Phishing messages are becoming increasingly personalized in attempts to convince the recipients to trust originators of the messages. A phishing email recently submitted to us illustrates this trend. In this case, the message that arrived in the victim's inbox included the person's full name and postal address:
The message masqueraded as a CitiBusiness alert. The "click here" link led to a fraudulent website hosted at citibusinessonline.da.us.citibank.com.citionline.ru. The whois record for citionline.ru indicated that the Russian domain was registered a few days prior to the attack.
Where does the personal data come from? In this incident, this victim rarely used his/her full name online, and the name was not included in phone directories. It is possible that the scammer obtained the data from diverse sources and was able to link the fields (name, email address, and postal address) together. More likely, the data originated from a website that stored billing details or from a compromised credit card processor. Yet another possibility is that the scammer purchased the data from legitimate consumer data providers. Even if the scammer was not certain that the victim's records were correct, even a small number of matches would increase the number of fooled victims.
If you were wondering what awaited the victim at the website set up for the phishing attack, wonder no more:
Mimicking the real CitiBusiness Online website, the phishing site allowed the victim to enter his/her Business Code by clicking on images of numbers in the form. The URL that brought the person to the fraudulent site included a unique identifier that allowed the site to track email recipients. It is possible that the identifier was used to pull up the victim's records from the fraudulent site's database; another possibility is that the victim's name and address were actually encoded in the URL string. As a result, two screens later, the victim was presented with his/her postal address and full name without having to supply them to the site:
After allowing the victim to correct the address, the site prompted the person for additional sensitive information, such as date of birth, social security number, and mother's maiden name:
We reported this phishing attempt to Anti-Phishing Working Group and Citibank. If you have witnessed highly-personalized phishing scams of this nature as well, please send us the details.
This note incorporates comments from several ISC handlers. I am very grateful for their contributions.
Mar 16th 2006
1 decade ago