09 January 2006

Fly Phishing

I'd like to pass along a very interesting and informative posting that was made to a business forum that I monitor ...

It pertains to a hacking technique that is as clever as it is diabolical. Anyone who maintains online financial accounts should be aware of it:

"I had my e-gold account hacked and lost a bundle. But I think e-gold has been getting some unfair blame. My first reaction was that it must have been an inside job at e-gold. I felt this because I had to enter an e-gold pin sent to my email as a result of my IP address changing. (If you use a cable modem or a dial up modem your IP address is probably changing frequently...it's called dynamic IP addressing.)

"It seemed like if it wasn't an inside (e-gold) job then someone might be hacking my email as well. Then I figured out how the perpetrator did it. It turned out to be pretty simple and is a technique for which anti-virus, anti-keyloggers, anti-spyware, non-html email, having two computers, virtual keyboards, etc. are no protection.

"The perpetrator was one of the sites I was using (a High-Yield Investment Program, but it could easily have been a surf site). The vulnerability comes from the fact that almost all of these sites branch to e-gold (or other provider) when you buy an upgrade. At that point you are entering your ID and password.

"What the evil site does is they have screens that look exactly like e-gold's screens. So when you think you are branching out to e-gold you are actually branching out to their own site. As soon as they have your password they themselves log on to your e-gold account. Since their IP address is different from the one you last used with e-gold, this generates a changed IP / PIN email to be sent to your email address.

"At that point they also display a copy of the e-gold screen that says you need to enter the PIN. So you go get the PIN from your email and enter it into the bogus PIN entry screen on your computer. The bad guys then have the PIN they need to enter into the true e-gold PIN entry screen on their computer. And 'voilà,' they are in.

"Once they have your account info they can display to you your balance screen and other e-gold screens so that everything looks normal to you. You spend your little $25 or whatever your upgrade is, but it has no effect on your actual account since you are not logged into it. The bad guys then spend all your funds to their e-gold account.

"The way all these sites automatically branch out to e-gold during an upgrade makes this a very widespread vulnerability. There are four things I know of that you can do to help protect you from this kind of attack.

"1. When you are branched out to e-gold during an upgrade, make sure the e-gold URL in the browser's address field starts with https, not http.

"2. Make sure there is a yellow closed-padlock icon in the right hand end of the status bar at the bottom of the browser.

"3. Double click on the padlock icon to view the certificate information. In the 'Issued to' field it should say www dot e-gold dot com and the 'Valid from' field should say 11/22/2004 to 12/1/2006.

"4. If you keep funds sitting in your e-gold account for any length of time set up a second secret e-gold account. Never access this account from a surf, High-Yield Investment Program, or any other site. Only use it by logging directly into e-gold. Then once you have funds appear in your normal e-gold account from a cashout, move it over to your secure e-gold account. Then later right before you buy an upgrade, move the funds from the secure e-gold account to the normal e-gold account. This minimizes the time your funds are exposed in the normal account.

"At the very least do steps 1-3 EVERY TIME you buy an upgrade. A bad site can branch you to the true e-gold screens every time except for the one time they are going to clean you out.

"This doesn't mean you shouldn't follow all of the other measures that have been mentioned elsewhere in this thread like having up-to-date anti-virus, anti-spyware, etc. and even two computers. The above needs to be done in addition to all those.

"I pieced this together on my own from various clues. One important clue was that I happened to notice the loss fairly quickly and noticed that the time stamp of the transaction that cleaned me out was the same time as when I was on the scam site. I also saw that the scam site folded up its operation shortly after that, which helped to confirm who was behind the scam. My day job is programming so I started to think about how I might have done something like this based on the information I had. As I did this it all came together.

"This particular scam site did something else that I'm sure made this much more profitable for them and is something else to be very wary of. First they paid like clockwork. You could request each day's gains and within about two or three hours those gains showed up in my e-gold account. It was a great confidence booster in their program. We tend to think of scam sites as having all sorts of reliability problems leading up to their final exit. However, my experience here points out how a really good scam may try to fake you out by looking very solid. They also gave you bonuses for upgrading your account to higher levels. The higher the level the higher the bonus. This strongly encouraged members to invest more money than they might have otherwise. They also offered a higher interest rate at higher upgrade levels. There are a number of sites out there that do this and it is often a legitimate way to build business. But in this case their motivation and intent were quite nefarious.

"The other thing they did was when you made a withdrawal they required you to spend a tiny amount to them (basically a tiny upgrade), I think it was something like a penny or 5 cents. They said this was a measure they were taking to help ensure that the account they were cashing out to was really your account. That seemed odd to me and as time went by I kept turning that over in my mind to try to figure out how that would accomplish what they claimed it did.

"In retrospect it's clear what they were doing. Normally on a cashout you never even have to branch out to e-gold or whomever. When you register for the HYIP you typically give them your e-gold account and that's all they need to do the spend to your account. However, by requiring a tiny spend each time you cashout, they get you to enter your password during cashouts as well as upgrades. And, if an e-currency provider requires a secondary password to do a spend, then they get that by this process as well. This also plays on the fact that one's guard is probably a little lower during a cashout operation when you are receiving money.

"And here is the coup de grâce. Shortly before they cleaned out my account they announced to all their members that system profits had been so good that they were giving each of their members a $50 bonus. So over the next several hours many members were I'm sure elated to see this unexpected $50 and proceeded to cash it out. So that's when I'm sure the scam site started branching everyone out to the bogus e-gold screens. By using this $50 bonus ruse they got a large number of their members to do the tiny spend within a short period of time. They figured that they had to work quickly before the word got out what they were doing. So after a few hours of draining all those e-gold accounts they closed shop and got out of town...got clean away.

"The beauty of this operation was that you normally only occasionally enter an upgrade, which requires you to enter your password. But by 'training' their users to make frequent, even daily, cashouts and by requiring what amounted to a tiny upgrade to do that cashout, they set everyone up so that in a short period of time a large number of their users would be exposing themselves to the final step of the scam. In a very sick way it was 'magnificent.' Not only did they get away with everyone's bloated upgrades, they also got away with whatever many of them had sitting in their e-currency accounts.

"So another lesson to be learned from this is to watch out for any internet service that 'for security purposes' requires you to make a tiny spend in order to do a cashout. Also be suspicious anytime one of these services gives you an unexpected bonus or benefit. The bonus may be perfectly legitimate, but from now on whenever something like that happens, I immediately start trying to think about how that might be used against me."
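The three manual checks in the quoted post (an https address, a closed padlock, and a certificate whose "Issued to" and validity fields match the real site) can be expressed as code. The block below is an added illustration, not code from the forum poster or from e-gold: it takes a URL plus a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, and reports every mismatch. The sample certificate is constructed with the host name and validity window the post quotes; the times of day, the `e-gold.com` alternative name and the `live_check` helper are assumptions for the example.

```python
"""Programmatic version of the post's steps 1-3: https scheme, the expected host in
the address bar, and a certificate issued to that host and valid right now.

Added illustration. SAMPLE_CERT is constructed in the shape returned by
ssl.SSLSocket.getpeercert(), using the host and dates named in the forum post;
the exact times and the bare e-gold.com alternative name are assumptions."""
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

EXPECTED_HOST = "www.e-gold.com"  # the "Issued to" value the post tells readers to look for

SAMPLE_CERT = {
    "subject": ((("commonName", "www.e-gold.com"),),),
    "subjectAltName": (("DNS", "www.e-gold.com"), ("DNS", "e-gold.com")),
    "notBefore": "Nov 22 00:00:00 2004 GMT",   # 11/22/2004 per the post
    "notAfter": "Dec  1 23:59:59 2006 GMT",    # 12/1/2006 per the post
}


def check_url(url: str, expected_host: str = EXPECTED_HOST) -> list[str]:
    """Step 1: the address must be https AND the host must be exactly the expected one.
    A look-alike such as www.e-gold.com.something.test can carry a valid padlock, so
    the scheme check alone is not enough."""
    parts = urlsplit(url)
    problems: list[str] = []
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, not https")
    if (parts.hostname or "") != expected_host.lower():
        problems.append(f"host is {parts.hostname!r}, not {expected_host!r}")
    return problems


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a host; a wildcard is honoured only as the
    whole leftmost label (*.example.test matches a.example.test, not a.b.example.test)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        host_parts = host.split(".", 1)
        return len(host_parts) == 2 and host_parts[1] == pattern[2:]
    return False


def cert_names(cert: dict) -> list[str]:
    """Names the certificate was issued to: DNS subjectAltName entries, else the CN."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for (kind, value) in rdn
            if kind == "commonName"]


def check_certificate(cert: dict, host: str, when: str) -> list[str]:
    """Steps 2-3: issued to the host in the address bar, and inside its validity window.
    `when` is an ISO-8601 date or timestamp; a naive value is treated as UTC."""
    problems: list[str] = []
    names = cert_names(cert)
    if not any(_name_matches(name, host) for name in names):
        problems.append(f"certificate issued to {names}, not to {host!r}")
    now = datetime.fromisoformat(when)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    elif ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    return problems


def check_upgrade_page(url: str, cert: dict, when: str) -> list[str]:
    """All three checks together; an empty list means the page passed."""
    host = urlsplit(url).hostname or ""
    return check_url(url) + check_certificate(cert, host, when)


def live_check(url: str, timeout: float = 10.0) -> list[str]:
    """Fetch the real certificate for `url` and run the checks (needs network; not run
    in the offline demo below). The default context already rejects names that do not
    match the host, so the added value is pinning the host to EXPECTED_HOST."""
    host = urlsplit(url).hostname or ""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return check_upgrade_page(url, cert, datetime.now(timezone.utc).isoformat())


if __name__ == "__main__":
    # Offline demo on the constructed certificate, dated the day of the blog post.
    for candidate in ("https://www.e-gold.com/",
                      "http://www.e-gold.com/",
                      "https://www.e-gold.com.upgrade-example.test/"):
        print(candidate, "->", check_upgrade_page(candidate, SAMPLE_CERT, "2006-01-09") or "OK")
```

The explicit host comparison is the part the manual padlock check tends to miss: a phishing page can hold a perfectly valid certificate for its own domain, so "https plus padlock" passes while "Issued to" does not. Running `check_upgrade_page` on a look-alike host therefore reports both the wrong host and a certificate issued to a different name.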
