nGenuity

Bank of Whitman Phishing Scam

Tonight I received an interesting text message. It read as follows:

alert@bankofwhitman.com
(Whit)Alert ! Please Contact Bank0f
Whitman At : 877 727 O714 . Thank you .

Nobody in my family is a Bank of Whitman customer, so to me this is an obvious phishing attempt. I figured I would call the number, record the message and post it here so that people could hear what the phishing scam sounded like.

I also noticed that if I called the number with two phones at the same time, one of them would go to voicemail. Based on a few attempts to call the number using only one phone and rolling to voicemail, it's obvious that there are others calling the number. Hopefully they are smart enough not to provide their account number, expiration date and PIN. At least the criminals were nice enough to not ask for the CVV.

You can download the recording here.

The Bank of Whitman has more information for their customers at http://www.bankofwhitman.com/index.asp?page=5136

Dave Ramsey and the null byte

Phishers (and I’m sure marketing jerks too) love universal redirects. A universal redirect is when you visit a URL that looks like it belongs to one domain and it sends you on to a different site. They have their purpose, but if a site doesn’t implement protections properly it can be brand-damaging. Especially in markets like finance, where trust is very important, any erosion of trust can be very costly. The examples I’m about to provide can be prevented by having your website audited regularly.

The reason that phishers get away with what they do is that it’s easy to mimic the look and feel of a site, which builds your trust. We see a logo and certain colors and we respond accordingly. Companies put a ton of money into building these brands only to have that power used against them. Now people are getting leery about clicking on just any link in an email or website, so if phishers can make it appear like you are clicking on a valid link and then whisk you away to their evil site, all the better for their con.

So, for a quick example, let’s say example.com wants to keep track of who clicks on their partner site link. They might have something like:

http://www.example.com/redirect.cfm?siteURL=http://www.ngenuity-is.com

When you click on that link, in theory it would record your entry in a log file and send you to ngenuity-is.com.

Stop talking and get to Dave Ramsey already:

The reason I bring up daveramsey.com is because they have a similar redirect, are in an industry where trust is very important and have tried to put protections in place to prevent what I’m talking about here. If you mouse over the left-hand navigation you will see that a few of the links go to a page that looks like this:

http://www.daveramsey.com/redirect/redirect.cfm?strPath=…

Dave’s team of crafty website ninjas figured that phishers would love to send people anywhere, so if you try to put your own website after strPath it will just redirect back to the main site. That is where the trusty null byte comes in handy. Slip a single null byte in front of the address and the check no longer recognizes it as an outside site, yet the redirect still follows it, so you have yourself a working universal redirect.

Example: http://www.daveramsey.com/redirect/redirect.cfm?strPath=%00http://www.ngenuity-is.com
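As an added illustration (not code from daveramsey.com or from this site), the Python below models a redirect guard that only inspects the raw strPath string beside a hardened one that rejects control characters and checks the parsed host against an allowlist; the site name www.example.com, the allowlist, and the stripping behaviour modelled in browser_follows are assumptions.

```python
from urllib.parse import unquote, urlsplit

SITE_HOST = "www.example.com"                      # hypothetical site hosting redirect.cfm
HOME = f"http://{SITE_HOST}/"
ALLOWED_HOSTS = {SITE_HOST, "www.ngenuity-is.com"}  # constructed allowlist of partner sites

# C0 control characters plus space: the WHATWG URL parser strips these from both
# ends of its input before parsing, so "\x00http://x" is followed as "http://x".
_C0_AND_SPACE = "".join(chr(i) for i in range(0x21))

def browser_follows(location: str) -> str:
    """What a browser actually navigates to for a given Location value."""
    return location.strip(_C0_AND_SPACE)

def weak_redirect(str_path: str) -> str:
    """Guard modelled on the description above: anything that *starts with*
    http is bounced to the home page, everything else is passed straight
    through. It inspects the raw string, so a leading byte slips past it."""
    decoded = unquote(str_path)
    if decoded.lower().startswith("http"):
        return HOME
    return decoded

def safe_redirect(str_path: str) -> str:
    """Hardened version: refuse control characters, parse the URL, and only
    follow site-relative paths or absolute URLs whose host is on the allowlist."""
    decoded = unquote(str_path)
    # Any control character is a parser-confusion attempt (and CR/LF would
    # additionally permit response-header injection), so reject outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return HOME
    parts = urlsplit(decoded)
    if not parts.scheme and not parts.netloc and decoded.startswith("/"):
        return HOME.rstrip("/") + decoded           # e.g. "/about" stays on site
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return decoded                               # approved partner, as given
    return HOME                                      # everything else: go home

if __name__ == "__main__":
    payload = "%00http://www.ngenuity-is.com"        # the page's example, URL-encoded
    print("weak:", browser_follows(weak_redirect(payload)))   # leaves the site
    print("safe:", browser_follows(safe_redirect(payload)))   # stays home
```

The hardened check compares parsed hosts rather than string prefixes, so userinfo tricks such as http://www.example.com@other.host and scheme-relative //other.host are also sent home.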

The end.