Shostack + Friends Blog Archive


Phriday Phish Blogging: Randomly Flagged


One of the things I really appreciate about phishing is that we pay people to discover the zeitgeist and share it with us.

There’s little spam advertising fallout shelters or other ways to deal with the Red Menace. I rarely see advocacy about bimetallism in the currency in my inbox. We see what we see because spammers and phishers are motivated to get our attention. They do it by constructing plausible subject lines, like “Ebay question from seller,” or, in the case of this week’s Phriday Phish, “Security Measures. Your account has been randomly flagged !” That was the subject, here’s the text:

Flagstar Bank Security Measures.

Dear Flagstar Bank Member,

Your account has been randomly flagged in our system as a part of our routine
security measures. This is a must to ensure that only you have access and use of
your Flagstar Bank account . experience. We require all flagged accounts to
verify their information on file with us. To verify your information at this
time, please visit our secure server webform by clicking the link below:
http://0xd2.0xFF…./cgi/ [URL edited for safety.]

I love how they claim your account was randomly flagged. It’s as if people are expecting the computers to spew garbage like this.

And dig that URL! Why are banks sending email that, to a normal person, looks like that? How well can we train the public to be confused?
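The host in that URL is an IPv4 address written as hexadecimal octets, a form browsers accept (along with octal and plain-integer spellings) and almost nobody can read. As an added example that is not part of the original post, the Python below normalizes such numeric hosts to dotted-quad form and flags URLs that use them; every URL in it is constructed, with a private address standing in for the one the post redacts, and the bank-like hostnames are made up.

```python
import re
from urllib.parse import urlsplit

# Browsers accept an IPv4 host written as one to four dot-separated parts,
# each decimal, octal (leading 0) or hex (0x prefix), with the last part
# covering the remaining bytes. This mirrors the classic inet_aton() rules.
_PART = re.compile(r"^(?:0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def parse_numeric_host(host):
    """Return the dotted-quad form if host is a numeric IPv4 host, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = []
    for p in parts:
        if p.lower().startswith("0x"):
            values.append(int(p[2:], 16))
        elif len(p) > 1 and p.startswith("0"):
            values.append(int(p, 8))
        else:
            values.append(int(p, 10))
    # Leading parts are single bytes; the last part fills whatever is left.
    head, last = values[:-1], values[-1]
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    packed = (packed << (8 * (4 - len(head)))) | last
    return ".".join(str((packed >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify_url(url):
    """Return (flagged, reason): flagged when the host is a numeric IP."""
    host = urlsplit(url).hostname or ""
    quad = parse_numeric_host(host)
    if quad is None:
        return False, "hostname %s" % host
    return True, "numeric host %s is %s" % (host, quad)


# Constructed sample links (not from the post): four spellings of the same
# private address, plus two ordinary hostnames this check must leave alone.
SAMPLE_URLS = [
    "http://0xc0.0xa8.0x00.0x01/cgi/",      # hex octets, like the phish
    "http://0300.0250.0.1/cgi/",            # octal octets
    "http://3232235521/cgi/",               # single decimal integer
    "http://0xc0.0xa80001/cgi/",            # mixed: one byte, then the rest
    "http://www.flagstar.example/",         # ordinary hostname (made up)
    "http://links.bankmail.example/l/abc",  # made-up tracking host
]


def demo(urls=SAMPLE_URLS):
    """Classify each URL and return the (url, flagged, reason) triples."""
    return [(u,) + classify_url(u) for u in urls]


if __name__ == "__main__":
    for url, flagged, reason in demo():
        print("%-5s %s  (%s)" % ("PHISH?" if flagged else "ok", url, reason))
```

The four flagged forms all decode to 192.168.0.1, which is the point: the obfuscation costs the phisher nothing and the reader cannot tell one spelling from another. A numeric host is a cheap, low-false-positive signal; the tracking links Justin Mason describes in the comments below are a separate problem, since they have real hostnames and this check would pass them.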

Photo: Mackrel, by Marainne.


3 comments on "Phriday Phish Blogging: Randomly Flagged"

  • Justin Mason says:

    Banks _ARE_ sending URLs like that, that’s the problem! We regularly have to ditch promising phish-detection rules in SpamAssassin because they match the cruddy “link-tracking” URLs the banks send out.

  • Sid says:

    It gets even worse when banks hire third-party marketing firms to manage communication with their clients! I have seen quite a few emails from domains not my bank’s, and they are legit.
    It gets even better when they say “click this link and fill out a short survey for a $100 credit to your account.” (Chase bank has done this.) The URL is never at (always the marketing firm), so it looks shady. Here the banks are training people to fall victim to phishing!
    Click here for another “training” email from a bank…

  • Iang says:

    There is a valid use case in the governance world where random accounts are selected and probed. Of course, if we knew this, then it would be easy to craft defences against this being abused by phishers … the problem is that the users don’t know it and aren’t easily able to work it out.
