
November 11, 2010

Bank of America Phishing

It has been a while since I followed a phishing link, so upon receiving a few Bank of America phishing email messages today (and after verifying that the pages aren't harmful on their own), I thought I'd look to see what today's phisher is up to.

Bank of America logins normally have a two-stage verification process. On the first page, you enter your user ID; the second page then shows what they call a Site Key, which is a photo that you had previously chosen from a group provided by BofA, along with some text that you had entered. In theory, you are supposed to verify that the image and text are the same ones you had chosen/entered before typing in your password. One potential problem with this system, IMHO, is that the login process becomes so automatic for users that most probably don't bother to verify the image/text combo, but use muscle memory to whiz past the second page by blindly entering their password.

But that's another story.

I was curious whether this phisher was doing anything to replicate the Site Key login process. A successful mimic would likely mean that the phisher was performing a man-in-the-middle type of attack, which is very difficult for typical users to identify (and more complex for the phisher). In this case, however, the phisher took the easy way out, providing a single-page verification form.

And what a form! If someone supplies the information requested — nay, demanded, since all fields were *'d as being "required information" — losing everything in their BofA accounts would be only the beginning of their identity theft troubles. Look at this list of fields:

  • State (popup list)
  • Online ID
  • ATM or Check Card PIN
  • Passcode
  • (checkbox)Credit/Debit Card
    • Credit/Debit Card Number
    • Exp Date (popup lists)
    • Code Verification Number
    • Pin Number
    • Full Name
    • Address Line 1
    • Address Line 2
    • City
    • State (popup list)
    • Zip [sic] Code
  • (checkbox)Checking or Saving Accounts Detail
    • Account Number
    • Routing Number
  • Phone Number
  • E-mail Address
  • E-mail Password
  • Social Security Number
  • Date of Birth
  • Mother's Maiden Name
  • Mother's Middles [sic] Name
  • Father's Maiden Name [sic]
  • Father's Middles [sic] Name
  • Driver License Number
  • SiteKey Challenge Question 1 (pop up list)
  • Answer of Question 1
  • [The above repeated through Question 6]

What? They don't demand my shoe and hat sizes? It's also going to be kinda hard to supply my father's maiden name, since he never was a maiden.

This page, which has plenty of graphical hallmarks of a legitimate BofA web page, is being hosted within hijacked legitimate web sites. An image labeling the page a "Secure Area" is contradicted by the absence of an SSL connection. The form data is passed along to a PHP program — a remailer called ZolaHacker.php — inserted into the site by the hijacker. In other words, the crook doesn't have to go any further than checking his inbox to pick up the phished data. Unless he's really stupid, I'd wager that the destination inbox is a free email account registered with phony data.
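The traits described above (one form demanding many unrelated secrets, a "Secure Area" badge on a plain-http page, and a post target that is a PHP script on the hijacked host) can be checked mechanically. The following is an added example written for this post, not code from the original; the sample HTML and the host `hijacked-site.example` are constructed stand-ins for the kit, and the regex categories are my own assumptions about what a real bank login never collects together.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Data categories a real bank login never collects together on one page (assumed list).
SENSITIVE = {"pin": r"\bpin\b", "ssn": r"social\s*security|\bssn\b", "card": r"card\s*number|\bcvv\b",
             "routing": r"routing", "maiden": r"maiden", "dob": r"date\s*of\s*birth",
             "email_pw": r"e-?mail\s*pass", "sitekey": r"challenge\s*question"}

class FormScanner(HTMLParser):
    """Collects form actions, field names and <label> text from a page."""
    def __init__(self):
        super().__init__()
        self.actions, self.texts, self.in_label = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag in ("input", "select", "textarea"):
            self.texts.append(a.get("name") or a.get("id") or "")
        self.in_label = self.in_label or tag == "label"
    def handle_endtag(self, tag):
        self.in_label = self.in_label and tag != "label"
    def handle_data(self, data):
        if self.in_label:
            self.texts.append(data)

def assess_form(html, page_url):
    """Return the phishing indicators found in a login page's form."""
    scanner = FormScanner()
    scanner.feed(html)
    blob = " ".join(scanner.texts)
    hits = sorted(c for c, rx in SENSITIVE.items() if re.search(rx, blob, re.I))
    findings = []
    if len(hits) >= 3:  # one page demanding several unrelated secrets
        findings.append(f"single form requests {len(hits)} secret categories: {hits}")
    for action in scanner.actions:  # where the submitted data actually goes
        if urlparse(urljoin(page_url, action)).scheme != "https":
            findings.append(f"form posts without TLS to {urljoin(page_url, action)}")
    if re.search(r"secure\s*area", html, re.I) and urlparse(page_url).scheme != "https":
        findings.append("page claims 'Secure Area' but is served over plain http")
    return findings

# Constructed sample modelled on the field list in the post (not the real kit's markup).
SAMPLE_URL = "http://hijacked-site.example/online-banking/verify.html"
SAMPLE_HTML = """<img alt="Secure Area" src="secure.gif"><form method="post" action="ZolaHacker.php">
<label>Online ID *</label><input name="onlineid"> <label>ATM or Check Card PIN *</label><input name="pin">
<label>Credit/Debit Card Number *</label><input name="cardnum"> <label>Social Security Number *</label><input name="ssn">
<label>Mother's Maiden Name *</label><input name="mmn"> <label>Routing Number *</label><input name="routing">
<label>E-mail Password *</label><input name="emailpw" type="password"></form>"""
```

Running `assess_form(SAMPLE_HTML, SAMPLE_URL)` yields three findings for the constructed sample, while a genuine single-field ID page posting over https yields none.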

There really isn't anything new here. A phisher was a phisher, is a phisher, and will be a phisher.

Posted on November 11, 2010 at 11:19 AM