[Dshield] Banks Openly Inviting Email Fraud

wulfman wulfman at charter.net
Tue Feb 24 00:54:53 GMT 2004


And the news anchor shakes his head at the latest PayPal phishing scandal as
if to imply that only a complete idiot could be suckered by such a scam.

I had not noticed this aspect of bank Email until this posting, but it
appears to be dead-on the mark.

Email from a financial trustee should be required to be signed with a valid
digital certificate, and encrypted for the security of the customer.
As lame as Windows has ever been for securing any aspect of email, such
things would at least be minimal safeguards against fraud.

What in heaven's name do they think is going to prevent someone from pulling
something like an MIM, pretending to be the bank?

A feasible scenario might go something like this...

Trojan script kiddie sniffing traffic on his cable connection notices a
batch of emails come in, in clear text of course, to a group of customers
from a major bank. He then distributes an email to these same people with
an attachment which claims to be a Financial Security Plug-In.
Let's say it does little more than display an interface requiring their
account name and password "as verification of any email transactions... For
the customer's safety."
It then redirects any email addressed to the bank's email address to an
alias address invisible to the sender... even bouncing it off an overseas
proxy.

At that point most if not all of the recipients of that attachment would be
just pleased as punch that their bank is so dedicated to their security that
the social engineering portion of the game would be over and the
exploitation of their account would be in end-game phase.

The suggestion that a website be set up to publish this amazing lapse of
judgement by our financial institutions is a great one, and I'd be happy to
set one up.... Access for posting to it can be validated with any major
credit card and PIN number.... Chuckle.
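
The safeguard the poster calls for, bank mail signed under a certificate the customer's client can validate, worked through in code as an added example; it is not part of the original post or of anything the list published. It uses only Go's standard library. The "Example Root CA" trust root, the "Example Bank" name, the message text and the bank.example addresses are all constructed for the example. It shows the two checks a receiving mail client has to make, and why the second one (the certificate must chain to a root the client already trusts) is what actually defeats the scenario above: the phisher can sign anything he likes with a certificate he minted himself that carries the bank's name.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedMail is a deliberately simplified stand-in for an S/MIME message: the
// signed text, an RSA signature over its SHA-256 digest, and the certificate
// the sender attached so the recipient can check it.
type SignedMail struct {
	Body []byte
	Sig  []byte
	Cert *x509.Certificate
}

var serial int64 // constructed for the example; a real CA uses random serials

// newCert issues a 2048-bit RSA certificate for cn. With parent == nil it is
// self-signed (a root CA, or a certificate an attacker minted for himself);
// otherwise it is issued by parent and signed with parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// sign is what the bank's outbound mail gateway would do before sending.
func sign(body []byte, cert *x509.Certificate, key *rsa.PrivateKey) SignedMail {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return SignedMail{Body: body, Sig: sig, Cert: cert}
}

// verify is what the customer's mail client must do. Two independent checks:
//  1. the signature matches the body under the attached certificate's key
//     (catches a message altered in transit);
//  2. the certificate chains to a root the client already trusts
//     (catches an attacker signing with a certificate he made up himself).
// A Subject that merely says "Example Bank" proves nothing without check 2.
func verify(m SignedMail, roots *x509.CertPool) error {
	pub, ok := m.Cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported signer key type %T", m.Cert.PublicKey)
	}
	digest := sha256.Sum256(m.Body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Sig); err != nil {
		return fmt.Errorf("signature does not match message: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := m.Cert.Verify(opts); err != nil {
		return fmt.Errorf("signer certificate not trusted: %w", err)
	}
	return nil
}

// Scenario plays out the three cases from the post and returns each verdict:
// the bank's genuine mail, the same mail with its link rewritten on the wire,
// and a phishing mail signed under an attacker-made "Example Bank" certificate.
func Scenario() (genuine, tampered, phish error) {
	rootCert, rootKey := newCert("Example Root CA", true, nil, nil) // constructed trust root
	bankCert, bankKey := newCert("Example Bank", false, rootCert, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(rootCert) // what ships in the customer's mail client

	// Constructed sample message; the headers are signed too, so From is covered.
	body := []byte("From: Example Bank <statements@bank.example>\r\n" +
		"Subject: Your statement is ready\r\n\r\nView it at https://bank.example/statements\r\n")
	genuine = verify(sign(body, bankCert, bankKey), roots)

	m := sign(body, bankCert, bankKey) // sniffed in clear text, link rewritten by the attacker
	m.Body = bytes.Replace(m.Body, []byte("bank.example"), []byte("bank-example.invalid"), -1)
	tampered = verify(m, roots)

	attCert, attKey := newCert("Example Bank", false, nil, nil) // same name, chains to nothing
	phishBody := []byte("From: Example Bank <security@bank.example>\r\n" +
		"Subject: Install the Financial Security Plug-In\r\n\r\n" +
		"For your safety, verify your account name and password in the attached plug-in.\r\n")
	phish = verify(sign(phishBody, attCert, attKey), roots)
	return genuine, tampered, phish
}

func main() {
	genuine, tampered, phish := Scenario()
	fmt.Println("genuine bank mail:    ", genuine)
	fmt.Println("link rewritten:       ", tampered)
	fmt.Println("self-signed phisher:  ", phish)
}
```

Only the first case comes back nil. The rewritten link fails check 1, and the phisher's mail, whose signature is perfectly valid under his own certificate, fails check 2 with an unknown-authority error; a client that stopped at "signature OK" would have accepted it. Encryption, the other half of the poster's suggestion, addresses the sniffing step and is a separate mechanism not shown here.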

