Brilliance Appreciated! – BSA Examiner Newsletter

/ Bank Secrecy Act, BSA Examiner Newsletter, Phishing / By

Your bank’s card processors probably depend on a web security service.  Will it catch more recent card number phishing attempts, such as this one? This is re-posted from the BSA Examiner Newsletter, 2024 Q3.

My wife was expecting a package from Damon and Draper (a woman’s clothing retailer). A few days after the package was scheduled to arrive, she received an email stating that a delivery error resulted in the package being sent to the Postal Service Delivery Resolution Center (PSDRC). The email appeared to come from DHL Express. We checked the tracking number, and the USPS website confirmed that the package was at the PSDRC.

Why are we writing about an errant package delivery, you ask? Let us please explain.

  1. It’s likely the package was correctly delivered, on the scheduled day. However, before we could retrieve the package from our mailbox someone took it.
  2. The person who took the package didn’t want the contents. In fact, the thief likely dropped the package in a mail collection box later that same day.
  3. So, why was the package stolen if the contents weren’t taken? It’s because the thief wanted to send my wife an email, where she could see that her package was being held at the PSDRC and would be delivered in 7-10 days.

    However, the email explained that expedited delivery could be had for a fee of $0.58. A link to pay the fee was in the email.

    Note: some people may be wondering how the thief got my wife’s email address. Well ma’am and sir, if I have your name and street address, I can legally buy a list of your commonly used email addresses. Marketing firms will sell you 2,000 email addresses, based on someone’s name and street address, for $200 (or $0.10 per person).

Back to our story: needless to say, we were dubious of the email that appeared to have come from DHL Express.

  1. Yes, it did correctly show that our expected package was at the PSDRC.
  2. And the URL for the optional fee-payment web site began with HTTPS (which means it had a legitimate security certificate, as required by Microsoft and Google).
  3. But the whole thing didn’t feel right.
    • We had no way of contacting USPS to ask if DHL delivers misrouted packages.
    • Also, $0.58 seemed like a low amount for a service requiring this much work.
    • So, we used the Internet to see what we could learn about the optional payment web site.
      • Of the five Web Security Services (WSS) we checked, four said the URL had a good reputation.
      • The fifth WSS said the same thing, but it also noted that the URL had only been in existence for four (4) days.
      • At this point, we checked to see where the web site was located (which you can do at https://check-host.net). The site was hosted on a server in Hong Kong.

So, to surmise, a web site that was four days old and located in a communist country wanted us to enter our credit card information to pay a fee of $0.58, so that my wife could get prompt delivery of her new clothes.

  1. Now, most people would stop at this point — but not us. We wanted to see what happened next, so we entered our credit card information.
    • The site quickly came back with a message saying, “We’re sorry, Citibank is currently off-line. Please enter another card (may we suggest American Express).”
    • We don’t have an AmEx card, so we tried to pay the $0.58 bill with our Discover Card—only to learn that Discover was also off-line (what are the odds?)
  2. We immediately closed the website. My wife called Discover, and I called Citi.
  3. Both Citi and Discover informed us that a request had already been made to link our cards to a newly established Apple Pay account. The requests were denied.

    It took less than two minutes for the hackers to try and link our credit cards to their new Apple Pay account.
  4. We hate hackers, but we were impressed with the sophistication of this scheme. But having said that, we were more impressed with the brilliance of the security staff at Citi and Discover. Great job folks!

Bottom line: if your bank issues credit cards, we recommend you assess how your servicer handles a situation like this. Also, if your bank’s web site has a link to a Web Security Service (and many do), we recommend you evaluate it for reliability. If age and server location don’t factor into a web site’s rating, we recommend finding a new WSS.