Prattle Me A Scam, Scumbag

October 9, 2019


Apropos of probably the fact that I recently opened a new line of credit, I’ve been phished not once but twice in as many days.

If you’re not up on your InfoSec terminology, phishing is a fraudulent attempt to obtain confidential information. It is a cybercrime perpetrated by someone posing as an authorized entity for the purpose of luring unwary individuals into disclosing sensitive data such as usernames and passwords which the scammer can then use illicitly.

The target is typically contacted via email, telephone or text message disguised as legitimate communication. Save reporting it to the institution that was spoofed–in my case, Wells Fargo bank–there’s not a whole lot that can be done about it. (Assuming you did not fall for the con, that is, in which case that is an entirely new level of misery.) I’m writing about it as a public service to alert readers that phishing scams are becoming increasingly sophisticated. It’s not enough just to be aware phishing exists. In fact, in order to protect yourself, you have to dig a little deeper than obvious red flags that bludgeon you with comical errors.

At first glance, the two phishing attempts that targeted me looked absolutely legit. Even the telephone numbers checked out, but then I’m quite sure the criminal counted on the fact that most people would rather use their shiny eight hundred dollars’ worth of smartphone technology than place a tired, old, antiquated phone call.

Further, there were none of the usual grammar and spelling errors which are part and parcel of a phish attempted by a criminal who does not speak English.

For example, a typical phishing expedition would have included something along the lines of:

If you havent recieve you card call us at 800-WE-GOODE.

Or some other obvious grammatical and/or spelling error.

And a less discerning person may have taken the bait simply by virtue of the fact that not only was his name included in the greeting but it was also spelled correctly rather than the generic Dear Valued Customer which is SOP for scams of this nature. You may be wondering how a scammer would know your name and that you have accounts at Wells Fargo bank but hold that thought.

Behold the Scumbaggery


Exhibit Alpha – Activate Your Card


Exhibit Bravo – Deposit Your Check with a Smartphone

Given my natural state of vigilance and suspicion combined with a heaping helping of information security as a side gig, I don’t want to say that it is impossible to scam me but, in reality, it will be quite the frosty day in Hell when I’d be dumb enough to click on a link contained within an unsolicited message especially from a high profile bank that encouraged me to activate a credit card and another link in another message to deposit a check with a smartphone. Ain’t happenin’, Jimmy. And any bank that sends such correspondence to you should be reported to the state and federal Attorneys General offices accordingly.

Returning to the question of how a scammer would know your personal details such as name and accounts, the answer is they don’t. At least, not usually, unless, of course, your identity has been compromised. But Wells Fargo has a significant presence in financial markets sufficient for scumbags to gamble (and usually guess correctly) that a satisfying portion of their target audience probably would. And even if you did not, there are those out there who may still click on the links anyway because they mistakenly believe that they have hit the FICO jackpot–

Hey, I don’t even have an account at Wells Fargo and I never applied for credit but they want to give me free money, woo hoo! Let me click on that link right now and give my social security number, username, password AND mother’s maiden name! What could possibly go wrong?

Even the return address domain seemed kosher but still smelled like unadulterated dog shit to me.


Always check the headers

A quick trace and peek into the WHOIS database yielded that connect.wellsfargoemail.com resolves back to Cheetahmail which appears to be a legitimate business entity. And presumably, the Cheetahmail domain has been spoofed/hijacked for the purpose of scamming unsuspecting consumers, but I have no way of knowing for sure. Maybe the administrative contact named below in the public record spends his free time perpetrating cybercrime?
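The header check described above can be scripted. This is an added example, not part of the original post: the sample headers are constructed, every domain in them is a placeholder, and `known_domains` stands for whatever list of domains the institution itself publishes. A third-party mailer in the bounce address is not proof of fraud on its own, which is why the DMARC verdict is read alongside it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers, not the message from the post; every domain is a placeholder.
SAMPLE = """\
Return-Path: <bounce-123@mailer.esp.example>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=mailer.esp.example;
 dkim=pass header.d=esp.example;
 dmarc=fail header.from=connect.bank-email.example
From: "Your Bank" <alerts@connect.bank-email.example>
To: you@recipient.example
Subject: Activate your card

(body omitted)
"""

def domain_of(header_value):
    """Lower-cased domain part of the address in a From/Return-Path header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def same_org(domain, known):
    """True if domain is one of the known domains or a subdomain of one."""
    return any(domain == k or domain.endswith("." + k) for k in known)

def check_headers(raw, known_domains):
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    # Only trust the Authentication-Results header stamped by your own mail provider.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    findings = []
    if not same_org(from_dom, known_domains):
        findings.append(f"From domain {from_dom} is not on the institution's published list")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"bounce address uses {rp_dom}, a different domain than From")
    if verdicts.get("dmarc") != "pass":
        findings.append("no DMARC pass recorded for the From domain")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "verdicts": verdicts, "findings": findings}

if __name__ == "__main__":
    for line in check_headers(SAMPLE, {"bank.example"})["findings"]:
        print("-", line)
```

Note that `connect.bank-email.example` fails the `same_org` test against `bank.example`: a name that merely contains the brand is not a subdomain of it.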


Suffice it to say, after having forwarded both phishing attempts to Wells, I have not received a response nor do I expect to, mostly because the fraud department does not inspire confidence. While I was researching the connect.wellsfargoemail.com domain I found a previous thread in the @Ask_WellsFargo Twitter feed, and its operator either could not or would not answer the question of whether connect.wellsfargoemail.com even belonged to the bank. Shouldn’t an account named “Ask Wells Fargo” possess fundamental knowledge about the organization it purports to speak for on social media?

A logical person would assume that Ask Wells Fargo would at least be peripherally aware as to what domains Wells Fargo actually owns, but you’d be mistaken if you thought the official Twitter feed served any other purpose than mindless, happy, shiny marketing drivel, which is exactly why you have to possess a working knowledge of what email headers are and where to find them. In fact, stay tuned for an upcoming tutorial on that particular subject matter. Until next time, don’t click on any links from within your email, especially for special deals and services from financial and banking entities.


Prattle Encore|The Thriving Fraud Economy

April 4, 2011

The following was originally published 4 October 2010. In light of the Epsilon data breach, Prattle is republishing.

According to the 2009 Verizon Business Data Breach Investigations Report, 285 million consumer records were compromised in 2008 – more than the previous four years combined. As more consumers come to increasingly (blindly) rely upon mobile phones for banking and other financial transactions, Internet and mobile phone scams have become a billion dollar enterprise. The bad news is that the continued emergence of sophisticated fraud techniques promises that data breach statistics will continue to increase exponentially. The good news is that most breaches are avoidable provided that the proper precautions have been taken. By keeping yourself informed of how criminals operate, you will mitigate the risk that you will become the next victim.

Let’s begin with the basics.  Back in the day, the practice of obtaining confidential information fraudulently was referred to as social engineering.  Old skool hacker, Kevin Mitnick, was the poster boy of this con. Unsuspecting individuals and businesses were contacted via telephone, and, if the criminal was smooth enough, he was able to pass himself off as a repairman or some other person who was entitled to sensitive data.

Back then, individuals and businesses were about as technically savvy as a box of rocks and so conning them out of confidential data was as easy for people like Mitnick as it is now for Wall Street bankers to purchase a politician. But social engineering has long since gone from a mere computer hack and telephone con to phishing, vishing and smishing.

Types of Scams

Phishing <<  A well known computer phish is the Nigerian advance fee email scam.  A phish is essentially an attempt to acquire sensitive data such as credit card and bank account numbers via email.

This popular tactic is favored by criminals and is designed to harvest your data fraudulently by spamming you with email that appears to be from your banking institution and/or credit card company.  The email  contains a link that the hapless victim believes will take him to his account, but the reality is that the url is a redirect to the criminal’s own website that was created for the express purpose of fooling you into revealing your username and password.

A good way to head off this scam is to be sure that you know your financial institution’s security practices and policies before you click on a link within a questionable email. Because computer phishing is a regularly occurring activity, it won’t be difficult to find the Fraud Information section on your financial institution’s website. The FTC also has a very good primer on ID theft found here.
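The link trick described above, where the visible text and the real destination disagree, can be checked mechanically before anything is clicked. This is an added example, not part of the original post: the HTML body is constructed, all hosts are placeholders, and `known_domains` is assumed to come from the institution's own published list.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body; all hosts are placeholders.
SAMPLE_HTML = """
<p>Dear customer, activate your card at
<a href="https://secure-login.example/activate">https://www.bank.example/activate</a></p>
<p><a href="https://www.bank.example/help">Help center</a></p>
"""

class LinkAudit(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    return (urlsplit(url).hostname or "").lower()

def suspicious_links(html, known_domains):
    """Links whose real target is off the known domains or differs from the text shown."""
    parser = LinkAudit()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = host(href)
        shown = host(text) if "://" in text else ""
        off_site = not any(target == k or target.endswith("." + k) for k in known_domains)
        if off_site or (shown and shown != target):
            flagged.append({"href_host": target, "shown_host": shown, "text": text})
    return flagged

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_HTML, {"bank.example"}):
        print(f"text shows {hit['shown_host'] or hit['text']!r}, link goes to {hit['href_host']!r}")
```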

Vishing << (Voice + phishing = Vishing) Is a form of phishing except victims are contacted via a live or automated phone message in an attempt to lure them into providing confidential data so the criminal can then use it to log into the victim’s account and transfer money to himself.  Here is an actual vishing attempt recorded by a well known bank that has been recently hit by vishing attacks.

You can learn to protect yourself from vishing attacks by reading more here.

SMiShing <<  (Short Message Service [texting]+ phishing = SMiShing) Another form of phishing, smishing uses cell phone text messaging to deliver the bait to get you to disclose your personal information such as account number, SSN, CVV code, PIN & other info. The method used to capture your data is usually a website URL, but it has become common practice to send the victim a phone number that connects to an automated voice response system.

Once you call the number provided, you’ll hear a message along the lines of “Notice: This is an automated message from (your financial institution’s name here) that your (name of card) has been suspended. To reactivate this card, please enter in your account number and password.”

This information is then used to create a duplicate credit and/or debit card.

Of course, if you’re banking with Farmers & Merchants bank, and, you receive a text message from UBetcha We’re Too Big To Fail bank, then this particular SMiSh will in all likelihood result in you scratching your head and wondering WTF.  But if you actually do bank with UBetcha, then you may believe the text message is legit.

Learn more about how to protect your phone here.

What You Can Do

While it’s not possible to anticipate and/or prevent every attack, knowing how criminals operate and the ruses they use to fleece unsuspecting consumers is a big step to avoiding having your identity stolen. In addition to reading this website, the FTC also has an informative page that will help ID popular scams that you may encounter.

Update – The Thriving Fraud Economy Marches On

4/4/2011 >>

If you’ve been receiving email notifications regarding a database breach for various brands, it’s because Epsilon -the world’s largest permission-based email marketer- was hacked. So far, the breach seems to include names and email addresses, but no financial information, but be advised that you are not safe.  From here on out, you can expect to see a whole lot more scams (such as the above referenced) to get you to disclose your confidential data.

Click here for the most current list of Epsilon’s clients for 4/4/2011.

©2010 Peyton Farquhar™ and Prattle On, Boyo™. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Peyton Farquhar™ and Prattle On, Boyo™ with appropriate and specific direction to the original content.