In early March 2008, we received the following email, purportedly from the National Credit Union Association (NCUA):
Dear Credit Union member,
You have received this email because you or someone had used your account from different locations. For security purpose, we are required to open an investigation into this matter.
In order to safeguard your account, we require that you confirm your online banking details.
The help speeed up to this process, please access the following link so we can complete the verification of your Federal Credit Union Online Banking Account registration information.
http://65.112.203.172/icons/update/NCUAlogin/
If we do no receive the appropriate account verification within 48 hours, then we will assume this Federal Credit Union account is fraudulent and will be suspended.
The purpose of this verification is to ensure that your bank account has not been fraudulently used and to combat the fraud from our community.
We appreciate your support and understanding and thank you for your prompt attention to this matter.
Thank you,
NCUA® Security Department.
The wording of the email and the numeric IP address used in place of a domain name in the URL led us to doubt the legitimacy of this email. The link directed you to a page that closely resembled the legitimate NCUA site (see picture below of the phishing site, which was taken down later in the day). The launching page asked for the name, card number, PIN, and email. The rest of the links on the page pointed to pages on the legitimate NCUA site.
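The two signals described above, a raw IP address as the link host and pressure wording in the body, can be checked mechanically. The following Python code is an added example, not part of the original post; the `ncua.gov` domain mapping, the phrase list and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: sentences and the link quoted from the email above.
SAMPLE_EMAIL = """Dear Credit Union member,
In order to safeguard your account, we require that you confirm your online banking details.
http://65.112.203.172/icons/update/NCUAlogin/
If we do no receive the appropriate account verification within 48 hours, then we will assume this Federal Credit Union account is fraudulent and will be suspended.
"""

# Assumption: the impersonated brand's real site lives under ncua.gov.
BRAND_DOMAINS = {"NCUA": "ncua.gov"}
# Pressure phrases taken from the email's wording; extend for other lures.
URGENCY = [r"within \d+ hours", r"will be suspended", r"confirm your online banking details"]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def host_is_ip(host):
    """True when the URL host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_email(body):
    """Return a sorted list of indicator strings found in the message body."""
    findings = set()
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host_is_ip(host):
            findings.add(f"ip-literal-host:{host}")
        if parts.scheme.lower() == "http":
            findings.add("plain-http")
        for brand, domain in BRAND_DOMAINS.items():
            on_brand = host == domain or host.endswith("." + domain)
            # Brand name appears in the path, but the host is not the brand's.
            if brand.lower() in parts.path.lower() and not on_brand:
                findings.add(f"brand-in-path-off-domain:{brand}")
    for pattern in URGENCY:
        if re.search(pattern, body, re.I):
            findings.add(f"urgency:{pattern}")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(score_email(SAMPLE_EMAIL)))
```

Each finding is a weak signal on its own; the combination of an IP-literal host, a brand name in the path and deadline wording is what makes this message stand out.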
Our decision was to react by reporting this to the authorities. This was more involved than anticipated. Searching for “report phishing” in Google gave a result set of 271,000 links. We used the following from the first page of results:
- United States Computer Emergency Readiness Team (US-CERT) – A government agency responsible for protecting the nation against cyber attacks, among other things.
- PhishTank – A community-based anti-phishing service. The Opera web browser and certain other popular internet applications, such as Yahoo Mail, use data from PhishTank for their anti-phishing filters.
- Anti-Phishing Working Group (APWG) – A volunteer organization that fights phishing.
- CastleCops – PIRT (Phishing Incident Reporting and Termination Squad) – An organization run by CastleCops with support from the community.
Reporting was fairly painless, with only PhishTank requiring a sign-up. Acknowledgement, however, was practically non-existent. The PhishTank user interface is superior, giving an immediate status on whether the site has already been submitted and whether it is already classified as a phish. When we submitted the offending site, the feedback was that additional votes were required for it to be confirmed as a phishing site. Within two hours the site was established as a phishing site. The CastleCops and APWG launching pages provide information on the partners that use their feeds, which included US-CERT. PhishTank, on the other hand, publishes a free Application Program Interface (API) that anyone can use.
Within 30 minutes of our reporting the site, the Firefox and Internet Explorer (IE) web browsers both began flagging the launch point as a phishing site. The Opera web browser, on the other hand, failed to flag the site even after an hour. Within about three hours, the site was brought down. We do not know the nitty-gritty behind this operation, but the end result was satisfactory. Even so, we are inclined to believe the criminals got away with a number of valid card details during the first hours, their window of opportunity.
Currently, Google's "Report a Phishing" and US-CERT's "Report Phishing Sites" web-pages are the best options to report such activity.
Last Updated: 01/2015.