
Terry Zink's Anti-malware Blog

Protecting your mail from the scum of the internet
Best looking phish I've seen in a long time

A month ago one of our spam analysts came across a Bank of America phishing spam.  The thing about this one is that it is one of the best I've seen in a long time:

[Image: screenshot of the Bank of America phishing email]

This is very legitimate-looking. The logo is legitimate, it has correct grammar, and the USA Olympic sponsor is a nice touch at the bottom. The notification is plausible (irregular credit card activity), the recipient's name is in the To: header (as well as the email address, i.e., john.smith@example.com), and the account ends in a four-digit number (which I changed).

Even the disclaimers look legitimate; they ask the recipient not to respond to the email and they challenge the user to log in to the bank's site and verify their Alerts history. This is clearly a bet that most people won't do this.

The hook here is the telephone number. The 800-number is a bit unusual for a spammer because it means they have to go to lengths that most other spammers wouldn't: they need to set up a telephone answering service (a human would be best) instead of doing everything electronically and anonymously. It's more trouble and more traceable than a typical phish.

Of course, this message is a scam. An internet search yields this result, which explains what is going on. I think this scam demonstrates the lengths some phishers will go to: making things look real greatly increases the odds of turning a profit.

Posted: Sunday, June 22, 2008 10:35 PM by tzink

Comments

Mark Adams said:

Terry,

You point out all of the indicators that make it look legit, but none of the ones that make you think that it was a phishing scam. From what you've posted, it looks legit. Bank of America really does own myfraudprotection.com and that number belongs to FIA Card Services, the provider of services for many credit card issuing banks.

Now if the actual links went to some other site when clicked on, then I'd say it's a phishing scam. :)

# June 27, 2008 12:59 PM

Barbara Maxwell said:

My husband called the number on a very similar notice (by mail) from myfraudprotection.com with a bank of america logo and was hung up on when he started questioning the person who answered the phone.  He was asked many personal questions for "security purposes" but as soon as he asked for an explanation, the person hung up on him.  We assumed this was not a legitimate operation because of this.

# July 8, 2008 2:29 PM

T Ferrer said:

This is not a phish.  There were some aspects of the process that did make me wary.  However, to address my concerns, instead of clicking on the links provided by the email, I used the link that I had bookmarked to take me to my account online.

The online account has a couple of security features that I verified were what I specified when I created the account.  I even made sure to enter an incorrect password to be denied as well since a fake site would not be able to know if the pw provided was correct.  It correctly denied me.

Secondly, once I was logged in, I was given the same information as the email and it also referred me to myfraudprotection.com.  Now, when myfraudprotection.com started asking me for more identifying information, I started to wonder again.  So I backtracked and confirmed the validity of the certificates being used to secure the HTTPS connection, both to the Bank of America website and myfraudprotection.com.  Verisign did confirm that they were made by Bank of America.  So, reassured again, I entered the identifying information.

It showed me the suspect transactions and I did confirm that one of the transactions was illegitimate while the rest were valid.  This also reassured me as a fake site would not have valid transactions listed with invalid ones.  So I went through the process of canceling my card.

I followed up by calling the 800 number and, after going through the necessary ID rigmarole, they confirmed the account status and answered some additional questions, some of which they could not have answered if they did not have access to the account already.

If it's a phishing scam, it's really sophisticated and, boy am I screwed.  (However, that would also mean that Verisign's or BOA's security reputation is on the line, because, if it is a phish, then either Verisign issued certs to an illegitimate user or BOA's certs have been compromised.)  But I am confident that the confirmation approach that I took, while not perfect, did confirm the legitimacy of the notice and of the credit card cancellation.

One of the more effective things that you can do to confirm the legitimacy of the site is to enter what you know is incorrect information (e.g., enter the CC Security code incorrectly, or the expiration month or year, or your password).  A legitimate website should give you an error and give you the chance to correct it.  If it lets you in with what you know to be incorrect information, then that would be a red flag.

Well, I should see within 10 days, either I will have new cards or will be starting ID recovery tasks.

# July 14, 2008 10:12 PM

Kathy Hart said:

I received several automated phone calls at an old phone number about possible fraudulent activity before then receiving a letter which had the BOA logo at the top and listed my credit card number.  The letter didn't look legit to me because it was all black and white--even the BOA logo.  I logged into my online banking and chatted with a rep who advised me to call their 1-800 number.  I found out that the letter was legit (and the phone calls had been also), and that someone had attempted to charge $270 to my credit card, which interestingly enough I had never activated.  BOA denied the charge.  I have now canceled that card and made sure BOA has my current phone number on record.

# February 24, 2009 12:14 PM

someone said:

T Ferrer's comments have loopholes:

1. entering incorrect password and seeing it denied is NOT an indication of safety -- the phishers could be doing a "man in the middle", connecting in realtime to the real site and testing the password there.

2. even if the website in the email is legit, the phone number in the email might not be.

My take after half an hour of reviewing all the online evidence: most likely, this is a scam, and B of A is not very helpful about warning about it on their main site, since they ought to specifically list both the good and bad phone numbers. Or, unlikely but possible, it's legit, and B of A is really stupid about not making that obvious (by listing the phone number on their own site). But if it's legit, who is motivated to post all the comments saying it's not? So all in all, there is a good chance it's really a scam.

# March 3, 2009 12:28 PM

Jon said:

When I called the number on the back of my BofA card, they told me to go to myfraudprotection.com.  So either they're redirecting my phone calls or it's legit.  And I don't think they're redirecting my phone calls.

# May 3, 2009 4:33 PM