I was at a talk by a spam researcher who made the point that although there are some complicated identity theft scams happening on the Internet, most are very, very simple. Yesterday, I received 3 emails supposedly from Scotiabank. Each one had a similar format with different subjects: ‘scheduled security maintenance’, ‘securing customer data’. Standard fraud email. I would hope that most people today would recognize it as fraud, mark it as ‘Junk’ and move on with life. The first flag for me was that I am not a Scotiabank customer. Second, banks never do this via email (and if your bank does, you should change banks). Third, I received 3 of them at three different email addresses that I use to sign up for forms and the like on the Internet. The email had the standard URL for the user to click, which appears to be a Scotiabank link. If you hover your pointer over the link, you can see that the actual link is different. I have highlighted the actual link in light green in the screenshot below. The actual site in the URL is ‘http://www.scotiaonline.scotiabank.com.dll.ec’.
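As an added example (not code from the original post), the following Python checks the links in a message body for exactly this trick: the visible text shows one host while the href points at another, or the bank's domain appears as a subdomain of an unrelated registrable domain. The sample message, the IP-based link and the two-label domain rule are constructed simplifications.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample resembling the email described above (not the real message).
SAMPLE_EMAIL = """
<p>Scheduled security maintenance: please sign in at
<a href="http://www.scotiaonline.scotiabank.com.dll.ec/login.html">
https://www.scotiabank.com/online</a> to keep your account active.</p>
<p><a href="http://198.51.100.7/auth">www.scotiabank.com</a></p>
<p><a href="https://www.scotiabank.com/contact">Contact us</a></p>
"""

def registrable_domain(host):
    # Simplification: the last two labels stand in for the registrable domain.
    # A production check would consult the public-suffix list (e.g. co.uk).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_link(href, text, brand_domain):
    # Return 'lookalike', 'mismatch' or 'ok' for one anchor's href and visible text.
    host = (urlparse(href).hostname or "").lower()
    actual = registrable_domain(host)
    # Brand domain buried as a subdomain of someone else's registrable domain:
    # "...scotiabank.com.dll.ec" is controlled by whoever registered dll.ec.
    if actual != brand_domain and brand_domain in host:
        return "lookalike"
    # Visible text that looks like a URL but whose domain differs from the href.
    if "." in text and not any(c.isspace() for c in text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable_domain(shown) != actual:
            return "mismatch"
    return "ok"

class LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_email(html, brand_domain):
    # Return [(href, verdict), ...] for every link in the message body.
    parser = LinkCollector()
    parser.feed(html)
    return [(h, classify_link(h, t, brand_domain)) for h, t in parser.links]
```

Running `audit_email(SAMPLE_EMAIL, "scotiabank.com")` flags the first link as a lookalike and the second as a text/href mismatch, while the genuine contact link passes.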
I decided to take a few moments and see how ‘complicated’ this scam was. So far they rated very low on the ‘covertness’ scale. I fetched the URL in the email in a way that no code would execute or do anything nasty and took a look at it. It was standard HTML, compressed so that there was no indentation or formatting, probably a simplistic attempt at obscurity. I ran that file through an HTML formatter and took a look at it: a simple form requesting information that your bank would already have. I also fetched the style sheets and graphics the page requested to ensure they did not contain any malicious code. They didn’t.
Confident that all was reasonably safe so far, I went to the site with my browser. I was happy to see that the site had already been flagged by Mozilla as a fraud site and my browser immediately warned me.
I ignored the warning and proceeded to the site. A professional form appeared from ‘ScotiaBank’ requesting my card number, 3 codes that I assume Scotia customers use to authenticate themselves when using online banking services and some personal details.
If you fill in this form, it simply submits the information to the ‘fraudsters’, and I assume they can quickly access and transfer money from your bank account, possibly automated via a BotNet. This is not an attempt at identity theft so much as it is an attempt to harvest the information needed to access your account. I suspect that if you submit data to this form, your bank profile and associated accounts would be accessed within seconds, most likely by an automated program, and money would be transferred or some fraudulent transactions would occur. The fact that they did not ask for a social insurance number on the form means it is probably not an identity theft scam. My guess is that requesting a social insurance number would most likely raise more suspicion with some targets and would probably require the target to go look up what their number was, giving them more time to think before submitting the form. If the goal is to get access to the accounts and it is not required, why ask for what you don’t need and raise suspicion?
This is a simple attack and the technical knowledge needed to do it is minimal, making it easy for just about anyone with a computer and access to the Internet to do it. It may be more complicated on the backend: bots to harvest addresses and send emails, bots to automatically access the account and transfer money from users who submit valid data.
The talk from the spam researcher seems accurate, at least for this example. The attack was pretty simple, although disappointing. I was hoping for more technical wizardry and smarts.
