
Phishers Get Phoney 236

Nick Johnson writes to mention a new twist on phishing. From the article: "The spammed message warns of a problem with a bank account and instructs the recipient to dial a phone number to resolve it. The caller is connected to a voice response system that is made to sound exactly like the bank's own system. The phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN."
This discussion has been archived. No new comments can be posted.

  • evolving (Score:4, Interesting)

    by brenddie ( 897982 ) on Friday April 28, 2006 @11:03AM (#15220971)
    It seems that phishing is evolving but they are getting forced to use more risky (for the phisher) methods. A phone number feels more physical than a web presence so it should be easier to track; besides, this has to be breaking some "don't screw around with the phone" federal law.
  • Mummy (Score:2, Interesting)

    by JamieKitson ( 757690 ) on Friday April 28, 2006 @11:05AM (#15220996) Homepage Journal
    My mum was called by a recorded message from my bank, asking for my date of birth. She assumed it was a fake (hurrah!) and put in a wrong birth date. It turned out to be genuine; they were checking that my mistaken PIN attempts were me and not somebody else :)
  • Re:Ah, but how.. (Score:4, Interesting)

    by GroinWeasel ( 970787 ) on Friday April 28, 2006 @11:05AM (#15221004)
    I've had phishing emails that were for the right bank, and even had the right address in them (except for the fact that I moved from the address 2 years ago...)

    Phishers are getting better, and I suspect they have friends within the banks.
  • Re:Wow (Score:5, Interesting)

    by aussersterne ( 212916 ) on Friday April 28, 2006 @11:20AM (#15221147) Homepage
    In the area where I live there has been a more serious "phone phish" going on. You receive a call from someone claiming to be a police officer. They say that they're very sorry to have to inform you that your mother/father/son/daughter/sister/brother has been involved in a serious crash and is being flown by emergency helicopter to regional hospital X. So that the hospital is able to treat them the moment it touches down, the officer is trying to complete necessary admittance and insurance paperwork in advance, and what they need from you is your insurance policy number *and* the full name, address, phone, credit card number, and social security number of someone who can be billed in the event that the insurance policy is unwilling to cover the necessary treatment.

    From what I understand, these scammers have been doing pretty well, unfortunately, and as far as I know there are few leads. The public hasn't been told why... maybe they're using convenience store phones and/or pay phones.
  • by foniksonik ( 573572 ) on Friday April 28, 2006 @11:30AM (#15221246) Homepage Journal
    hmmm well they can spend a couple grand setting it up, spend some time on it to get it right, then wait for a few good hits to come in... jackpot, several grand per hit... 3-30 times their investment or more, much better return than investing or gainful employment, plus they're probably doing this on multiple platforms/scams so multiply the return and you've got some pretty nice salaries coming in, all tax-free. Add to this that they are most likely living somewhere where cost of living is relatively low while quality of life is high... Caymans, Virgin Islands, or the like, hell could be living in Senegal or some other nice to wealthy people African nation, where you can live a high life for a few grand a month (which is like spending 10 or 12 grand a month in the US easily)...

  • by mabu ( 178417 ) on Friday April 28, 2006 @11:45AM (#15221389)
    This is all the result of spamming. At what point are the authorities going to take the spam problem seriously? This is what I want to know. The main way worms, counterfeit products, illegal drug sales, viruses, adware, trojans, backdoors, phishing, and other things propagate is via UCE. Every system spam passes through has records on where it is coming from and where it is going. Even with the jurisdictional issues, there should be more action and prosecution from various authorities of spammers. Why there isn't is mind boggling. If we can shut down some of these spam gangs, most of this activity will stop.

    The $64M question is why the Feds don't seem to be interested in stopping spammers? I refuse to believe they are that incompetent. Any decent network admin could track these spammers to a physical address within a few days.
  • by tlhIngan ( 30335 ) <[ten.frow] [ta] [todhsals]> on Friday April 28, 2006 @11:48AM (#15221427)
    I mean, aren't they fooling enough people in the status quo? Now, they have to pay people to act like they work for a bank, and have them on call 24/7.
    The same stupid people are going to believe this (why would your bank email you asking you to call them?), so now the phishers will be losing money by paying actors, and not really getting enough extra to cover the cost.


    I think the "Tragedy of the Commons" has struck the spam and phishing world. First, a few spams and you had a high return rate. Now that everyone's inbox is flooded, no one reads them anymore. So people turned to phishing, which made a lot of money. However, people realized that you know, the bank isn't going to send them alerts to *every* email account they have anymore (I get the same phish email in my home account (several copies), and my Gmail account), or as I mentioned in my anecdote, *several* copies. For the past week, Chase Online had a problem *EVERY SINGLE DAY*. The first time, maybe. The Nth time, well, it's obviously a scam.

    Either that, or if one were to answer every phish, there would've been nothing left in the account beyond the first couple of phishers.

    So now that everyone's into the phishing racket, all the low-hanging fruit is gone, since people get suspicious when the bank sends multiple emails on the same problem, or over the course of a week, or different problems with the same bank. It worked wonders when phishes were rare. Now that they happen daily, well.

    Interesting how the Tragedy of the Commons can affect scams as well (which probably included a number of ways spam has evolved over the years).

    But hey, calling a 1-800 number can be quite fun, since they're paying for the call. May be fun to do an automated calling thing that calls, presses random numbers, speaks sloooooooowwwwwwlllllly...
  • Re:Ah, but how.. (Score:3, Interesting)

    by CastrTroy ( 595695 ) on Friday April 28, 2006 @12:00PM (#15221547)
    There was a scam run a little while back up in Canada where they put out a fake job posting. People were asked to send in SIN, and other private information, and many of them did. They used this info to get credit cards and such in the people's names. They got pretty far before they were caught.
  • by sdo1 ( 213835 ) on Friday April 28, 2006 @12:13PM (#15221668) Journal
    First off, the penalties for such intentional and deliberate fraud attempts should be very, very severe. This is an organized and well-planned attempt to commit fraud and it should be treated as such. I'm all for fairness in sentencing, but when someone goes through this much trouble to attempt to steal from others, they should be dealt with very harshly.

    Secondly, why does law enforcement have such a hard time stopping things like this? It would seem fairly trivial to me to follow the phone and money trail to whomever is committing these crimes. I understand that much of it may involve international crime, but come on.

    Is it that there's just so much of it that they can't keep up? Or is it that they're so incompetent that, even given the tools they have at their disposal, they can't actually track down the criminals? Or is this just such a low priority crime that they're not paying attention to it? Or is it that they're so bogged down in the bureaucracy, especially if they have to use international resources, that they don't have time to react?

    No matter what, it's a sad state of affairs that such crimes are so common.

    -S
  • by DavidD_CA ( 750156 ) on Friday April 28, 2006 @12:13PM (#15221674) Homepage
    I'm pretty sure that if I call my *real* bank, and use the automated system to get my balance, I'm going to need to enter my account number and PIN.

    If the phishing scam were to say "To check your balance, call this number and enter your PIN".. I could easily see someone falling for that.

    What if the scam evolves to having a real human answer the phone, and the "employee" asks for their account number? Then says they need to verify the social, maiden name, etc. This is SOP for a real bank, and it sounds like the scammers are getting gutsier with their practices. I don't see this being that far off.
  • by Barrow-Wight ( 924670 ) on Friday April 28, 2006 @03:51PM (#15223245) Homepage
    "...3-7% of people still fall for those things..."

    I've had conversations about security with acquaintances who think security measures can be defeated and are therefore useless. Here are some examples:

    SECURITY MEASURE -> OBJECTION
    Shred documents -> Couldn't someone just tape my document back together?
    Add security alarm -> Couldn't a quick thief enter, let the alarm go off, grab stuff and exit before the police show up?
    Check for security on important websites -> Couldn't someone run cracking software to decrypt my account login?

    The answer to each of these questions is probably Yes, someone could do those things if they really wanted to.

    But the reality is, why would they bother when it is so easy to find someone else that doesn't take your precautions?

    For example, pretend you're a phisher. Which of the following two choices would you find more appealing:
    (1) Intercept data from a user's login session, then run a decryption program on your PC for several weeks (or more) until it finally reveals the user's login info.
    (2) Send spam to 10,000 accounts and get 300 to 700 sets of ID within a day or two.

    I don't think I need to tell you the answer.

    In the end, security is often about using better measures than the other guy. Of course, for that to work, there needs to be that other guy.

    So, the 3-7% who fail to take proper security measures are actually performing a public service...They're the dupes that get exploited instead of the rest of us! :-)
