| In a new twist on phishing, savvy would be Internet gangsters have found a new way to phish, with new bait. Internet security company Websense has reported a new twist on phishing that uses the added vector of having users phone a tellephone number to confirm the account information. The main technique used in phishing attacks is of course Social Engineering, that which entices the user to preform some action they feel is safe, and to their benefit. By adding a secondary form of contact via phone, this only gave the users that much more confidence to give out their information. Below is a copy of the initial email: Dear Customer, We've noticed that you experienced trouble logging into Santa Barbara Bank & Trust Online Banking. After three unsuccessful attempts to access your account, your Santa Barbara Bank & Trust Online Profile has been locked. This has been done to secure your accounts and to protect your private information. Santa Barbara Bank & Trust is committed to make sure that your online transactions are secure. Call this phone number (1-805-XXX-XXXX) to verify your account and your identity. Sincerely, Santa Barbara Bank & Trust Inc. Online Customer Service Upon phoning they were greeted by a recording that instructed users to enter their 16 digit account number, and as the recording does not sound complete, we would also guess that users we asked to provide a PIN number as well. The attackers did not even need to set up a sophisticated system, as the decoding of the tones inputed are easily decoded back into real numbers. As more Internet users are [slowly] starting to become aware of phishing style of attacks, we belive we will see more of this "double-edge" attack to become more prevalent.
|
