Wednesday, December 22, 2010

A Clever Phising Attempt?

There are a couple of hard and fast rules of the interweb I like to teach my less-than-tech-savy family and friends that can keep them out of a lot of trouble. Things like making sure that the website you're typing your e-mail address and password into is the actual website you're logging into. You can't trust the look of the site, you need to look at the URL, especially if you got to the page through a link. Also don't respond to unsolicited messages asking for any kind of account or personal information, even if they look reputable. These are the types of things that phishers catch unsuspecting internet users in all the time, and unfortunately they're very effective. A while ago I received a phishing attempt that was a bit more clever than the standard Prince of Nigeria story, but even those basic rules were plenty to foil it.
XKCD tells it like it is.
Click to enlarge.

I got a phone call from an unknown number, which I naturally let go to voicemail. I later listened to it just in case it was someone actually trying to get a hold of me from some strange phone system; mostly I expected it to be another telemarketer. To my un-amazement it was a computerized voice, just like the majority of the other telemarketers that have called. It claimed to be calling on behalf of Best Buy reminding me that I had some kind of "reward points" that I needed to redeem before they expire, and all I needed to do was go to my reward zone dot com and create an account. Immediately there were red flags, alarm bells, and just about every other cautionary type of signal being emitted from the rational part of my brain; it was obviously a phishing attempt. Here are the red flags my brain threw up as I listened to the message:

First, the computerized voice. There are some legitimate circumstances in which a reputable organization would make an automated call using a computerized voice. For instance, a doctor's office calling to remind you of <your name>'s upcoming appointment on <date and time of appointment>. You see, they could have a computer program working with their appointment database which calls each appointee a couple days before their appointment automatically. Because the <your name> and <date and time of appointment> need to be filled in for each phone call, it would be impossible for a person to prerecord the messages, requiring a computer to read an automatically generated message. Other than circumstances like that though, the computerized voice probably has a more nefarious purpose, like a mass distributed spam message. This certainly wasn't a call from anything like a doctors office, it was supposedly coming from a commercial company which, best case scenario, would be trying to sell me something. Any company worth my time isn't going to have an automated voice call me and try to sell me something, let alone tell me that they would be needing my personal information. And maybe my standards for trust are unreasonably high, but a computerized voice needs to do more than just claim to be calling on behalf of a reputable company for me to start taking orders from it.

Second, the voice claimed to be calling from Best Buy, but I could think of no reason that Best Buy would need to contact me by phone, and I don't even remember giving them my phone number. I hadn't even bought anything at Best Buy in over a year. And why would a reputable company like Best Buy be calling me with a computerized voice? Don't they have employees who speak English and are capable of recording a real-life human voice message, giving the message at least a modicum of credibility? I don't believe for a second that Best Buy is resorting to these kinds of marketing tactics.

Third, the URL that the message gave me didn't even have "Best Buy" anywhere in it. I would expect a phisher to have at least obtained a URL like "" or something, at least giving the illusion that the website was associated with the actual Best Buy. It was like they weren't even trying.

Some of the common ways to
identify a phishing attempt
Here's what I think happened. A phisher made a website to look like it was a part of Best Buy's website which would ask for some personal information (e-mail, name, address, phone number, maybe even credit card). They got it hosted at my reward zone dot com because it was the most Best Buy sounding URL they could get, even though it wasn't very good. Then they wrote what would appear to be an official message from Best Buy, telling people to go to my reward zone dot com to collect some rewards. They didn't read out loud and record it, that would be too much work. The phisher's voice probably wouldn't sound right, and if he was caught the voice in the message could possibly be traced back to him. So instead, he had a text-to-speech function on the computer do it. Once it was recorded, he paid a black-hat marketing company to play the message to a bunch of phone numbers. All he had to do was wait, and personal information would come rolling in. And if you didn't know, personal information is very valuable to both legitimate and illegitimate internet marketing companies, and even more valuable to people who steal identities.

Out of morbid curiosity I went to the site to see what kind of phishing attempt was going on. Maybe I would take a screenshot and post it to my facebook to warn my less-technical friends about the lame phishing attempt going around.

What I found at the site absolutely disgusted me. I was absolutely shocked and appalled. The site...I can't even say it... The site was actually Best Buy. It was actually Best Buy's reward zone website, and the phone message was legitimately trying to remind me that I had reward points from a laptop I had purchased a while ago. It was worse than the phishing attempt I had expected. Much worse. It was like Best Buy was part of some collusion to legitimize phishing techniques. In the world of mainstream internet usage, there are a few bad habits that get people into a lot of trouble, and it's like Best Buy just validated all of them.

Imagine a unkempt, heavyset, 50 year old man driving an old beat up van. The windows of the van are blacked out, and he's driving through a nice suburban neighborhood where he stands out, and nobody recognizes him. He pulls up to a local park where children are playing...and waits. Some kids are playing hide and seek, and eventually one of the unsuspecting children finds a hiding spot near the van; completely unaware of the man who is intently watching. The man quietly slides the door open and whispers, "psst... hey kid!" The kid looks over quickly, startled to realize that someone is watching him. "I've got some candy over here in my van" the man continues, "do you want some?" "Awesome!" the kid thinks to himself as he starts to walk over, "I love candy!" The man hands him a bag of his favorite candy and says, "Alright, have fun playing hide and seek!" The man drives off, leaving the kid content with his new candy.

That's what Best Buy just did to internet users.

Best Buy is a pedophile-looking old man in a beat up van waiting outside of a park, giving kids candy. I'm trying to be the responsible adult, teaching kids how not to get abducted, and Best Buy just messed it all up.

No comments:

Post a Comment