Last week a client of mine had €6000 taken from their online bank account. In fact, it was €3000 on a Wednesday and €3000 the day after. Bank of Ireland flagged the unusual behaviour and called my client to inform him of the potential theft of the money from his account. This money was actually transferred to an Irish account (read on). So this blog post raises a few questions, makes a couple of assumptions and congratulates Macra.ie on their response to illegal image linking.
First off. The scam.
The people behind this are smart. I dread to think how much money they have appropriated from Irish bank users. I know these emails are common but the entire scam still seems unbelievable somehow. The email arrives in the victim’s inbox as shown below:
My client received something like this:
Let’s start with the Bank of Ireland logo at the top. The image is embedded in the email using HTML and is pulled in from the Macra.ie website. Was the image there already on the Macra.ie website? Or did the scammer inject the image there? At the time of writing this blog post, the location of this image is here. My guess is that the image was there already and the scammers found it via a simple Google image search.
Next, the link which reads “Log in to Online Banking” brings the victim to an Asian website which I can only assume has been hijacked for the purpose of this phishing attack. I told you they were smart! So far, they’ve used two different servers for the content of this email. I bet a third server was used in some sort of relay attack in order to send the illicit email(s) as well. See the fake Bank of Ireland link below.
I know what you are thinking. To savvy PC and web users, it might seem like complete naivety to have even got this far without realising that it’s a scam. But I’m not surprised one bit that people are caught out. The scam is elaborate from start to finish and we’re all capable of being caught out on an off day.
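The two mismatches described above, a bank logo pulled from an unrelated site and a login link pointing at another, can be checked mechanically by a mail filter. The following Python is an added example, not part of the original post; the trusted domain list, the `.example` hosts and the sample email are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the bank legitimately serves email content from.
TRUSTED = ("bankofireland.com", "365online.com")

# Constructed sample modelled on the email described above.
# logo-host.example stands in for the site hosting the logo,
# hijacked-site.example for the compromised site hosting the fake login.
SAMPLE = """<html><body>
<img src="http://logo-host.example/PLACEHOLDER/logo.gif" alt="Bank of Ireland">
<p>Dear customer, please confirm your details.</p>
<a href="http://hijacked-site.example/PLACEHOLDER/login">Log in to Online Banking</a>
<a href="https://www.bankofireland.com/security">Security centre</a>
</body></html>"""

def is_trusted(host):
    """True only for a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class ResourceCollector(HTMLParser):
    """Collects remote images and links whose host is not trusted."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self._check("remote-image", a["src"], a.get("alt") or "")
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check("link", self._href, "".join(self._text).strip())
            self._href = None

    def _check(self, kind, url, label):
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and not is_trusted(parts.hostname):
            self.findings.append((kind, parts.hostname, label))

def audit(html):
    """Return (kind, host, label) for every off-domain image or link."""
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    return collector.findings
```

Running `audit(SAMPLE)` reports the hotlinked logo and the login link but not the genuine bank link, which is the combination a filter would score as brand impersonation.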
Let us examine the €6000 which was stolen from my client:
They filled out the above form. They entered the full 6-digit user ID. Putting aside the vital mistake of having clicked on the link to get here… Mistake 1 was entering the full 6 digits. The user is never asked for the full 6 digits. Mobile Number, Phone Number, Full Name equals Mistakes 2, 3 and 4.
At this point, the scammer has access to my client’s online bank account. So how did they transfer money to another Irish account? In order to set up a new payee, you need to verify the new account by SMS or post. Normally, the bank issues a code and the payee only becomes active after this code has been entered. Having dropped off the PC, my client stated as he was leaving “I’m not sure if this is relevant or not but my phone went down on the same day. I took it to the store and they replaced the SIM. They don’t know why it stopped working and could not offer an explanation.”
I think I can. They must have called his mobile operator and asked them to change his phone number to a new SIM card (theirs). They effectively used the information he provided (Home Phone, Date of Birth, Full Name, etc.) to steal his identity and €6000 along with it.
One quick point. The money was transferred to an Irish location, i.e. it wasn’t an international transfer. More questions. Can Bank of Ireland track this to an Irish resident? If not, should they only allow bank transfers to domestic accounts which can be tracked to verified Irish accounts?
The story continues...
The scammers got the money. The Asian site is no longer hosting the fake Bank of Ireland website. However, today, I myself received a different flavour of essentially the same email my client had previously received. This time, there were some slight differences. The link to the fake site had moved to another unknown location. Rather than removing the image, Macra.ie have instead modified it in what I think is a stroke of genius.
The good news is that any potential victims receiving the mail today are much less likely to be caught out thanks to the quick thinking over at Macra. The bad news is that the scammers will simply find another host for the illicit use of the Bank of Ireland logo and continue their campaign of online theft.