Hackers, Thieves, Terrorists, and Spam
A growing problem plaguing online transactions is fraud. There are many methods of acquiring credit cards, bank account numbers, and personal information to commit crimes ranging from petty theft to funding and facilitating terrorism.
I've personally received emails requesting that I log into a bogus site and clarify some details about my account. One that caught my eye was an email that asked me to help eBay with a "security issue". Of course, eBay had nothing to do with the email. That site was hosted in the UK and collected numbers from PayPal-related bank accounts and the user's passport. Why would they want passport numbers? By linking a real passport to real bank information, your identity could be very useful for criminal activities. They could easily manufacture a very real-looking set of identification and travel-related documents.
What are they doing with your identity? Just try to imagine any evil or wicked thing where assuming a real identity and related banking information may aid someone in committing such an act. If you don't think theft of such information helps terrorists worldwide, you aren't paying attention. If you don't think terrorism is real, you don't watch much news. September 11th didn't mark the end of terrorist activity worldwide. It was just the most spectacular event to date.
A friend forwarded an email requesting he log in to deal with a security issue with his online banking. As an example, below is the original text of the email including the header. Two screenshots of the website referenced in the email are linked at the bottom of this article.
The email text:
```text
Return-Path: <nobody@server2.digitaldx.com>
Received: from mail.silohost.com ([66.20.47.2])
by ant.hiwaay.net (8.13.3/8.13.3) with ESMTP id j1JJBpDh698030
for <myfriend@hiddenaddress.com>; Sat, 19 Feb 2005 13:11:51 -0600 (CST)
Received: from server2.digitaldx.com (server2.digitaldx.com [67.18.208.106])
by mail.silohost.com (Postfix) with ESMTP id E618A189C30
for <myfriend@hiddenaddress.com>; Sat, 19 Feb 2005 13:11:50 -0600 (CST)
Received: from nobody by server2.digitaldx.com with local (Exim 4.44)
id 1D2a1G-0007OZ-M7
for myfriend@hiddenaddress.com; Sat, 19 Feb 2005 13:11:58 -0600
To: myfriend@hiddenaddress.com
Subject: Notification From Southtrust Online Banking
From: Southtrust Bank <service@southstrustsonlinebanking.com>
Reply-To: service@southstrustsonlinebanking.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
Message-Id: <E1D2a1G-0007OZ-M7@server2.digitaldx.com>
Date: Sat, 19 Feb 2005 13:11:58 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any
abuse report
X-AntiAbuse: Primary Hostname - server2.digitaldx.com
X-AntiAbuse: Original Domain - tmicpa.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - server2.digitaldx.com
X-Source:
X-Source-Args:
X-Source-Dir:

Dear Southtrust Bank customer,We recently reviewed your account, and suspect that your
southtrust account may have been accessed by an unauthorized
third party.Protecting the security of your account and of the Southtrust
Bank network is out primary concern.Therefore, as a preventative measure, we have temporarily
limited access to sensitive Southtrust Bank account features.Click the link below in order to regain access to your account:
http://www.southstrustonlinebank.com/index.html?=verify
For more information about how to protect your account, please
visit Southtrust Security Center.We apologize for any inconvenience this may cause, and apriciate
your assistance in helping us maintain the integrity of the
entireSouthtrust system.
Thank you for your prompt attention to this matter.
Sincerely,
The Southtrust Security Department Team.
```
This is definitely an attempt at human hacking. The IP of that domain traced to a host in the South Pacific. It's a combination of (criminal or legal) access to the banking records at SouthTrust and illegal collection (fraudulent) of banking data, intended to funnel funds to criminal organizations. The bank could have easily sold the information to someone, then that information fell in the hands of the criminals (criminals, bankers... I'm defining a difference for this conversation :). However, I wonder how many people will fall for this scam and give them their online user IDs and passwords for their SouthTrust bank accounts.
They put forth the effort of actually reserving a domain name that would appear (somewhat) authentic. They've faked a logo on the web page and give you a neat little interface to log in for their bogus bank communication.
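The tells in that message are all in the headers and the link: the sender and link domains are one letter off from the bank's name, and the bottom Received line shows the mail originating at server2.digitaldx.com rather than anything the bank runs. The following triage script is an added example, not part of the original post; it re-checks those three things on the message quoted above. The sample is the post's own headers joined onto single lines, and the bank's real domain (southtrust.com) is an assumption for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: headers and link line from the phishing message quoted in
# this post, each header folded onto one line so the stdlib parser takes it as-is.
SAMPLE = """\
Received: from server2.digitaldx.com (server2.digitaldx.com [67.18.208.106]) by mail.silohost.com (Postfix) with ESMTP id E618A189C30
Received: from nobody by server2.digitaldx.com with local (Exim 4.44) id 1D2a1G-0007OZ-M7
From: Southtrust Bank <service@southstrustsonlinebanking.com>
Subject: Notification From Southtrust Online Banking
Content-Type: text/plain

Click the link below in order to regain access to your account:
http://www.southstrustonlinebank.com/index.html?=verify
"""
BRAND = "southtrust"             # the impersonated bank's name
LEGIT_DOMAIN = "southtrust.com"  # assumed legitimate domain, for the example only

def edit_distance(a, b):
    """Levenshtein distance; one insertion turns 'southtrust' into 'southstrust'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Crude 'name.tld' reduction, enough for the .com hosts in this message."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike(host, brand=BRAND):
    """Smallest edit distance between the brand and any brand-sized window of the host label."""
    label = registrable(host).split(".")[0]
    best = len(brand)
    for n in (len(brand) - 1, len(brand), len(brand) + 1):
        for k in range(max(1, len(label) - n + 1)):
            best = min(best, edit_distance(label[k:k + n], brand))
    return best

def analyze(raw, legit=LEGIT_DOMAIN):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    links = {urlparse(u).hostname for u in re.findall(r"https?://\S+", msg.get_payload())}
    # Each hop prepends its Received header, so the last one names the origin host.
    origin = re.search(r"\bby\s+(\S+)", msg.get_all("Received", [""])[-1])
    hosts = [("sender", sender)] + [("link", h) for h in sorted(links)]
    hosts.append(("origin", origin.group(1) if origin else ""))
    findings = []
    for kind, host in hosts:
        if not host or registrable(host) == legit:
            continue  # nothing to flag for the bank's own domain
        d = lookalike(host)
        if d <= 2:
            findings.append(f"{kind} {host}: lookalike of {legit} (distance {d})")
        else:
            findings.append(f"{kind} {host}: not a {legit} host")
    return findings
```

Run against the sample, `analyze(SAMPLE)` flags the sender and link domains as distance-1 lookalikes and the origin as a host outside the bank's domain; a message whose sender, link and origin all sit under the legitimate domain produces no findings.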
When you log in they collect other information from you. They apparently don't have any way of comparing your user ID and password to the live SouthTrust system (which is what I'd do, but I'm not a crook). They just accept whatever you type in and then collect your bank card information, likely to run through storefronts worldwide with forged cards.
It eventually just looks like stolen cards, and nobody is any the wiser. The poor victims that run legitimate businesses get stuck with charge-offs, the crooks clean the money through various systems or fence the goods stolen with the forged credit cards, and it's one more point for the crooked kind.
So far, this is one of the more savvy attempts at targeting bank customers. It's missing the poor language common in many foreign email scams, not that they don't have their share of misspelled words. This scam is targeted and well planned. At the time I made this post, it had been active for more than 12 hours and the site had not been shut down.
Banks and other financial institutions sell their lists of customers to "associate" companies they don't control and a growing number of financial institutions are using overseas call centers to handle financial transactions. This complicates tracking the chain of custody. Once this information is disseminated to criminals, it's practically impossible to trace who delivered the information to the criminals. One unethical employee can steal tens of thousands of names, phone numbers, bank numbers, etc. for criminal use.
Of course, the IRS has tax preparers sending unencrypted files over the internet to clearinghouses, as well as to the IRS directly, with direct deposit information right on the file. A talented hacker can pick up millions of names, addresses, social security numbers, banking information, even details like names of children and their social security numbers and daycare addresses. So, who knows where the next theft is going to take place or what crime it will enable. Expect this to make an impact at some point on our quality of life. More importantly, expect organizations that use crime to fund their nefarious activities to continue to thrive. This is a serious problem that law enforcement should stand up and notice immediately.
Update: Before I even posted this, my own news aggregator pulled a feed from The Register with "Online fraud could dent economies".
Update 2005 02 21: The bogus site is still up and running, though SouthTrust now has a warning up on their website. SouthTrust knows about the email.
The US government should have these guys in custody and shut down their site by now. At the least, they should walk in the front door of that service provider and put their hands on the server. There are international issues to resolve, such as jurisdiction. However, this is exactly the kind of problem our law enforcement should work diligently to put down.
| Attachment | Size |
|---|---|
| www_southtrust_scam_initial-screen.jpg | 78.95 KB |
| www_southtrust_scam_additional_info.jpg | 67.27 KB |