Phishing – Alive and kicking

Screenshot of ScotiaBank phish

The phishes I’ve received in the last few weeks seem to be diversifying. Historically, almost all of the ones I received on my Canadian accounts are what I would call generic. They target large American internet presences like PayPal, eBay, and Bank of America. Recently, phishes have widened their targeting to products like World of Warcraft, Amazon, and Royal Bank of Canada.

Screenshot of ScotiaBank phish

Today I received a cleverly disguised phish targeting Scotiabank, a large Canadian bank. As you can see, the email looks very professional and believable, if you forget that banks should not use email to alert you to changes in your accounts.

Dear Scotiabank customer,

As part of our ongoing commitment to keep your information safe and secure, Scotiabank is introducing ScotiaVerify.
An extra layer of security to protect your online banking service. It’s an easy process and will take only a few minutes to complete.

Click here and provide your contact information.

Thank you for your co-operation.

Scotia OnLine

As is typical with nearly all of the scams currently making the rounds, the email plays on your fears about online safety to encourage you to secure your account. Of course the link leads to a website that is a direct rip-off of the real Scotia login page.

ScotiaBank phishing page

Just to remind you that they want your credit card number to log in, the site supplies the prefix of all Scotiabank accounts, 453 (as does the real page). As I usually do with phishes, I entered some bogus information to see how it would react. Most report a login error (sending whatever you typed to their masters) and redirect you to the real site so you can try again successfully.

However, this one goes a step further and uses a technique I talk about a lot in my public presentations about how modern scams work on the internet. Its designer figures, “Hey, I got a live one.. They supplied their credentials – what else can I get from them?”

ScotiaBank phishing page

Clearly the scammers want as much of your identity as you are willing to provide. If you believe it is actually your bank you are more likely to supply this information. My favorite part is that it asks for my “Social Number (SSN).” If they bothered to Google, they would realize that Canada doesn’t use Social Security Numbers, but Social Insurance Numbers. Hopefully, people tricked into getting this far will recognize the discrepancy and stop immediately in their tracks.

The last piece of this puzzle that correlates to most of the new phishes I’ve been seeing is that they all lead to the same hosting provider and DNS name. The WHOIS information for the company hosting the actual phishing site resolves to:

% Information related to ‘ –’
inetnum: –
descr: CMO Internet Dienstleistungen GmbH
descr: Postfach 1335
descr: D-72577 Dettingen an der Erms
descr: Germany
country: DE
admin-c: TM771-RIPE
tech-c: MS2621-RIPE
mnt-by: CMO-MNT
source: RIPE # Filtered

CMO is a German hosting company. The DNS appears to be hosted by a hijacked DNS server for a French construction company. This may be related to other reports of sub-domains being used to mask scam sites off of otherwise reputable domain names. The last four phishes I investigated have all referenced this same domain name.

Worst of all, today I received a legitimate email from a bank that I have a credit card account with. A word for financial institutions: STOP sending emails to your customers. You are making things worse. If you train your customers to think that emails from you are sometimes legitimate and sometimes not, they will continue to succumb to the cleverest of these scams.