Secure Device for Fishy Intent
Phishing attacks jeopardize users’ personal information, including banking credentials. The huge gain that Internet miscreants receive from these attacks drives them to think of newer and more effective bait to phish users’ personal data. To carry out their plans, spammers most commonly abuse new security services/features provided by legitimate companies.
Many financial institutions have already started providing a PIN/password generator device (also known as a “secret reader”) for their customers to conduct secure online transactions. The device generates random PIN codes after a specified interval of time. In a recent phishing attack, the fraudsters promoted a similar secret reader.
This fake message claims that a bank has developed a secret reader that generates a password of 10 alphanumeric characters. The message also targets existing customers who already use the device provided by the bank, and informs them that the existing device will no longer be available if they do not apply for a new device through the link provided in the message.
Below is a screenshot of the phishing email:
The URL provided in the message is a typical phishing URL that mimics the login process of the bank and will steal a username and password.
Symantec advises users to follow the best practices below to stay safe from phishing sites:
• Type domain names manually rather than clicking on any link.
• Do not click on suspicious links from emails.
• Talk to your bank and confirm the legitimacy of the email in the case of any suspicious correspondence notifying you of a purported process change.
• Use Symantec Internet Security products and use updated signatures.