" numbers or the call would be ended. It also featured a horrendous computer-generated and obviously fake greeting.

      One guy on that site managed to build an automated randomized seeder once he figured out what a "valid format" card type was. Pret
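The "valid format" gate mentioned above is, for card numbers, the Luhn check digit: the IVR drops anything whose digits do not pass it, so a seeder has to produce numbers that do. The code below is an added example for this page, not the scambaiter's tool or anything from thescambaiter.com: it implements the Luhn check, derives the check digit, and generates random numbers that pass. The `"4"` prefix and 16-digit length are illustrative assumptions, not a real issuer's ranges, and the generated numbers are random junk, which is the point.

```python
"""Luhn ("valid format") check and a Luhn-valid seeder (constructed example).

Card-format phishing IVRs reject entries that fail the Luhn check. A seeder
that emits random Luhn-valid numbers therefore fills the phisher's harvest
with plausible-looking junk that costs them a failed purchase attempt each.
"""
import secrets


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10: from the right, double every second digit,
    subtract 9 from any doubled value above 9, add everything up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True if the number (spaces/dashes ignored) has a card-like length
    and a correct Luhn check digit. This is all a "valid format" gate knows."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        return False
    return luhn_checksum(digits) == 0


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit Luhn-valid."""
    return str((10 - luhn_checksum(payload + "0")) % 10)


def seed_numbers(prefix: str, length: int, count: int) -> list:
    """Random numbers with the given prefix and total length that pass Luhn.
    prefix/length are assumptions for the example, not real issuer ranges."""
    body_len = length - len(prefix) - 1
    if body_len < 0:
        raise ValueError("prefix longer than requested number")
    out = []
    for _ in range(count):
        payload = prefix + "".join(str(secrets.randbelow(10)) for _ in range(body_len))
        out.append(payload + luhn_check_digit(payload))
    return out


if __name__ == "__main__":
    for n in seed_numbers("4", 16, 5):
        print(n, luhn_valid(n))
```

Luhn is a transcription check, not a secret, which is why the phisher's gate can be satisfied by anyone who knows the algorithm, and why a passing number says nothing about whether an account exists.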
  • Mummy (Score:2, Interesting)

    by JamieKitson (757690)
    My mum was called by a recorded message from my bank, asking for my date of birth, she assumed it was a fake (hurrah!) and put in a wrong birth date. It turned out to be genuine, they were checking that my mistaken PIN attempts were me and not somebody else :)
  • by JoeyB (969202) on Friday April 28, 2006 @11:08AM (#15221043)
    No one will ever ask you for your account number or pin. This is not so much a new twist as good old basic social engineering. It stands to reason NEVER to trust any unsolicited form of communication unless you check it out and NOT by calling the number the phisher provides.
    • "No one will ever ask you for your account number or pin. This is not so much a new twist as good old basic social engineering."

      Many credit card companies usually ask for the account number. In fact, I had one company asking for SSN. Once I signed up for a silly credit card to get the "goodies", and they approved it. I didn't use it at all, and was hit with a yearly fee. Fine. I call the number that came in the email, and the first thing was "please enter your SSN number". It took me a while to figure ou

    • Hmmm. ALL of my credit card companies ask you to either key or speak your CC# when you call them.
      • Mine just asks for the last 4 numbers, and the numbers in my postal code to validate. I figure they are using caller ID to check my home phone number.

        Incidentally, I never do money related things from work, whether it's on the phone or on the computer. The computer is obviously a big black box (running XP no less), but I don't trust the phone system there either. My employer has the ability to record phone conversations, so you never know who's listening in.

        All my banking gets done from this desk, here

    • by mizhi (186984) on Friday April 28, 2006 @11:59AM (#15221541) Homepage
      Incorrect. All the companies I call ask for identifying numbers. Whether it be Phone#, last 4 SSN, CC, or Account#. Granted, when I call them, they usually ask for 2 or 3 pieces of information to match up; such as mailing address, birthday, etc.

      And just to cut the inevitable snarky comment off, yes they are the actual companies.

      You are correct though. If you get an unsolicited contact through email or on the phone, don't trust them. If they are really from your institution, tell them you'll call them back on a number you know to be legit. If there's really a problem with your accounts that you need to know about, whoever you get on the line will know what it is. If there isn't, well, good job, you're helping against phishers by notifying the institution that someone is targeting people in their name.
    • Recently, a caller left us a message about being behind on our house payment, and asked us to call a certain number. (We were slightly behind - we had been paying late because the bill was due earlier than all our other monthly bills, and we had forgotten that and paid it at the same time as the others.)

      So, after the usual questions (Is this, essentially, phishing using voice? Should I answer at all?), I decided to call them back and find out who these people were. (I should mention that the voice mess

    • EZPass will. You have to give them your account number and PIN (used for the website as well) when you call in, and have to give it to a human. That human then looks at their screen, where your account number and PIN are displayed in plain text. I'd feel less uncomfortable if they asked you for the PIN and then keyed it into a system to find out if it was right, but that's not the case (the CSR actually TOLD me that she was looking at the PIN on her screen).

      Either your PIN isn't being stored encrypted at
    • I'm pretty sure that if I call my *real* bank, and use the automated system to get my balance, I'm going to need to enter my account number and PIN.

      If the phishing scam were to say "To check your balance, call this number and enter your PIN".. I could easily see someone falling for that.

      What if the scam evolves to having a real human answer the phone, and the "employee" asks for their account number. Then says they need to verify the social, maiden name, etc. This is SOP for a real bank, and it sounds li
    • When I dial my bank they ask for my "access ID" and PIN. The access ID is just a number assigned to me, different from my account number. My PIN though is my ATM PIN.
  • Phishing scams are prevalent and continue to proliferate. In traditional scams, miscreants try to pilfer personal information by sending spam e-mail with links to a malicious Web site, crafted to look like a site belonging to a trusted service provider. The phone scams are a new twist, made possible by cheap Internet-based telephone services, Cloudmark said.

    Fresh phish with a side of Skype, anyone?

    Not to belabor the point that all the other posters have made so far -- it's just another example of human

  • by csoto (220540) on Friday April 28, 2006 @11:15AM (#15221105)
    one would think these guys would just seek gainful employment.
    • hmmm well they can spend a couple grand setting it up, spend some time on it to get it right, then wait for a few good hits to come in... jackpot, several grand per hit... 3-30 times their investment or more, much better return than investing or gainful employment, plus they're probably doing this on multiple platforms/scams so multiply the return and you've got some pretty nice salaries coming in, all tax-free. Add to this that they are most likely living somewhere where cost of living is relatively low wh
  • If you have family or friends who are less than computer savvy, take the time to explain the issues and concerns to them. I get questions all the time about whether this or that is a scam or not. Do I get annoyed by it? of course! But it's certainly a lot less painful than having to deal with the after effects of someone who got stung.
  • by VincenzoRomano (881055) on Friday April 28, 2006 @11:16AM (#15221108) Homepage Journal
    Why should an institution (not just banks) ask me for details they are supposed to already know?
    No security technology or technique is strong enough to defy stupidity!
    And phishing exploits stupidity!
  • 800 Number? (Score:2, Insightful)

    by Transplant (535283)
    I wonder if these guys were stupid enough to use a "1-8XX" number. Oh the fun that could be had making them pay...
  • Phishing has gone extreme and so have the tactics.

    The other day I walked up to what I thought was my bank and looked in only to find an empty lobby with a server and phone switching system behind the counter.
  • Sounds like the banks need to add a security filter to their automated phone systems similarly to what they've begun doing on their websites... like Bank of America for instance now has a picture display above the password input, a picture that you pick out from a selection of pictures, which is pulled from a database and has a unique id. If the pic shown on the password input page is not the one you've selected, then you know you're on a phishing site.

    For automated phone systems, there could be a word or p
    • Both of these ideas are handily defeated by man-in-the-middle attacks.

      You visit a website. It visits your banks website. You type in your account number. It types in your account number. Etc.

      Same for the phone. It could simply conference you to your bank and listen in to everything you do. You're dealing with your own bank, so you wouldn't suspect anything. They'd have all your info.

      • Except that, with BofA, if you haven't already visited their site from your computer (actually a combination of a cookie (that can be passed on, natch) and at least coming from a domain block that you previously came from (not perfect, but a reasonable compromise) then you get a completely different page that warns you that -- if you think you're coming from a location you've visited from before -- you may be experiencing an attack, and has you go through some more convoluted procedures to proceed, includin
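The relay attack described two comments up, and the device-binding counter from the reply, can be shown side by side in a small simulation. This is an added example for this page, not Bank of America's code or protocol; `SiteKeyBank`, `RelayPhisher`, the image names and the cookie scheme are assumptions made for the example. The bank's first step only needs a user ID, so a relay that forwards the ID gets the genuine image back and shows it to the victim. Binding the image to a device cookie makes the relay (which never holds the victim's cookie for the bank's domain) receive the fallback challenge instead, which is as far as that defence goes: a relay that also forwards the challenge questions is not modelled here and is not stopped by it.

```python
"""Shared-image login, a relay phisher, and device binding (constructed example).

Without device binding the relay is transparent: it forwards the user ID,
hands back the real image, and harvests the password. With device binding
the relay, lacking the cookie, is served the fallback challenge, so the
victim's "wrong image, stop" rule actually fires.
"""
import secrets


class SiteKeyBank:
    """Bank side. Assumed two-step login: (1) user ID -> image, (2) password."""

    def __init__(self, bind_to_device: bool):
        self.bind_to_device = bind_to_device
        self.users = {}     # user_id -> {"image": str, "password": str}
        self.devices = {}   # device cookie -> user_id

    def enrol(self, user_id: str, image: str, password: str) -> str:
        self.users[user_id] = {"image": image, "password": password}
        cookie = secrets.token_hex(8)   # assumed opaque device cookie
        self.devices[cookie] = user_id
        return cookie

    def step1(self, user_id: str, cookie=None) -> dict:
        """Return the chosen image, or a challenge if the device is unknown."""
        if user_id not in self.users:
            return {"challenge": "answer security questions"}
        if not self.bind_to_device or self.devices.get(cookie) == user_id:
            return {"image": self.users[user_id]["image"]}
        return {"challenge": "answer security questions"}

    def step2(self, user_id: str, password: str) -> bool:
        return self.users.get(user_id, {}).get("password") == password


class RelayPhisher:
    """Fake site that forwards every message to the real bank and records
    what the victim types. The victim's browser only sends the bank's cookie
    to the bank's own domain, so the relay has none to present."""

    def __init__(self, bank: SiteKeyBank):
        self.bank = bank
        self.harvested = []

    def step1(self, user_id: str, cookie=None) -> dict:
        return self.bank.step1(user_id, cookie=None)   # cookie never reaches the relay

    def step2(self, user_id: str, password: str) -> bool:
        self.harvested.append((user_id, password))
        return self.bank.step2(user_id, password)


def victim_login(site, user_id: str, password: str, cookie: str, expected_image: str) -> str:
    """Victim follows the advice: type the password only if the image matches."""
    reply = site.step1(user_id, cookie)
    if reply.get("image") != expected_image:
        return "refused"
    return "logged in" if site.step2(user_id, password) else "bad password"


if __name__ == "__main__":
    for binding in (False, True):
        bank = SiteKeyBank(bind_to_device=binding)
        cookie = bank.enrol("alice", "red-canoe.png", "hunter2")
        relay = RelayPhisher(bank)
        print(f"binding={binding}:",
              victim_login(relay, "alice", "hunter2", cookie, "red-canoe.png"),
              "harvested:", relay.harvested)
```

The simulation reflects the thread's conclusion: the image authenticates the bank's database to whoever asks, not the channel the victim is typing into, so only something the relay cannot forward (here, a cookie scoped to the bank's origin) changes the outcome.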
  • The banks really need to get together and figure out a secure, standardized, open protocol for sending authenticated emails. Otherwise, shenanigans like this just get more and more sophisticated until email becomes next to useless for business transactions (because you can't trust anything your email says, ever).

    As for how this could be implemented, I'm not sure, but it seems to me that banks (working together) have enough technical skill and influence over their customers (and by extension, over the soft

    • by VP (32928)
      Banks already do this - it is called secure messaging, and it is web based. You get an e-mail telling you that you have a message, the e-mail has no links or phone numbers (since you know your bank's web site), and you log into a secure web site to send and receive messages.
  • Just thinking that a likely situation is this...

    Use a previously scammed credit card to set up a free to call in phone system, which you can get through several service companies to create surveys, etc. this would clear you of any connection with the number itself and stop any backtracking investigation....

    Use a cash prepaid temporary cellphone to call in to retrieve said info, probably by having it email the data to an anonymous hotmail account or some such... use a zombie PC to download/access said accoun
  • by mabu (178417) on Friday April 28, 2006 @11:45AM (#15221389)
    This is all the result of spamming. At what point are the authorities going to take the spam problem seriously? This is what I want to know. The main way worms, counterfeit products, illegal drug sales, viruses, adware, trojans, backdoors, phishing, and other things propagate is via UCE. Every system spam passes through has records on where it is coming from and where it is going. Even with the jurisdictional issues, there should be more action and prosecution from various authorities of spammers. Why there isn't is mind boggling. If we can shut down some of these spam gangs, most of this activity will stop.

    The $64M question is why the Feds don't seem to be interested in stopping spammers? I refuse to believe they are that incompetent. Any decent network admin could track these spammers to a physical address within a few days.
    • I refuse to believe they are that incompetent.
      Then you've never worked for the government.
  • Ok... (Score:2, Funny)

    by mogwai7 (704419)
    So we have phoney phishing phreaks now?
  • by sdo1 (213835) on Friday April 28, 2006 @12:13PM (#15221668) Journal
    First off, the penalties for such intentional and deliberate fraud attempts should be very, very severe. This is an organized and well-planned attempt to commit fraud and it should be treated as such. I'm all for fairness in sentencing, but when someone goes through this much trouble to attempt to steal from others, they should be dealt with very harshly.

    Secondly, why does law enforcement have such a hard time stopping things like this? It would seem fairly trivial to me to follow the phone and money trail to whomever is committing these crimes. I understand that much of it may involve international crime, but come on.

    Is it that there just so much of it that they can't keep up? Or is it that they're so incompetent that, even given the tools they have at their disposal, they can't actually track down the criminals? Or is this just such a low priority crime that they're not paying attention to it? Or is it that they're so bogged down in the bureaucracy, especially if they have to use international resources, that they don't have time to react?

    No matter what, it's a sad state of affairs that such crimes are so common.

    -S
  • by AriaStar (964558) on Friday April 28, 2006 @01:20PM (#15222156) Journal
    It's a form of online fraud, and I specialize in its prevention. There are two simple things to do to prevent ID/personal info theft like this. Never click a link in an e-mail. I'd say you can hover over the link and you'll see it's masked, forwarded, just plain a different site, etc., but most of the population has no clue how to read those things anyway (though I'm sure most, if not all, of you here know how to). Go directly to the company's page if you have an account with them. If they need you to "verify" info or whatever, the legit site will tell you after you've signed in. Ignore it altogether if you don't have an account with the place supposedly sending it (right now it's very common to receive things from "Chase" asking to fill out a survey and get $20). The second is to call the regular customer service number you can get through 411. An agent via that number can connect you to whoever you need. If the e-mail says to call a certain number to get hold of a certain person, an agent can help you find that person, if he/she exists and is an employee of the company. No legit institution at which you have an account will address you as, "Dear customer," or some other impersonal greeting. Always by your name. It's at the point that I believe that, if someone has their ID stolen, they deserve it. We've all heard time and again not to click on links, and yet 3-7% of people still fall for these things. Yes, the number is that high. Scary, huh?
    • "...3-7% of people still fall for those things..."

      I've had conversations about security with acquaintances who think security measures can be defeated and are therefore useless. Here are some examples:

      SECURITY MEASURE -> OBJECTION
      Shred documents -> Couldn't someone just tape my document back together?
      Add security alarm -> Couldn't a quick thief enter, let the alarm go off, grab stuff and exit before the police show up?
      Check for security on important websites -> Couldn't someone run
