The social-engineering ingredients of the e-mail that announces this piece of cybercrime are the classic ones: an apparently casual reference to security, a threat disguised as friendly advice (this time not the blocking of the account but the more mysterious “further actions taken by our security department”) and a graceful invitation for the recipient to reveal his or her credentials (here a clear illustration of the minimalist style: “please identify yourself”).
Fig. 1 The phishing bait, a classic example of the genre
If recipients give in to the charm of this letter and follow the provided link, they land on a fake web page that asks for considerably more than a password: not only their date of birth, but also their social security number. Enough to make them the phisher’s best friends, and considerably poorer ones.
Fig. 2 Fake web page used for illegal data collection
Once the coveted data has been delivered, the victims are redirected, ironically enough, to the genuine HSBC online security page, which leaves them with no immediate sign that anything went wrong.
So far, nothing out of the ordinary. However, when the bait is unremarkable you need to cast a wider net, and that seems to be the strategy behind this highly productive phishing scam.
According to BitDefender Monitoring Systems, several HSBC-related spam “waves” have reached significant proportions this week (March 25th to March 31st). Yesterday evening, for example, a rate of 60 such spam messages per minute was observed, from which it can be inferred that an enormous quantity of spam targeting HSBC customers has been delivered globally.
BitDefender’s statistics also show the scale of this phishing campaign: the HSBC brand ranks second in this week’s Top 10 Phishy Brands, with almost a quarter of the phishing URLs imitating that of the official HSBC site.
It should be mentioned that HSBC is making every effort to deter this kind of attack and to inform its customers about the clues by which they can identify phishing e-mails. If you have any doubts about the legitimacy of an e-mail apparently sent by HSBC, please forward it to firstname.lastname@example.org
To avoid becoming a victim of phishing attacks, follow the common-sense tips below:
- Make sure your antiphishing filter and any other security applications or suites are activated before browsing to your e-banking account.
- Ideally, install, activate and keep updated a reliable security solution, such as BitDefender Total Security 2010.
- Make sure that the e-banking Web site uses SSL (Secure Sockets Layer) encryption and proper authentication: look for the "https" prefix and the locked padlock, and check that the domain in the address bar really is the bank’s own (a brand name appearing somewhere inside a longer address, such as in a subdomain of an unrelated site, is not enough). If the browser asks you to accept a certificate for the session, check that the name on the certificate matches the name of the institution you wish to deal with and that the certificate is signed by a known Certificate Authority such as Thawte™ or VeriSign® before accepting; a certificate warning on a bank’s login page is in itself a reason to stop rather than proceed.
- Avoid using a non-secured computer (such as a friend’s desktop or a colleague’s laptop). If you are forced to do so, at least run BitDefender’s advanced on-line scanning tool, Quick Scan, before proceeding.
- Do not check your e-banking account from public computers connected to the Internet (such as those in a library or Internet café).
- If you use a wireless connection, make sure that it is secured and encrypted and that you know and trust the owner of the access point; refrain from using an unsecured public wireless connection (such as those in airports or hotels) when banking over the Internet. If forced to do so, use an on-screen (virtual) keyboard to enter sensitive data. Although not 100% bulletproof, this technique guards your data against basic keylogger applications.
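As an added, illustrative example (not code from BitDefender or HSBC), the script below applies the address checks from the tips above to the links in a constructed phishing e-mail: it flags links that are not https, links that hide the real host behind a "user@" prefix, raw IP addresses, and hosts whose registrable domain is not the bank’s own even when the brand name appears inside them. The domain allow-list, the small suffix table, the sample e-mail and every address in it are assumptions made for the example; only www.hsbc.com is a site named in the article.

```python
import re
from urllib.parse import urlparse

# Assumption: the bank's legitimate registrable domains. Only hsbc.com is
# named in the article; hsbc.co.uk is added here purely for illustration.
LEGIT_DOMAINS = {"hsbc.com", "hsbc.co.uk"}

# Tiny stand-in for the Public Suffix List, enough for the samples below.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Registrable domain (eTLD+1) of a hostname, e.g. www.hsbc.co.uk -> hsbc.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url):
    """Return the reasons a link looks like phishing bait; an empty list means it passed."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        reasons.append("not https")
    if "@" in parsed.netloc:
        # http://www.hsbc.com@203.0.113.5/ really connects to 203.0.113.5
        reasons.append("user-info before the real host")
    if IPV4_RE.match(host):
        reasons.append("raw IP address as host")
        return reasons
    if host and registered_domain(host) not in LEGIT_DOMAINS:
        reasons.append("host %s is outside the bank's registered domains" % host)
        if "hsbc" in host:
            reasons.append("brand name used as a decoy inside a foreign domain")
    return reasons


def scan_email(html):
    """Map each link target in an HTML e-mail to its list of warning reasons."""
    findings = {}
    for href, text in LINK_RE.findall(html):
        reasons = classify_link(href)
        shown = text.strip()
        # Classic bait: the visible text is the real bank URL, the target is not.
        if shown.startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname or ""
            if shown_host != (urlparse(href).hostname or ""):
                reasons.append("displayed URL differs from the actual link target")
        findings[href] = reasons
    return findings


# Constructed sample e-mail in the style of the bait described in the article.
SAMPLE_EMAIL = """
<p>Dear HSBC customer,</p>
<p>For your security, please identify yourself at
<a href="http://www.hsbc.com@203.0.113.5/identify">https://www.hsbc.com/1/2/online-security</a>
or at <a href="https://www.hsbc.com.security-check.example/identify">HSBC Online Security</a>.
Otherwise further actions will be taken by our security department.</p>
<p>Genuine reference: <a href="https://www.hsbc.com/1/2/online-security">HSBC security page</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "OK" if not reasons else "; ".join(reasons))
```

Running it prints each link with its verdict: the genuine link passes, the "user@" link is flagged for all four reasons, and the look-alike subdomain is flagged for living outside the bank’s domain. These checks are heuristics: the small suffix table should be replaced by the real Public Suffix List, and passing them shows only that the address belongs to the bank’s domain, not that the page behind it is genuine. A phisher can obtain a perfectly valid certificate for a look-alike domain of their own, which is why the domain itself, not the padlock alone, is the thing to check.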
The information in this article is available courtesy of Daniel Dichiu, BitDefender Online Threats Researcher.