Phishing for Banking Information

    Published: 2024-12-27. Last Updated: 2024-12-27 10:25:02 UTC
    by Guy Bruneau (Version: 1)
    Keywords: Phishing, Banking, Exploit

    It is again the time of the year when scammers are asking to verify banking information, whether it is credit cards, bank cards, package shipping information, winning money, etc. Last night I received a text message to verify a credit card, in this case a Bank of Montreal (BMO) credit card.

    According to the scam alerts page on the Bank of Montreal (BMO) website, BMO uses a specific SMS number to send texts to its consumers: "The only BMO Alert you will receive on your mobile device via SMS regarding your accounts and credit cards will come from our 6-digit number “266898.” Our code never changes, so use this code to determine if it is BMO messaging you." [1] It is important to know how a bank will contact you by SMS. This is a copy of the text I received.

    Is it Phishing? Any Suspicious Clues that Stand Out?

    • The text I received was from a (438) area code and not from BMO; that is the first error.
    • The second error is the card number "Starting in 5510 29**"; normally it is the last 4 digits of the card that appear on statements, not the beginning.
    • The last clue is the website, which contains spelling errors: bmo-securltyverlfy1[.]com [4]. The domain is spelled with the letter "l" in place of the letter "i". This domain was registered on 2024-12-11 [5], just in time for the holiday season.
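
    The three clues above can be checked mechanically. The following is an added example, not code from the diary or from BMO: it tests the sender against the published short code, flags a card shown by its leading digits, and maps lookalike characters back before searching the domain for brand keywords. The official-domain set, keyword list, confusable map and both sample messages are assumptions constructed for illustration.

```python
import re

# Assumptions: the short code is the one BMO publishes (quoted above); the
# official-domain set, keyword list and confusable map are illustrative only.
BMO_SHORT_CODE = "266898"
OFFICIAL_DOMAINS = {"bmo.com"}
KEYWORDS = ("bmo", "security", "secure", "verify", "login")
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})

def skeleton(text):
    """Collapse visually confusable characters to one representative."""
    return text.lower().translate(CONFUSABLE)

def extract_domains(message):
    """Find hostnames in a message, accepting defanged '[.]' notation."""
    cleaned = message.lower().replace("[.]", ".")
    return re.findall(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", cleaned)

def is_official(domain):
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage_sms(sender, message):
    """Return the reasons a BMO-themed SMS looks like phishing (empty if none)."""
    findings = []
    if sender.strip() != BMO_SHORT_CODE:
        findings.append(f"sender {sender} is not short code {BMO_SHORT_CODE}")
    if re.search(r"starting\s+(?:in|with)\s+\d{4}", message, re.I):
        findings.append("card shown by its first digits instead of the last 4")
    for domain in extract_domains(message):
        if is_official(domain):
            continue
        label = domain.rsplit(".", 1)[0]
        hits = [k for k in KEYWORDS if skeleton(k) in skeleton(label)]
        hidden = [k for k in hits if k not in label]
        if hidden:
            findings.append(f"{domain} hides {hidden} behind lookalike characters")
        elif hits:
            findings.append(f"{domain} uses {hits} but is not an official domain")
    return findings

# Constructed samples modelled on the clues above, not the original message text.
SUSPECT = ("(438) 555-0100", "BMO: your card Starting in 5510 29** is on hold. "
           "Confirm at bmo-securltyverlfy1[.]com")
GENUINE = ("266898", "BMO Alert: purchase on card ending in 1234. See www.bmo.com")

if __name__ == "__main__":
    for sender, text in (SUSPECT, GENUINE):
        print(sender, "->", triage_sms(sender, text) or "no findings")
```

    An empty result only means none of these three heuristics fired; it does not establish that a message is genuine.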

    Reviewing Domain Information

    This domain resolves to IP 34.155.192.52 (ASN 396982). A review of the VirusTotal relationship information for this domain shows that, as of this writing, 81 domains [2] have been created since 23 Dec 2024 under this IP address, targeting Canada Post, Scotiabank, rebate information, etransfer, Costco rewards, etc.

    Indicators

    34.155.192.52
    bmo-securltyverlfy1[.]com

    It is important to carefully review the data before entering any information. Stay safe.

    [1] https://www.bmo.com/en-ca/main/personal/security-centre/scam-alerts/
    [2] https://www.virustotal.com/gui/ip-address/34.155.192.52/relations
    [3] https://www.virustotal.com/graph/34.155.192.52
    [4] https://www.hybrid-analysis.com/sample/c76cbf6e22734f177e024e1fee02ed17a53413e0dfee02c6a6601be28280b167
    [5] https://www.scamadviser.com/check-website/bmo-securltyverlfy1.com?utm_source=hybridanalysis
    [6] https://www.sans.org/security-awareness-training/

    -----------
    Guy Bruneau IPSS Inc.
    My Handler Page
    Twitter: GuyBruneau
    gbruneau at isc dot sans dot edu
