Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Best looking phish I've seen in a long time


A month ago one of our spam analysts came across a Bank of America phishing spam.  The thing about this one is that it is one of the best I've seen in a long time:

[image: the Bank of America phishing message]

This is very legitimate-looking.  The logo is legitimate, it has correct grammar and the USA Olympic sponsor is a nice touch at the bottom.  The notification is plausible (irregular credit card activity), the name of the person is in the To: (as well as the email, i.e., john.smith@example.com) and the account ends in a four-digit number (which I changed).

Even the disclaimers look legitimate; they ask the recipient not to respond to the email and they challenge the user to log in to their site and verify their Alerts history.  This is clearly a bet that most people won't do that.

The hook here is the telephone number.  The 800-number is a bit unusual for a spammer because it means they have to go to lengths that most other spammers wouldn't: they need to set up a telephone answering service (a human would be best) instead of doing everything electronically and anonymously.  It's more trouble and more traceable than a typical phish.

Of course, this message is a scam.  An internet search yields this result, which explains what is going on.  I think this scam demonstrates the lengths some phishers will go to; making things look real greatly increases the odds of turning a profit.
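As an added, defender-side example (not code from the original post), the Python check below flags the two things the post and its commenters end up debating: whether a link's visible text matches where it really goes, and whether a phone number in the message is one the bank actually publishes. The brand domain list, the "known good" number and the sample message are constructed placeholders, not real Bank of America values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Numbers the brand actually publishes; constructed placeholder, not a real bank number.
KNOWN_GOOD_PHONES = {"8005550100"}
PHONE_RE = re.compile(r"(?:1[-.\s]?)?\(?(\d{3})\)?[-.\s]?(\d{3})[-.\s]?(\d{4})")
DOMAIN_IN_TEXT_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")
class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs so target and label can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Last two labels only: fine for .com brands, not a public-suffix-list lookup.
    return ".".join(host.lower().split(".")[-2:])

def phish_indicators(html, brand_domains, known_phones=KNOWN_GOOD_PHONES):
    """Return human-readable findings; an empty list means nothing was flagged."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) not in brand_domains:
            findings.append(f"link target {host!r} is outside the brand's domains")
        shown = DOMAIN_IN_TEXT_RE.search(text.lower())
        if shown and registered_domain(shown.group(0)) != registered_domain(host):
            findings.append(f"anchor text {text!r} does not match target {host!r}")
    # Compare numbers with the published list, as a recipient should compare the
    # number in the message with the one printed on the back of the card.
    for m in PHONE_RE.finditer(re.sub(r"<[^>]+>", " ", html)):
        digits = "".join(m.groups())
        if digits not in known_phones:
            findings.append(f"phone number {digits} is not a published contact number")
    return findings

# Constructed sample modelled on the message in the post; domain and number are fictitious.
SAMPLE = ('<p>Dear John Smith, we detected irregular activity on the card ending in 1234.</p>'
          '<p>Call 1-800-555-0199 or verify at '
          '<a href="http://bankofamerica.example-alerts.test/verify">www.bankofamerica.com</a>.</p>')
```

Running `phish_indicators(SAMPLE, {"bankofamerica.com"})` on the constructed sample returns three findings: an off-brand link target, a mismatched anchor label, and an unpublished phone number.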


  • Terry,

    You point out all of the indicators that make it look legit, but none of the ones that make you think that it was a phishing scam. From what you've posted, it looks legit. Bank of America really does own myfraudprotection.com and that number belongs to FIA Card Services, the provider of services for many credit card issuing banks.

    Now if the actual links went to some other site when clicked on, then I'd say it's a phishing scam. :)

  • My husband called the number on a very similar notice (by mail) from myfraudprotection.com with a Bank of America logo and was hung up on when he started questioning the person who answered the phone.  He was asked many personal questions for "security purposes" but as soon as he asked for an explanation, the person hung up on him.  We assumed this was not a legitimate operation because of this.

  • This is not a phish.  There were some aspects of the process that did make me wary.  However, to address my concerns, instead of clicking on the links provided by the email, I used the link that I had bookmarked to take me to my account online.

    The online account has a couple of security features that I verified were what I specified when I created the account.  I even made sure to enter an incorrect password to be denied as well since a fake site would not be able to know if the pw provided was correct.  It correctly denied me.

    Secondly, once I was logged in, I was given the same information as the email and was also referred to myfraudprotection.com.  Now, when myfraudprotection.com started asking me for more identifying information, I started to wonder again.  So I backtracked and confirmed the validity of the certificates being used to secure the HTTPS connection, both to the Bank of America website and myfraudprotection.com.  Verisign did confirm that they were made by Bank of America.  So, reassured again, I entered the identifying information.

    It showed me the suspect transactions and I did confirm that one of the transactions was illegitimate while the rest were valid.  This also reassured me as a fake site would not have valid transactions listed with invalid ones.  So I went through the process of canceling my card.

    I followed up by calling the 800 number and, after going through the necessary ID rigmarole, they confirmed the account status and answered some additional questions, some of which they could not have answered if they did not have access to the account already.

    If it's a phishing scam, it's really sophisticated and, boy am I screwed.  (However, that would also mean that Verisign's or BOA's security reputation is on the line, because, if it is a phish, then either Verisign issued certs to an illegitimate user or BOA's certs have been compromised.)  But I am confident that the confirmation approach that I took, while not perfect, did confirm the legitimacy of the notice and of the credit card cancellation.

    One of the more effective things that you can do to confirm the legitimacy of the site is to enter what you know is incorrect information (e.g., enter the CC Security code incorrectly, or the expiration month or year, or your password).  A legitimate website should give you an error and give you the chance to correct it.  If it lets you in with what you know to be incorrect information, then that would be a red flag.

    Well, I should see within 10 days, either I will have new cards or will be starting ID recovery tasks.

  • I received several automated phone calls at an old phone number about possible fraudulent activity before then receiving a letter which had the BOA logo at the top and listed my credit card number.  The letter didn't look legit to me because it was all black and white--even the BOA logo.  I logged into my online banking and chatted with a rep who advised me to call their 1-800 number.  I found out that the letter was legit (and the phone calls had been also), and that someone had attempted to charge $270 to my credit card, which interestingly enough I had never activated.  BOA denied the charge.  I have now canceled that card and made sure BOA has my current phone number on record.

  • T Ferrer's comments have loopholes:

    1. Entering an incorrect password and seeing it denied is NOT an indication of safety -- the phishers could be doing a "man in the middle", connecting in real time to the real site and testing the password there.

    2. Even if the website in the email is legit, the phone number in the email might not be.

    My take after half an hour of reviewing all the online evidence: most likely, this is a scam, and B of A is not very helpful about warning about it on their main site, since they ought to specifically list both the good and bad phone numbers. Or, unlikely but possible, it's legit, and B of A is really stupid about not making that obvious (by listing the phone number on their own site). But if it's legit, who is motivated to post all the comments saying it's not? So all in all, there is a good chance it's really a scam.

  • When I called the number on the back of my BofA card, they told me to go to myfraudprotection.com.  So either they're redirecting my phone calls or it's legit.  And I don't think they're redirecting my phone calls.

  • The website is legit.  Of course someone phishing could also send you a phish email that looked just like this one.

    If you have any concerns about the site you can also access it through myfraudprotection.bankofamerica.com

  • This post really needs to be deleted. I just wasted 15 minutes on the phone with BofA trying to verify the site's legitimacy because this post cast further doubt on the site which I already thought looked phishy. MyFraudProtection.com *IS* a legitimate site, owned by Bank of America. Look it up on GoDaddy.com if you doubt this. Plus, I just had it verbally verified to me by a BofA customer service rep that I reached by calling the number on the back of my card.

  • The site is real. I was also very wary when I received an e-mail and visited the website. I went so far as to hover over the submit button but then played it safe and logged into the regular bank site and, sure enough, my account had a hold on it. I then called the number on the back of my credit card and was told the same information (that there had been irregular charges on my card) -- after verifying the unauthorized charges (some bogus online dating junk) I got through to customer service and we are working it out.

    Cheers,

    Toby

  • I just received two letters from Bank of America from the Fraud Detection Department.

    The first letter was asking me to call 1-800-635-0581 and the second letter was asking me to call 1-800-427-2449 or visit www.myfraudprotection.com.  When I called the number, I noticed something strange: they asked for the full account number and the social security number.  Instead, I called the number on the back of my Visa card and Bank of America told me this letter was not from them.  I am investigating a bit about what is going on; however, I would recommend being careful with this letter.

  • This site is legit.  I agree it may look like a scam, but it really is B of A.
