Vishing: Dialing for Dollars, Part II
Security Fix received a copy of a new scam e-mail targeting Bank of America customers that is likely to con quite a few folks before it is shut down.
Sure, Bank of America is hit by this sort of thing all the time. It's the fourth most popular target for "phishing" scams that use e-mail to lure people into giving away their data at counterfeit sites, according to stats just released by PhishTank. But this is one of the more convincing voice phishing or "vishing" attacks I've seen yet.
Vishing scams start with an e-mail lure that asks the recipient to call a specific 1-800 number to settle some matter with his or her account. The numbers usually are connected to an automated system that asks the caller to key in data from a credit card -- the 16-digit account number, the expiration date and the three-digit security code on the back.
This new Bank of America scam has the same elements, but its execution is nearly flawless (unlike the majority of previous vishing scams Security Fix has seen, which either bungle the voice mail system or use a lure full of poor spelling and grammar). It informs the recipient that his account has been suspended because it was used to purchase "obscene or certain sexually oriented goods or services." From the e-mail:
"We are hereby notifying you that, after a recent review of your account activity, it has been determined that you are in violation of Bank of America's Acceptable Use Policy. Therefore, your account has been temporarily limited for: hotjasmin.com cam shows. In order to remove the limit please call our TOLL FREE number [omitted]." That domain is registered to a guy in the Netherlands, but it's currently inactive.
I recorded a short snippet of the first 45 seconds or so of the automated phone message used in this attack. If you enter the requested information, the voice then asks for your bank PIN: "Bank of America asks for your PIN in order to verify your identity. This also enables us to assist federal authorities in order to prevent money laundering and other illegal activities."
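As an added illustration (not code from the original post), here is a small heuristic a mail-filtering team could run over incoming messages: it looks for the combination this scam relies on, a toll-free number to dial plus policy-violation lure wording, and separately notes requests for card data or a PIN. The sample messages, the phrase list and the 555-01xx phone numbers are all constructed for the example; the real number in the scam was omitted from the post.

```python
import re

# Toll-free prefixes of the North American numbering plan, with common separators.
TOLL_FREE_RE = re.compile(
    r"(?<!\d)(?:1[-.\s]?)?\(?(?:800|888|877|866|855|844|833)\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"
)
# Wording modelled on the lure quoted above plus common variants (constructed list).
LURE_PHRASES = (
    "account has been temporarily limited",
    "account has been suspended",
    "violation of",
    "acceptable use policy",
    "call our toll free number",
    "please call",
    "verify your identity",
)
# Data the automated phone tree tries to collect; matched on word boundaries.
SENSITIVE_REQUESTS = ("pin", "security code", "expiration date", "account number")

def vishing_indicators(message: str) -> dict:
    """Collect toll-free numbers, lure phrases and sensitive-data requests from one text."""
    text = message.lower()
    return {
        "toll_free_numbers": [m.group(0) for m in TOLL_FREE_RE.finditer(message)],
        "lure_phrases": [p for p in LURE_PHRASES if p in text],
        "sensitive_requests": [k for k in SENSITIVE_REQUESTS
                               if re.search(rf"\b{re.escape(k)}\b", text)],
    }

def is_vishing_lure(message: str) -> bool:
    """Flag a message that both pushes the reader to dial a number and uses lure wording."""
    ind = vishing_indicators(message)
    return bool(ind["toll_free_numbers"]) and bool(ind["lure_phrases"])

# Constructed samples; 555-01xx numbers are reserved for fiction.
LURE = ("We are hereby notifying you that, after a recent review of your account "
        "activity, it has been determined that you are in violation of Bank of "
        "America's Acceptable Use Policy. Therefore, your account has been "
        "temporarily limited. In order to remove the limit please call our "
        "TOLL FREE number 1-800-555-0199.")
STATEMENT = "Your February statement is now available. Sign in to Online Banking to view it."
BRANCH = "Branch hours have changed. Questions? Call (800) 555-0100 during business hours."
VOICE_PROMPT = "Bank of America asks for your PIN in order to verify your identity."

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("statement", STATEMENT), ("branch", BRANCH)):
        print(name, is_vishing_lure(msg), vishing_indicators(msg))
```

A legitimate notice that merely lists a branch phone number is not flagged, because it carries none of the lure wording; the voice-prompt transcript is not an e-mail lure but does surface the PIN request.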
Generally, it's a good idea not to even dial these bogus 1-800 numbers, as you're essentially giving the scammers your phone number, a key piece of your personal data. It's also a good idea to be very suspicious of e-mails that ask you to call any number. When in doubt, open up a browser window and find the official Web site of your financial institution, then look up the customer-service number listed there.