Compromised sites used as hosts and redirectors

Jul 16, 2010 17:36 GMT

Security researchers at ScanSafe, the Web security provider now owned by Cisco, warn that the latest phishing campaign targeting Bank of America customers is being served from compromised legitimate websites. The aim is to evade URL reputation filters, which have no reason to block domains with a long clean history.

The rogue email message is correctly spelled and well written. It tries to trick recipients by claiming that their bank account has been locked after repeated failed login attempts, and it threatens that the account will be suspended indefinitely unless they "verify" their account details by filling in a form.

“Dear Bank of America Customer,

We recently have determined that different computers have logged in your Bank of America Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by July 31st, 2010, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner. In order to confirm your Online Bank records, we may require some specific information from you.

To restore your account, please Sign in to Online Banking.”

The ScanSafe researchers point out that the "Sign in to Online Banking" link leads to a page on gramsbbq.org. That is not an attacker-registered domain, however, but the compromised website of a barbecue restaurant in Riverside, CA, called Gram's Mission Bar-B-Q Palace.

The page on gramsbbq.org redirects visitors to the actual phishing page at http://www.chasingarcadia.com/channel/safe.sslbankofamerica.com/index.htm. This is not a phishing domain either: it is the website of a Canadian rock band called Chasing Arcadia. Note where the brand name sits in that URL. The string safe.sslbankofamerica.com is a directory in the path, not the hostname, so a user who only glances at the address bar sees something that looks like a Bank of America server, while every reputation lookup is answered for chasingarcadia.com.

“This use of compromised sites as redirectors and phishing hosts enables the attackers to bypass reputation filters and/or community-based trust reporting. And it increases the collateral damage, because if/when the compromised sites are blacklisted, those businesses could suffer as a result,” Mary Landesman, a senior security researcher at ScanSafe, explains.
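The two tricks described above, a redirect hop through an unrelated legitimate domain and a brand-lookalike hostname buried in the URL path, are both visible from the URLs alone, which is how an analyst or a mail gateway can catch them without trusting domain reputation. The following Python script, added here as an illustration and not ScanSafe's or Cisco's code, walks a redirect chain offline and flags each hop. The two hostnames and the chasingarcadia.com path are taken from the article; the landing path on gramsbbq.org is not given in the article and is an assumed placeholder, and the redirect map stands in for the HTTP or meta-refresh redirects a real crawler would follow.

```python
from urllib.parse import urlsplit

# Redirect map standing in for the hop the article describes. The two
# hostnames and the chasingarcadia.com path come from the article; the
# path on gramsbbq.org is not given there and is an ASSUMED placeholder.
REDIRECTS = {
    "http://gramsbbq.org/assumed/landing.html":
        "http://www.chasingarcadia.com/channel/safe.sslbankofamerica.com/index.htm",
}

# Brand being impersonated and the domains it legitimately owns.
BRAND_TERMS = ("bankofamerica",)
BRAND_DOMAINS = {"bankofamerica.com"}


def registrable_domain(host):
    """Last two DNS labels. Good enough here; production code should use
    the Public Suffix List so that names like example.co.uk are handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def follow_chain(start, redirects, max_hops=10):
    """Walk the redirect map from `start`, stopping at a loop or the hop cap."""
    chain = [start]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:          # redirect loop: stop rather than spin
            break
        chain.append(nxt)
    return chain


def analyse_url(url):
    """Return (registrable_domain, findings) for a single URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    rd = registrable_domain(host)
    findings = []
    if rd not in BRAND_DOMAINS:
        for term in BRAND_TERMS:
            # Brand name inside a hostname the brand does not own
            # (e.g. safe.sslbankofamerica.com as a real host).
            if term in host.lower():
                findings.append(
                    f"brand term '{term}' in host {host} (registrable domain {rd})")
            # A dotted, brand-bearing path segment reads like a hostname to a
            # user skimming the address bar; this is the
            # /channel/safe.sslbankofamerica.com/ trick from the article.
            for seg in parts.path.split("/"):
                if "." in seg and term in seg.lower():
                    findings.append(
                        f"hostname-like path segment '{seg}' under {rd}")
    return rd, findings


def analyse_chain(start, redirects=REDIRECTS):
    """Follow the chain and aggregate per-hop findings into one report."""
    chain = follow_chain(start, redirects)
    per_hop = [analyse_url(u) for u in chain]
    domains = [rd for rd, _ in per_hop]
    findings = [f for _, fs in per_hop for f in fs]
    return {
        "chain": chain,
        "domains": domains,
        # Crossing registrable domains on the way to a login form is
        # context (CDNs do it too); the brand findings carry the verdict.
        "crosses_domains": len(set(domains)) > 1,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    report = analyse_chain("http://gramsbbq.org/assumed/landing.html")
    print(" -> ".join(report["domains"]))
    for finding in report["findings"]:
        print("  !", finding)
```

Run against the article's chain, the script reports the hop from gramsbbq.org to chasingarcadia.com and flags the hostname-like path segment on the final page; a genuine https://www.bankofamerica.com/ URL produces no findings because its registrable domain is on the allow-list. The same check generalises to the case where the lookalike is a real hostname (safe.sslbankofamerica.com served directly), which is caught by the host rule rather than the path rule.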