[Dshield] Just received (phishing)

Knust, Joshua Joshua.Knust at hq.doe.gov
Fri Feb 3 15:38:24 GMT 2006

Some additional understanding of small bank IT operations may help.

I have reason to believe a bank I use was compromised (or a downstream vendor they use). For my personal email, I use a unique email address for every online registration, order or form that requires email (since I own the domain and mail server). A pseudo honeytoken approach, if you will, as I want to know who sells my email (you'd be surprised). For example, I registered something like josh.mybankname102004 at mydomainname.com.

Just a few weeks ago I started receiving financial related spam to that specific address (mostly penny stock "advice"). I clearly established it did not result from a dictionary attack or harvesting attempt on my domain either, and that email was never used prior - just suddenly started receiving financial spam only. I contacted my bank and explained, and they are investigating. Since they are making good faith efforts, I will not disclose their name.

I have also done bank penetration testing in the past.... so I know the inner workings a bit. In layman's terms, I have found that most smaller banks are more like a franchise front end and require a larger central processing facility that is shared by many banks (that are not the same bank). You can bet that many small banks ship off check image processing, mainframe duties, reconciliation, etc. and that your email registered with them online may be in one large  database serving multitudes of banks. This is especially true of online banking (think ASP model).

I'd be interested in chatting offline to see if this is related. In approaching this bank... do some research on honeytokens (protecting IP, theft, internal fraud, etc.) and you should be able to convey your concerns. Large banks use honeytokens... for example, a credit card number with specific, but false, customer info is stored in a DB... and nowhere else. So if one day it is used.... you may be able to determine that DB is compromised even on an inside job where an admin leaves little evidence and is directly accessing the DB. There are some wild uses of honeytokens if you research it for awhile. 

All of this email is my personal opinion and in no way representative of, or related to, my current employ.


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of J Lake
Sent: Friday, February 03, 2006 6:54 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Just received (phishing)

On Thursday 02 February 2006 02:04 pm, Aaron Lewis wrote:
> Phishing attempt for Town North Bank in Texas. I received an email linking
> me to a site asking for all the account information. I'm not a customer
> there but the URL I was lead to is

This reminds me to ask a question to the group: 

Someone in my organization was taken in by a phishing scam this week.
When I asked him about it further, I found out that the e-mail address that
the phish was sent to is not an address in general circulation. I think he 
fell for it because that address was used by the bank and only one or two
other people had it.

So my question to the group is, should I imply from this that the bank's
information was compromised in some way? It is a really small, local bank. I 
can't think of any other reason for someone to associate that bank and his 
uncirculated e-mail address without figuring that the bank either losing that 
information, or selling it. Can anyone help me understand this better?

Here was the link by the way, it's dead now:
> Please confirm your email by clicking the link below :
> http://cash4erotik.de/.p/Onlinebanking/

Learn about Intrusion Detection in Depth from the comfort of your own couch:

send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list