Criminal minds are usually the most fertile. Just how fertile was displayed last week, when a phisher actually advertised for victims on Craigslist, the popular classified ads web site.
The ad, posted at 7:00 AM on April 26, asked Bank of America customers to send the poster their account and telephone numbers, in return for which he or she promised to deposit $1,000 per day into their accounts. The victims were supposed to take 15 percent for themselves, and immediately forward the balance to another Bank of America account. The poster couldn’t do it him/herself, they said, because they were currently in New Zealand.
We stumbled across the ad at 9:00 AM and immediately forwarded it to Craigslist, which removed it within an hour. We also informed Bank of America, which later said it was aware of the scam. Bank of America’s response led to the obvious inference that the scamster had been active earlier, since the ad had been posted on Craigslist for only two hours, but it—and Craigslist—declined to explain the apparent discrepancy in the time line.
The Federal Bureau of Investigation, which likewise declined to respond specifically to the event, said the ad was a new version of the old “freight forwarder” con game, in which the victim is asked to receive payments and forward them and then, after a few successful transactions, is asked to cash a check for more than the usual amount, and refund the balance. If they’re successful, the crook predictably vanishes. The scam also has much in common with the—by now—hoary Nigerian scam, in which someone posing as a Nigerian lawyer or government official emails the mark for help smuggling enormous amounts of money out of that country.
The scam breaks new ground, says Avivah Litan, vice president and research director at Gartner Inc. “I’ve never heard of this—it’s very clever social engineering,” she says. “I doubt that BofA knew about it—they just want to seem like they’re on top of things.”
At a minimum, the scam should get a prize for sheer brass, not to mention minimum effort. Typically, a phishing scam involves a skillfully crafted and apparently genuine email from a bank or popular e-commerce site, and an equally well-designed, fake website in which the unwary enter their account information. In this case, the scamster just posted an ad, hoping to snag one or two victims before the ad was spotted and taken down.
In this case, whether the perpetrator succeeded is unknown, but the Craigslist ad is very similar to similar scams commonly found on job want-ad sites like Monster.com. “The jobs boards are filled with these things, and the FBI is constantly having to trace them back to the sender, but this is the first report I’ve heard about a Craigslist ad,” says Peter Cassidy, secretary general of the Anti-Phishing Working Group.
Cassidy says this is a new wrinkle in the game. “It’s phishing, but not the usual retail phishing, where they’re looking for your banking credentials—it’s definitely a new hybrid,” he says.
And, he adds, he’s unsurprised. “People are putting up things like deceptive software that infect your computer and call it freeware or games. Why should we be surprised that people are putting up deceptive ads in order to phish people?”
For the record, we post the ad below, complete with misspellings.
Reply to: job-154729485@craigslist.org
Date: 2006-04-26, 7:09AM EDT
We´re an e-gold exchanging team. I own a website, and I`m looking for Bank of America customers, as i'm an account holder as well, I´m able to transfer UPFRONT to your account, daily amounts of $1000. All you have to do is withdraw and send to one of our exchangers. Remember that you get to keep 15% for yourself.If you are wondering why I can´t do it myself, it is simply due to my current unavailability; I`m in New Zealand visiting with relatives, and that´s why I´ll need your assistance.
As I am going to send upfront, I´ll need some things, such as:
– You must own this account for at least 3 months (I call to verify)
– You must suply a land line phone #
– You must be from USA and you´re not allowed to use a third party.
– The amounts should be sent within 24 hours, delays will not be tolerated.
You may also be wondering:
– What information do you need to transfer the amount into my account!?
I´ll need only the following information: Account holder #, last name and zip code, ONLY
– Is there any possibility of having my account hijacked with performing such activity!?
Absolutely not, it´s a typical transaction between bank of america accounts, and you can make sure about that calling up bank of america customer service with these questions, or simply using your bank online referring to transfer and if you notice, they will require the information I previously requested to.
a.. Compensation: You´ll receive 15% from all amounts. Up to 65k annually, your weekly share will be $1800.
54729485
——————————————————————————
(Contact: Craigslist, 415-566-6394; Bank of America, 415-622-6367; Federal Bureau of investigation, 202-324-3000;Gartner Inc., Avivah Litan, 301-610-7482; Anti-Phishing Working Group, Peter Cassidy, 617-491-2952)
I hate phishing. Not only has it cost the world's financial institutions tens of millions in fraud losses, it's just about killed the email channel in terms of getting your customer's attention in a timely fashion, and it's diverted management's attention from much-needed online marketing improvements. That's much worse than the actual fraud losses. 
For example, today I received a fake credit card authorization request from Wells Fargo (see inset). I'm not sure why it prompted a blog entry. Maybe because I use a Wells card or maybe because I've been talking to mobile banking execs about this very subject. But the fake was good enough to force me to take a closer look. The biggest clue is the wrong format for the USD charge, using a "comma" instead of a decimal point between the dollars and sense. But otherwise it's pretty good, and may even net a few card numbers before its taken down.
