The attack is evident from start to finish

Mar 21, 2015 09:11 GMT  ·  By

There are evident tells when it comes to phishing attacks, but cybercriminals don’t seem to mind them, which is a great thing for the targets.

A fresh operation recently detected by security researchers aims at stealing sensitive financial information from the clients of Bank of America, but the amount of data demanded from the potential victim is bound to raise the alarm.

Too much information

A web page impersonating the bank’s site has been set up by the crooks, claiming that online banking information needs to be verified in order to re-activate the allegedly suspended account.

The user is instructed to download a file to complete the task, but pushing the button redirects to a different website, which contains forms for collecting the confidential details.

This behavior should raise suspicions from the get-go, but if the process is continued, the fact that all the data necessary for securing the account is requested should be reason enough to abandon the task.

Christopher Boyd from Malwarebytes says that the crooks ask for the username and password of the banking account, name, date of birth, social security number, driver’s license number, as well as the credentials for the email account.

Card data also requested, some images on the site are broken

“That’s not all,” he says in a blog post, “there’s also 3 security questions and payment information / address to complete the carefully laid out steps.”

Payment information includes CVV (card verification value), card number and its expiration date, all sufficient for making fraudulent purchases at most online shops.

In short, the crooks ask for all the information needed to take over the account, or at least to attempt it.

Banks already have all these details and would not run these checks online. Moreover, the verification procedure does not ask for card data, since this is issued by the bank itself and associated with client information; also, email credentials have absolutely no role in a bank's checking someone's identity.

The researcher points out that some of the images on the website are broken, also a reason for alarm, and that none of the URLs look similar to those of Bank of America.

Some of the web browsers have already picked up the phishing website and flag it as such, in order to prevent users from accessing it.
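The tells described above (forms hosted off the bank's domain, and requests for email credentials and card data that a bank has no reason to ask for) can be checked mechanically. The following is an added example, not code from the article or from Malwarebytes; the keyword lists, the `bank.example` allow-list and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Data category -> substrings looked for in field names (constructed heuristic list).
KEYWORDS = {
    "bank_login": ("userid", "username", "passcode"),
    "identity": ("ssn", "social", "dob", "birth", "license"),
    "email_login": ("emailpass", "email_pass", "mailpass"),
    "card": ("cvv", "cardnum", "card_num", "expir"),
    "security_qa": ("question", "answer"),
}
NEVER_ASKED = {"email_login", "card"}  # per the article, a bank has no reason to ask

class FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions, self.fields = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.fields.append(a["name"].lower())

def on_allowlist(host, legit_domains):
    # Exact match or true subdomain only; "bank.example.evil.test" does not pass.
    return any(host == d or host.endswith("." + d) for d in legit_domains)

def assess(html, page_url, legit_domains):
    p = FormCollector()
    p.feed(html)
    cats = {c for c, words in KEYWORDS.items()
            for n in p.fields if any(w in n for w in words)}
    # Hosts involved: the page itself plus every form target (relative actions resolved).
    hosts = {urlparse(urljoin(page_url, a)).hostname or "" for a in p.actions}
    hosts.add(urlparse(page_url).hostname or "")
    tells = []
    if any(not on_allowlist(h, legit_domains) for h in hosts):
        tells.append("off_domain")
    if cats & NEVER_ASKED:
        tells.append("asks_for_" + "+".join(sorted(cats & NEVER_ASKED)))
    if len(cats) >= 4:
        tells.append("over_collection")
    return {"categories": sorted(cats), "tells": tells}

# Constructed sample pages (hosts and field names are invented for illustration).
PHISH = ('<form action="http://collect.example/step2.php"><input name="userid">'
         '<input name="passcode"><input name="ssn"><input name="email_password">'
         '<input name="card_number"><input name="cvv"><input name="question1"></form>')
LEGIT = '<form action="/login"><input name="userid"><input name="passcode"></form>'
```

Calling `assess(PHISH, "http://verify.example/boa/", ["bank.example"])` reports all three tells, while the two-field `LEGIT` form served from a subdomain of the allow-listed domain reports none.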

BoA phishing page (3 images):

Initial page asking for verification
Email credentials are not needed by the bank
Card data can be used for fraudulent online transactions