Thursday, October 1, 2009

Phishing For Dollars

One of the dubious privileges of writing this column is the extraordinary amount of e-mail I get, both fantastic and spam-tastic. It runs the gamut, from Canadian pharmacies that are located in China, hawking "real" chewable Viagra, which Pfizer doesn't make, to marriage proposals from worn-out, hovering-on-the-edge-of-starvation Ukrainian women, and a few men, lauding my incredible grasp of international news and sports, which my writing clearly covers (sneer), to my favorites - Nigerian scams, of which I've seen remarkably few lately, and phishing attacks.

A phishing attack, for those not in the know, is an e-mail that purports to be legitimate, may appear to have been sent from a legitimate e-mail address and directs the recipient to click on a link contained within the e-mail in order to "re-enter" his "security information" or face "account suspension."

Sigh. People are actually stupid enough to sheepishly react, dutifully click on the link and enter every last bit of personal information requested. Which is why these things keep coming. For me, it's normally something from a bank or institution that's based out West or down South - I'm guessing that the Ukrainian mobsters figure this part of our population to be most brain-dead based on their likely sundrenched-ness and overexposure to cranial UV. So, the "alerts" would be coming from scammers posing as Wells Fargo Bank (California), SunTrust (Florida), and even some banks that were shut down by the Fed near the beginning of the year. Odd - I thought they got CNN in Tbilisi.

Today, I received a phishing attack from "Bank or America." Here's what it said:

Dear Account Holder,

It has been reported to our online security team that there has been a false Bank of America message sent to all our customers. And we are now trying to rectify and protect all our online customers account from any unwanted transactions.

We have Programmed our Security and Database systems to alert us When any unauthorised transactions about to take place. We now require of you to register details to our upgraded security system to avoid Your account from being disabled by our security systems.

A confirmation of this will be sent to your residential address after 7 days of registring. We want to asure you that Your account will be safe guarded by our security new systems immidiately you register.
To do this you are required to click on the secure link below to be able to activate your online Security.:

[Bank of America Security Update]

Customer Service,
Bank fo America Online Banking


Failure to update your account within 24hrs of notice might lead to account being suspended and online access will be restricted.

Thank You.

What truly puzzles me is this: why do they go to all the trouble of formatting a very nice HTML e-mail and yet not bother to recruit, or kidnap, as needs may dictate, an English foreign exchange student who just happened to drop in to Novosibirsk for the goat testicle festival (nice turn of phrase - get your tongue around that one) to check the grammar and spelling? Now, I'll grant you, corporate communications are not always correct - I see spelling and grammar errors often on official sites - but it's not all concentrated in a supposedly critical e-mail going out to millions of users. And such e-mails would be vetted by a dozen people in the marketing, management, IT and legal chain, many of whom I'm sure speaka d'Anglish.

Well, if the fact that you had received an odd e-mail with misspellings and bad grammar didn't tip you off and you desperately clicked on the link to enter your information to "register details to our upgrade security systems", you'd find the massively long web page shown to the left, hosted under a .RU, or Russian, domain. Well, duh!

On the page, you would be prompted to enter every last detail not only of your banking information, but your social security number, phone number, driver's license number, next of kin, mother's maiden name, father's middle name, blood type, last sexual experience - okay, I exaggerated on the last two items, but still. Might this not send up a flag or two? Hmm?? as Yoda would prompt. Fill it out not, you will.

As a good citizen and to satisfy my Inner Told-Ya-So Angst, I reported this to the bank. Too late for 71-year-old Millie Tonto of Meyerbrook, Illinois whose granddaughter just finished setting up Granny with a whole new Mac computer that's immune to viruses, so, It Must Be Safe. Yep, some Russian ho's spending poor Mildred's dough right now. As I type this. Now. Right now. Ca-CHING!

The bank immediately sent me two e-mails, one, an automated response and the other, from an actual human being, with contact information and everything. I bet newly-bearded Ken Lewis is gonna miss his team . . . I also looked at the e-mail header to see where the mail was coming from. Usually, it's an unknowing hosting reseller and I suspect that's the case this time, too, but I couldn't help myself. It was a golden opportunity to bitch at some guy in Mumbai. Ooo - more alliteration.

I clicked on the hoster's chat support (my hosting company has the same set-up, exactly - heck, might even be the same guy) and waited for a response from Vanaranapundu, also known as Nathan, in the Support Hosting biz.

I let Nathan know his company was in deep doo-doo. He was nonplussed. I goaded him - he told me it was a support issue. Mind you, I was chatting with Support. I told him he was committing a crime by aiding an international fraud. Here's a view of the chat window as he made a hasty exit:

Your party has left this session! Hilarious!

So, I e-mailed support at this hosting "company" who is, I suspect, a reseller. Poor guy. This is what their automated response said:

Thank you for submitting a support request. A summary of your request is below:

Details [Submitted 1-10-2009-07:24 ]

ID............: 412772
Viewing Key...: wSCTnsIanY

Name..........: Unregistered
Subject.......: Fwd: 4th Quarter General Update


Registered users may login to track the status of their request :

Thank you.

Clicking on that link gets you this:

What cha think? Should I register? Share more information with folks that don't have control over their servers, apparently? Just a guess and just an opinion, but I would say . . . NOT!

To be fair, hosting services can't really control the accounts they host until AFTER something bad happens. Like imposing a quota on outbound mail to slow the bleed of such an attack. But what I'm really talking about here is PR. If you're going to pretend to be corporate, respond in a corporate way, otherwise, you are now and forevermore low-rent.

And to Mrs. Tonto and the rest of you trusting souls out there, Natasha is taking delivery of a new SL 600 next week and she wanted to say, "SPASIBA!"