(All four blog articles in this series, of which this article is the last, are available as a single paper here: The_Thoughtful_Phisher_Revisited.)

From the sort of ‘visit this link and update or we’ll cancel your account’ message that we saw in the previous blog in this series (The Less Thoughtful Phisher), it’s a short step to trying to frighten you into logging into a malicious URL by telling you there’s already suspicious activity on your account.

Dear Valued Customer,

Your Nationwide Account has been limited due to the unusual login attempt to your online banking.

Resolve Your Nationwide Account

Thanks,
Nationwide Building Society.

Well, fall for this and suspicious activity will certainly happen, though it may take a while before you realize it has taken place.

Yes, it’s me. No, it’s me.

And here’s a short example of a type I’ve been seeing a lot of recently. The potential victim might think that simply confirming or denying that they requested a change is safer than linking to an obvious login link – after all, we keep telling you not to go directly to a link in a message you can’t trust – but the scammer isn’t going to be content with a simple yes or no. At some point in the process you’re going to have to share your login details, and the scammer will have got what he wants. And you may not be surprised to note that – as with most examples of this type of message I’ve seen so far – the ‘yes’ and ‘no’ links are exactly the same. It seems to have started to occur to them, though, that the social engineering might be a little more convincing if they went to a different page.

Dear Valued Customer,

This is a short email to let you know that your NatWest Credit Card Online Services security details was recently changed on Monday, November 11, 2013 at 9:32:48 AM. Please confirm that this request was made by you.

Yes, I made this request.

No, I did not make this request.

Best wishes

Paul Riley
Head of Credit Card

What an interesting coincidence that the Head of Credit Cards at MINT has, according to the message of which I generated a screenshot in an earlier blog in this series, exactly the same name as the Head of Credit Card(s) at NatWest. At least, so the number of NatWest phishing messages I’ve seen with that signature would seem to indicate. Unless he’s changed jobs. Or, more likely, some phishing phreak thought that Paul Riley was a name likely to inspire confidence in UK readers. Just as I always feel reassured when I get offers from various dictators’ widows to share millions of dollars. ;)

We don’t know why, but we know exactly when...

Here ‘he’ is again with a more comprehensive message. I love the precision with which they report the date and time of this imaginary breach.

Dear Valued Customer,

An attempt to access your NatWest Credit Card Online Services was denied on: Thursday, 07 November 2013 at 7:03:55 GMT

Access was denied for one of two reasons:

The response to your personal logon details did not match our records

A recent change in your contact information.

If you remember trying to access NatWest Credit Card Online Services on the above date and time, please select "That was me."

If you do not remember trying to access NatWest Credit Card Online Services on the above date and time, please select "That was NOT me." You will then be prompted to Confirm your account profile on file with us.

That was me.

That was NOT me.

Best wishes

Paul Riley
Head of Credit Cards

P.S ...don't forget that you can make a payment online using the payments and transfers link once you have logged on.

Please do not reply to this email. It is for notification only as this mailbox cannot accept incoming mail. If you need to contact us then use the Contact Us link at www.natwest.com.

National Westminster Bank plc. Registered in England and Wales (Registered Number 929027)
Registered Office: 135 Bishopsgate, London EC2M 3UR.

Authorised and regulated by the Financial Services Authority.

This email message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please return the message to the sender by replying to it and then delete the message from your computer. Internet emails are not necessarily secure. The Royal Bank of Scotland plc does not accept responsibility for changes made to this message after it was sent.

Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by The Royal Bank of Scotland plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.

Talk about adding value. Two possible reasons for the ‘problem’ you have to log on to resolve, an opportunity to make a payment while you’re at it (more money? Bring it on!), and a lengthy disclaimer that looks like it was scraped from a real site or document.

Newly MINTed

And here is Mr Riley, again, apparently moonlighting back with MINT. I wonder if he’s getting paid by both divisions.

And yes, this time the scammers used different links for yes and no. Apart from the change of provider, the value-added disclaimer is almost identical to the previous message (so I haven’t reproduced it).

Dear Valued Customer,

Our records shows that your MINT Credit Card Online Services security details was recently changed on Tuesday, November 05, 2013 at 06:09:42 PM. Please confirm that this request was made by you.

Yes, I made this request.

No, I did not make this request.

Best wishes

Paul Riley
Head of Credit Cards

Implore-sible…

Dear Account Holder,

We noticed a violation of our services on your account and for this
reason, your account will be closed if you fail to resolve the
issue within the next 48 hours.

This will only take a moment, We implore you to resolve the issues
on your account immediately to restore access.

Resolve Here to complete the process.

Sincerely,
Lloyds Bank

I like it. Short and to the point. Log on and give us your money or we’ll close your account. Even though, as usual, we don’t know anything about you or your account… I really like ‘we implore you’: it’s always comforting when a scammer asks nicely.

Doomed!

At Lloyds, we take your security very seriously indeed. In fact
we've invested in a host of measures that help protect you
and your money

Recent transactions involving your designated accounts was revoked.

Follow the provided steps to restore your online access and to
review your account status

Online banking Log on

Sincerely,
Lloyds Bank

Eek! Revoked! I’m doomed. (I’ve been seeing a lot of these, but this one is enough to give you the idea…)

Browserbeaten

And one last shot across the browser from ‘Paul Riley’.

Dear Valued Customer

Thank you for choosing NatWest Online Credit Card Services.

At NatWest Credit Card Services we are continually making improvements to protect our customers from fraud, but there are also things you should do to ensure that your details are kept safe when using your card online. We ask that you always have the latest anti-virus software protection on whichever device you use to access NatWest Online Credit Card whether that be your laptop, pc or mobile. We also offer free 'Rapport' security software protection that works alongside your anti-virus software to give added online protection.

At NatWest Credit Card Services we have introduced new additional security measures and updated our software to protect our Online Credit Card Account users. The security update will be effective immediately and requires our NatWest Credit Card customers to update their access. Please click on "Continue" below to update yours today.

CONTINUE

Find out more
If you have any questions about using your card online, we're happy to help. Simply visit our Help 24/7 service.

Yours sincerely,

Paul Riley
Head of Credit Cards

Rapport, of course, is Trusteer’s banking-specific security software, which has been genuinely recommended and made available by various banks to their customers. Nice touch of circumstantial suggestion of good intent, and perhaps an indication of content scraping, but the real intent here is far from benevolent.

And finally…

At least for this series.

Dear Valued NatWest Card Customer

Due to too many errors on your NatWest Credit Card account.
Your access to NatWest Credit Card Online Services has been locked out. Please use the link below to unlock.

Unlock Your NatWest Credit Card Online Services

Please do not reply to this message. For questions, please call Customer Service at the number on the back of your card. We are available 24 hours a day, 7 days a week.

Happily, this has some major logical weaknesses that should alert most people immediately to what they’re looking at here.

  1. There is no personalization to prove they’re addressing a known customer
  2. There’s an inline link to a very dodgy-looking URL
  3. If you were in any doubt about this, you could check it instantly by going to a known genuine URL to log in, where hopefully you would be able to log in without a problem.
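
The warning signs in the list above, together with the identical ‘yes’ and ‘no’ links noted earlier, can be expressed as a simple mail-triage check. This is an added example, not part of the original article: `triage`, the finding names, the sample HTML and its `.example` host are constructed for illustration, and the list of trusted domains is an assumption supplied by the caller.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the "Yes/No" message; the .example host is a placeholder.
SAMPLE_HTML = """<p>Dear Valued Customer,</p>
<p>Please confirm that this request was made by you.</p>
<p><a href="http://signin.bank-alerts.example/v">Yes, I made this request.</a></p>
<p><a href="http://signin.bank-alerts.example/v">No, I did not make this request.</a></p>"""
# Impersonal salutations of the kind used in the quoted messages.
GENERIC = re.compile(r"\bdear\s+(?:\w+\s+){0,4}?(?:customer|account\s+holder)\b", re.I)

class LinkCollector(HTMLParser):
    """Collect body text and a (visible label, href) pair for every <a>."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._label = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._label).strip(), self._href))
            self._href = None

def triage(html, trusted_domains):
    """Return the warning signs found in one HTML message body."""
    page = LinkCollector()
    page.feed(html)
    findings = []
    if GENERIC.search(" ".join(page.text)):
        findings.append("generic-greeting")
    labels_by_target, hosts = {}, set()
    for label, href in page.links:
        labels_by_target.setdefault(href, set()).add(label.lower())
        hosts.add((urlsplit(href).hostname or "").lower())
    # A host is trusted only if it is a listed domain or a subdomain of one.
    if any(not any(h == d or h.endswith("." + d) for d in trusted_domains) for h in hosts):
        findings.append("link-outside-trusted-domains")
    # Opposite answers that lead to the same URL mean the choice is decorative.
    if any(len(labels) > 1 for labels in labels_by_target.values()):
        findings.append("different-choices-same-target")
    return findings
```

A message that uses separate ‘yes’ and ‘no’ URLs, as the MINT example did, still trips the greeting and link-host checks, so the findings are best treated as independent signals rather than a single verdict.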


David Harley CITP FBCS CISSP
ESET Senior Research Fellow