A new phishing variation has appeared. Crooks cracked web servers for three banks in Tallahassee, Florida and redirected login URLs to offshore servers. The banks were Capital City Bank, Wakulla Bank, and Premier Bank.
When the Tallahassee Democrat reporter called me, I made up the attached graph to illustrate connectivity to the servers for those banks. All three banks were served by two servers. Both servers are owned and routed by the same local Tallahassee provider, ElectroNet. Both servers run Microsoft Internet Information Services (IIS). The first story didn't mention these details, but the second story did. The second story quotes the hosting provider as saying that they detected the problem and stopped it within an hour.
This sort of thing should be easy for such providers to detect: just run automated checks frequently that compare the live login URLs, and wherever they redirect, against what they should be. It is, unfortunately, very hard for bank customers to detect, since the bank site looks just like it always did. This scam is rather like the one of several years ago in which crooks made fake ATM front panels that they placed over the real ATMs, so that customers were fooled into thinking there was nothing amiss. The customers even got their money as usual, but the crooks got their information for later withdrawals.
This new scam is like phishing without the intervening electronic mail step. Because it is the bank's own web server (hosted by a third party, in this and no doubt many other cases) that is compromised, the customer has even less reason to suspect anything amiss. Fortunately, it should also be easy for banks or their hosting providers to stop.
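The automated check suggested above, written out as an added example (not the author's code, and not what ElectroNet ran): it assumes the provider fetches each bank's login page periodically and knows the bank's approved hosts in advance. The `examplebank.test` allowlist, the `203.0.113.5` address and the sample HTML are constructed for illustration.

```python
"""Login-page audit: flag redirect targets or form actions that point off
the bank's approved hosts.  Allowlist and sample HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

EXPECTED_HOSTS = {"www.examplebank.test", "online.examplebank.test"}  # constructed

class _TargetParser(HTMLParser):
    """Collects <form action> targets and <meta http-equiv=refresh> URLs."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(("form action", a["action"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            idx = content.lower().find("url=")
            if idx >= 0:
                self.targets.append(("meta refresh", content[idx + 4:].strip()))

def audit_login_page(final_url, html, expected_hosts=EXPECTED_HOSTS):
    """final_url is the URL after the fetch followed HTTP redirects; html is
    the body.  Returns a list of findings; an empty list means intact."""
    findings = []
    host = (urlsplit(final_url).hostname or "").lower()
    if host not in expected_hosts:
        findings.append(f"page served from unexpected host: {host}")
    parser = _TargetParser()
    parser.feed(html)
    for kind, raw in parser.targets:
        target = urljoin(final_url, raw)  # resolve relative actions against the page
        thost = (urlsplit(target).hostname or "").lower()
        if thost not in expected_hosts:
            findings.append(f"{kind} points off-site: {target}")
        elif urlsplit(target).scheme != "https":
            findings.append(f"{kind} is not https: {target}")
    return findings

# Constructed samples: one intact page, one with an injected off-site redirect.
INTACT_HTML = '<form action="https://online.examplebank.test/login" method="post"></form>'
TAMPERED_HTML = ('<meta http-equiv="refresh" content="0; url=http://203.0.113.5/login.php">'
                 '<form action="/login" method="post"></form>')
```

On each scheduled fetch, pass the response's final URL and body to `audit_login_page` and alert on any non-empty result; the tampered sample above yields one finding for the off-site meta refresh.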
The crooks didn't get a lot of money, but they don't have to: if they do this successfully to a few hundred small banks scattered around the world, they can make enough money to retire and disappear. It does provide a sense of déjà vu to see the kind of scam that was predicted in William Gibson's 1985 science fiction novel Neuromancer playing out in the real world. It's taken 20 years, but nowadays we are living in the Matrix.
-jsq
Hi.
I read this article here in Brazil and I want to know whether the problem was caused by an IIS security problem or by peopleware.
Because many times, companies like Microsoft release patches and updates, but the clients don't install them.
Thanks.
Posted by: Herleson Pontes | March 30, 2006 at 09:57 AM
Although I'm very experienced in security and hacking techniques, I'm pretty scared about this. I was expecting an attack like this to come... but now I'm wondering "how can I protect myself from these scams?"
I'm waiting to see how the systems were compromised.
Posted by: Matija Vidmar | March 30, 2006 at 10:07 PM
RE: "how can I protect myself from these scams?"
There's only one solution on the market that will completely protect you from these scams - Comodo's Free Verification Engine www.vengine.com. It works today with 70,000+ banks. Banks can also simply install these Content Verification Certificates to allow their online banking customers to verify legitimate web content by simply mousing over the logo or login box. You can read or inquire about CVCs at www.contentverification.com
Posted by: Andrew Pynes | April 03, 2006 at 11:39 PM