The folks at F-Secure alert us to an interesting phishing technique. Phishing, for the non-techies reading, is the practice of sending email that tries to get you to respond (usually by visiting a web site) and hand over personal information: login credentials, account information, social security numbers, and the like. You’ve seen the email, with dire warnings that your bank account will be frozen unless you click immediately on the link they provide, and log in to clear up some “problem”. What you actually do is give them the information they need to log into your account.
In this variation, the phishers are trying a new ploy to suck you in, and adding a nasty mechanism to install bad software on your computer:
From: Clients support team
Subject: Comerica Bank - Significant information for our clients.
Client authentication using digital certificates in COMERICA BANK®
Comerica.com site has requested that you identify yourself with a certificate.
The next step in the transformation of Comerica Online is Digital Certificate (DC) access.
This DC will allow you to access Comerica Bank and other online services through a single sign-on.
All users will be notified and transitioned to the new URL between April 2008 and October 2008.
Please register your DC account and use our servcies safely.
2008 Comerica Bank. All rights reserved.
The link (which is disabled in the text above) takes you to a web page that “explains” what you have to do, and it involves running a “DC Loader Wizard”... which, of course, installs their malware — spyware that records what you do on your computer, including any login credentials that you use later today, or next week, or next month. In other words, it’s a phish that stays around and keeps on stinking.
Now, ignore the awkward phrasing of the message, and raise your hand if you’d give this concept at least a modicum of credibility in your mind — the idea that your bank might switch to certificate-based authentication, in order to improve security. Is your hand up? Mine is.
Now, that doesn’t mean I’d have been caught by this; I wouldn’t, but more on that later. What it does mean is that these phishers have gone away from the scenario that we’ve well learnt not to trust. They aren’t asking for personal information, they’re not asking us to log on.
Instead, they’re asking us to do something that we’ve heard is good for security. Almost. The trick, of course, is getting us to install software — even software that calls itself a “DC Loader Wizard” — from an untrusted source.
And that’s where they wouldn’t catch me, and shouldn’t catch you. The core bit of advice that’s operative here is that you never, for any reason, visit a “trusted” web site through a link in email. Keep bookmarks in your browser for those things — your banks, your credit cards, your social networking sites, your email accounts — and use your own, trusted and tested links for them, always. Or else type them in by hand. Then you know where you’re going.
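One way to turn that advice into a mechanical check, as an added example rather than anything from the original post: compare every link in a message against the hosts you have bookmarked for the institution the message names, and flag the rest. The bookmark table, the sample message and the placeholder link domains below are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Bookmarks the user keeps for their institutions (constructed sample).
# Only hosts listed here count as "your own, trusted and tested links".
TRUSTED_BOOKMARKS = {
    "comerica": {"comerica.com", "www.comerica.com"},
}

# Matches http/https URLs up to the next whitespace or quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def brands_mentioned(text):
    """Return the bookmarked brands whose name appears in the message."""
    lowered = text.lower()
    return {brand for brand in TRUSTED_BOOKMARKS if brand in lowered}


def host_matches(host, trusted_hosts):
    """True if host is a trusted host or a subdomain of one.

    The suffix check must include the leading dot: a look-alike such as
    www.comerica.com.example merely contains the brand and is NOT trusted.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def suspicious_links(email_text):
    """Return links whose host is not a bookmarked host for any brand the message names.

    A message naming no bookmarked brand yields no verdict (empty list).
    """
    brands = brands_mentioned(email_text)
    trusted = set().union(*(TRUSTED_BOOKMARKS[b] for b in brands)) if brands else set()
    flagged = []
    for url in URL_RE.findall(email_text):
        host = urlparse(url).hostname or ""
        if brands and not host_matches(host, trusted):
            flagged.append(url)
    return flagged


# Constructed message modelled on the phish quoted above; the link domain is a placeholder.
SAMPLE_PHISH = """\
Subject: Comerica Bank - Significant information for our clients.
Comerica.com site has requested that you identify yourself with a certificate.
Please register your DC account: http://dc-register.comerica-online.example/loader
"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_PHISH))
```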
And when you get there and you don’t find anything about digital certificates or a DC Loader Wizard, say “Mmm, hmm....”