I was going about my business today and I received a text message. Not uncommon, I get several each day. This text message, however, addressed me as a BofA customer. The assumption is that BofA stands for Bank of America, and the first red flag went off as I am not a customer of Bank of America. As a security professional I dug deeper.
Sure enough, there were enough indicators to tell me it was 100% a scam, but I wanted to find out what it was. After determining that, I wanted to see if I could shut it down. I took screenshots and looked at the link they sent me. I safely followed it and it loaded a convincing login page for Bank of America, but it was not on a Bank of America domain.
It turns out the website was an Italian beekeeper's site, apparently running a compromised version of WordPress or a compromised plugin. The hackers then loaded this login page secretly, so as not to disrupt the front end, and sent all the targets of this scam to it. I emailed the website and gave them all the information, and I hope they read it, clean up the files and update their website.
Let’s break down all the red flags so you don’t fall for this.
RED FLAGS – THE TEXT MESSAGE
- Bank text messages, in the United States, don’t normally come from ordinary ten-digit phone numbers. They come from five- or six-digit short codes (a number like 98324). A short code on its own proves nothing, though; treat the sender as one signal among the rest.
- The typical ‘We detected suspicious activity on your account’ hook. ALWAYS distrust these; manufactured urgency is the lure.
- They sent a link. A legitimate alert would not include a link to log in; the bank would tell you to call them. Even then, never call a number a text message gives you. EVER! Call the number on the back of your card so you are 100% sure you are calling the bank.
- The link they sent is a TinyURL. Shorteners exist to obscure (hide) the real URL, so distrust them in any legitimate business situation. A site such as http://www.checkshorturl.com/ will expand a shortened URL and tell you where it goes before you actually go there.
- The text uses the abbreviation BofA and never spells out Bank of America. Sloppy wording is a subtler red flag, but a red flag all the same.
- No information about you or your card in the text: no ‘Mr. Blogger’, no ‘card ending in 9876’. A blanket text that can be sent to thousands with no personalization is another flag. (The reverse is not proof of legitimacy; leaked data lets criminals personalize too.)
RED FLAGS – THE WEBSITE
- A legitimate-looking login page for Bank of America. Most people would look straight at the login form and start typing. You should ALWAYS look at the address bar first. Fattoriadellape.com? That is not a Bank of America domain.
- Click in the address bar and the whole URL is shown. In this case it was this (I censored it to break it, DON’T GO THERE YOURSELF) – http://fattoriadellape.com/xxxxxxxx/SimplePie/XXX/Declaration/1/LoginMB.php?
- HTTP, not HTTPS. Every site that has any money tied to it, whether retail, banking, a service or a game site, should be served over HTTPS. If it’s not, get out of there. The reverse does not hold: HTTPS only means the connection is encrypted, and phishing sites get certificates too, so a padlock never substitutes for checking the domain.
- The URL directories are clearly those of a hacked WordPress site; SimplePie, for example, is a library that ships inside WordPress, so the phishing page was dropped into the site’s own WordPress files. The login page is not legitimate, it has been planted, and if you actually logged in you just handed your real credentials to the hackers. Bye bye money.
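The website checks above, and the shortener check from the first list, can be done mechanically before anything is clicked. The following is an added example, not code from the original post: a small Python triage function that parses a URL from a suspicious message and reports the red flags described here (plain HTTP, a URL shortener, a registered domain that is not the bank’s, the brand name buried inside a foreign hostname, a login-style path on a foreign domain). The expected-domain set, the shortener list and the path hints are assumptions chosen for illustration; the first sample URL is the censored one from this post and the rest are constructed. The registered-domain helper is deliberately crude (last two labels) and would need the Public Suffix List for co.uk-style suffixes.

```python
from urllib.parse import urlparse, unquote

# Assumption for this example: the brand's real login lives under this registered
# domain. Anything else is treated as foreign, however convincing the page looks.
EXPECTED_DOMAINS = {"bankofamerica.com"}

# Public URL shorteners; these hide the true destination. Illustrative, not exhaustive.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly"}

# Path fragments typical of a phishing kit planted in someone else's web root.
# Heuristics drawn from the post's example URL, not a signature database.
SUSPICIOUS_PATH_HINTS = ("login", "signin", "verify", "secure", "account", ".php")


def registered_domain(host):
    """Crude eTLD+1: keep the last two labels of the hostname.

    Good enough for .com/.net/.org; wrong for suffixes like co.uk, where a
    real implementation would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url, expected_domains=EXPECTED_DOMAINS):
    """Return the list of red flags for a URL received in an unsolicited message.

    An empty list means none of the checks fired, not that the URL is safe.
    """
    flags = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if not parsed.scheme or not host:
        return ["not a parseable absolute URL"]

    # Red flag: plain HTTP. (HTTPS alone is not proof of legitimacy.)
    if parsed.scheme != "https":
        flags.append(f"scheme is {parsed.scheme}, not https")

    # Red flag: "https://bankofamerica.com@evil.example/" puts the brand before
    # the @ sign; browsers treat it as a username and connect to evil.example.
    if parsed.username or parsed.password:
        flags.append("credentials embedded before the host (user@host trick)")

    reg = registered_domain(host)
    if reg in SHORTENERS:
        flags.append(f"URL shortener {reg} hides the real destination")
    elif reg not in expected_domains:
        flags.append(f"registered domain is {reg}, not one of {sorted(expected_domains)}")
        # Lookalike check: the brand used as a subdomain of a foreign domain,
        # e.g. bankofamerica.com.secure-login.example
        for expected in expected_domains:
            brand = expected.split(".")[0]
            if brand in host:
                flags.append(f"brand name '{brand}' appears inside a foreign hostname (lookalike)")

    # Red flag: a login-style page on a domain that is not the bank's.
    path = unquote(parsed.path).lower()
    if reg not in expected_domains and any(h in path for h in SUSPICIOUS_PATH_HINTS):
        flags.append(f"login-style path {parsed.path!r} on a domain that is not the bank's")

    if parsed.port not in (None, 80, 443):
        flags.append(f"non-standard port {parsed.port}")
    return flags


if __name__ == "__main__":
    # First URL: the already-censored one from this post. The rest are constructed.
    samples = [
        "http://fattoriadellape.com/xxxxxxxx/SimplePie/XXX/Declaration/1/LoginMB.php?",
        "https://tinyurl.com/abc123",
        "https://www.bankofamerica.com/login/",
        "https://bankofamerica.com.secure-login.example/login",
        "https://bankofamerica.com@evil.example/",
    ]
    for sample in samples:
        print(sample)
        for flag in triage_url(sample) or ["(no checks fired)"]:
            print("   -", flag)
```

The function only parses the string; it never fetches anything. To learn where a shortened link really points without loading the page, a HEAD request such as `curl -sI` against the short link prints the redirect’s Location header, and that expanded URL is what you feed to the triage function.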
There you go. One simple text message, and an untrained, naive individual will freely hand criminals the credentials to their account and be wiped out. All it takes to avoid these is a little awareness of the crimes that are out there, a dash of skepticism about everything digital, and a touch of hesitation. Unfortunately these scams work, and work often. All I can do is help spread awareness, get the word out, and hope people read what I write and listen to the Security In Five podcast so they don’t become victims.
Be Aware, Be Safe.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming and system administration, through senior management, to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.