By Brian Krebs | February 13, 2006
Phishing is a difficult enough form of fraud to avoid for most
computer users, but when some of the biggest names in the financial
industry fail to do their part to detect and eliminate these online
scams, consumers often are placed in an untenable situation.
Case in point: A source recently forwarded a link to one of the
"best" phishing attacks I've ever seen. This one -- targeting the
tiny Mountain America credit union in Salt Lake City, Utah -- arrives
in an HTML-based e-mail telling recipients that their Mountain
America credit union card was automatically enrolled in the Verified
by Visa program, a legitimate security program offered by Visa that
is supposed to provide "reassurance that only you can use your Visa
card online."
The e-mail includes the first five digits of the "enrolled card," but
those five digits are found on all Mountain America bank cards, so
that portion of the scam is likely to be highly convincing for some
recipients. The message directs readers to click on a link and
activate their new Verified by Visa membership.
Now here's where it gets really interesting. The phishing site, which
is still up at the time of this writing, is protected by a Secure
Sockets Layer (SSL) encryption certificate issued by a division of the
credit reporting bureau Equifax that is now part of a company called
Geotrust. SSL is a technology designed to ensure that sensitive
information transmitted online cannot be read by a third-party who may
have access to the data stream while it is being transmitted. All
legitimate banking sites use them, but it's pretty rare to see them on
fraudulent sites.
http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html