Training Customers to be Phishing Victims

The good thing about being a member of a relatively small credit union is that you don't have to worry about phishing email. Customers of Chase Manhattan, Barclays, or even the Commonwealth Bank may have to second-guess every email that purports to come from their financial institution, but customers of - for instance - the Sydney Credit Union are too small a target.

That is of course unless their credit union makes them an easy mark.

From: "Philip Derham" <Philip.Derham@derhamresearch.com.au>
To: "M J Davidson"
Subject: SCU's Member-only survey and competition for ten by $100 Woolworths gift vouchers!
Dear Mr Davidson,

Please tell us about you and your home - and how loans for homes can make your home-life better!

This is your survey invitation!

I know what you're thinking. Two exclamation marks in two sentences...

As an SCU member, we seek your advice about your home and your home loans so we can provide more effective home loans and home-related financial products for you.

That's nice to know.

So please tell us about your home, home loans, home-life and your views about that, by completing this brief SCU members-only survey. Just click on the link below (or copy and paste it into your browser window). It may take a second or so to load but then moves quickly.

www.derhamresearch.com.au/survey/scuhomes.htm

To maintain your anonymity, we've commissioned an independent market research company (Derham Marketing Research) to undertake the survey and to report the results in total only.

Giving personal information to somebody I've never heard of equals anonymity in my book!

As a token of thanks for completing the survey, you can enter a competition to win one of ten $100 Woolworths Wish Gift vouchers. You can use these at any participating Woolworths and Safeway Supermarkets, Caltex Woolworths and Caltex Safeway co-branded fuel outlets, Woolworths Online, BIG W, Dick Smith, Tandy, Woolworths Liquor, Safeway Liquor, BWS, Thomas Dux Grocer or Dan Murphy's stores, if you are one of the ten randomly chosen winners!

Well, it's not quite a substantial percentage of the ill-gotten gains of a deposed Nigerian prince, but I suppose in these troubled times you've got to sound realistic.

Entry is voluntary and the ten winners will be chosen at random.

But hurry, the competition closes on Wednesday December 9, 2009 at 6 pm - so please click on the link now!

Hurry! Click on the link! Or we might run out of exclamation marks!

Of course the email includes the obligatory financial institution logotype in GIF format (CompuServe lives!), just to make it look more genuine to gullible little old ladies. But the scariest thing in this case is that despite all appearances this email is totally genuine and above board.

I'm around 99% sure about this. The give-away was that the sender email address wasn't spoofed. Why wouldn't you pretend to be phil.fatcat@financialinstitution.com? Unless it's reverse psychology...

And the Credit Union's site does report that there is an email forthcoming which "will contain a link to the SCU members-only survey". It doesn't say who will be sending that email, so a clever fraudster could find that web page and quickly spray out emails saying "Yes, valued SCU customer! That market researcher is me! Come to my website and tell me all about yourself!" The only thing that makes this unlikely is the sheer number of stupid people on Earth, which makes the effort required to be that clever about defrauding people redundant. Also, few of the Credit Union's customers will have read that post on the website. So as I say, I'm 99% sure it's genuine.

On the other hand, if it's a genuine survey, why isn't it sitting on the Sydney Credit Union's website, or at least on their domain? That domain, by the way, was recently changed from the utterly confusing sydneycu.com.au (what the hell has that got to do with the Sydney Credit Union?) to the much more sensible moregenerousbanking.com.au. (I can't even begin to speculate on the thought processes, salaries, and drug habits that went into that decision.)

The only plausible, and very scary, answer is that neither the Sydney Credit Union nor their market research consultant has the technical know-how at their disposal to put some forms on the Credit Union's domain. Let me be very clear about this: I am not talking about anything to do with real security, not even the elementary transport encryption and server authentication provided by something as common as TLS (the survey link is plain http). A significant Australian financial institution cannot even make it appear that a bunch of Web forms comes from their domain. They can't look as convincing as real fraudsters. Moreover, they are quite happy encouraging their customers to give personal information to a third party.

The only thing distinguishing this email from a phishing scam is that no real phishing scam would be so transparent.

The Sydney Credit Union is training their customers to become victims of phishing scams.
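To make the point concrete, here is an added example, written for this page and not code from the post or from either organisation named in it, that applies the two mechanical checks a mail filter (or a careful customer) would run on the message quoted above: does the sender's domain belong to the institution, and do the links in the body point at the institution's domain? The message is reconstructed from the quoted email; the recipient address and the Content-Type header are assumed placeholders, the set of institution domains is the two named in the post, and the subdomain match is a simple suffix test rather than a Public Suffix List lookup.

```python
"""Flag links and senders in a banking email that point outside the bank's own domains."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Reconstructed from the message quoted above. The recipient address and the
# Content-Type header are assumed placeholders; everything else is as quoted.
RAW_MESSAGE = """\
From: "Philip Derham" <Philip.Derham@derhamresearch.com.au>
To: "M J Davidson" <member@example.invalid>
Subject: SCU's Member-only survey and competition for ten by $100 Woolworths gift vouchers!
Content-Type: text/plain; charset="utf-8"

Dear Mr Davidson,

Just click on the link below (or copy and paste it into your browser window).

www.derhamresearch.com.au/survey/scuhomes.htm

To maintain your anonymity, we've commissioned an independent market research
company (Derham Marketing Research) to undertake the survey.
"""

# Domains the institution actually uses: the two named in the post.
INSTITUTION_DOMAINS = {"moregenerousbanking.com.au", "sydneycu.com.au"}

# Matches http(s) URLs and bare hostnames such as www.example.com.au/path,
# which is how the survey link appears in the message body.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?", re.I)


def host_of(token: str) -> str:
    """Return the lowercase hostname of a URL, tolerating a missing scheme."""
    if "://" not in token:
        token = "http://" + token
    return (urlparse(token).hostname or "").lower()


def belongs_to(host: str, domains) -> bool:
    """True if host is one of the given domains or a subdomain of one.

    Suffix matching on a dot boundary, so 'bank.com.au.evil.example' does not
    match 'bank.com.au'. Production code would consult the Public Suffix List.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_message(raw: str, institution_domains=INSTITUTION_DOMAINS) -> dict:
    """Run the sender-domain and link-domain checks over one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    links = [m.group(0) for m in URL_RE.finditer(body)]
    foreign_hosts = sorted(
        {host_of(link) for link in links if not belongs_to(host_of(link), institution_domains)}
    )
    plain_http = [link for link in links if not link.lower().startswith("https://")]
    return {
        "sender_domain": sender_domain,
        "sender_is_institution": belongs_to(sender_domain, institution_domains),
        "links": links,
        "foreign_hosts": foreign_hosts,
        "plain_http": plain_http,
    }


if __name__ == "__main__":
    report = audit_message(RAW_MESSAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["sender_is_institution"] or report["foreign_hosts"]:
        print("verdict: indistinguishable from phishing by domain checks alone")
```

Run against the reconstructed message, the sender domain is derhamresearch.com.au, the one link resolves to www.derhamresearch.com.au, and that link is plain http, so every check a filter could apply fires, which is exactly the post's complaint: nothing in the message itself ties it to the credit union.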

Who is this third party? Well going by his website he's a middle-aged white guy with a suit and a weak smile. He's a dab hand with a hyphen, given that his "cost-effective", "respondent-considered", and "client-benefiting" services are "thought-through". He can't afford a web developer, or possibly his "research-based findings" have led him to believe he doesn't need one, so his website was made by himself (or an admin assistant, or a teenage relative) with a copy of Microsoft FrontPage.

The survey forms are entirely generated by some proprietary and heavily obfuscated client-side JavaScript (always a mark of quality) originally called Quask, now called PerfectForms. The guys who make this are obviously on the ball, because they have a Twitter account, a rather odd self-fan site, and a Wikipedia page that was deleted for being blatant spam. Mmm, classy.

Let me recap:

  • sydneycu.com.au suddenly became moregenerousbanking.com.au, establishing the precedent that a redirect to an unrelated, even utterly nonsensical, domain name while doing your banking is perfectly normal.
  • Your financial institution will from time to time invite other parties to email you. You should do whatever they ask.
  • You don't need any reliable evidence that these parties are connected with your financial institution. Heck, if they can make an on-screen keyboard leap about at random, give them your account number and password. Things leaping about mean security.

It's clear that you can't oppose this kind of stupidity; you can only use its own momentum against it. So go to http://www.derhamresearch.com.au/survey/scuhomes.htm and fill in the forms. Randomly, or in any way that amuses you. Then clear your browser cookies and fill them in again. Write a script to do it every few seconds. If the survey were behind the same authentication required for Internet banking, this sort of sabotage wouldn't be possible. Perhaps spamming people wouldn't be necessary if, when you logged in to do your Internet banking, there was an unobtrusive "Hey, want to do a survey for prizes?" link.

Nah, too hard. You can't do that with Microsoft FrontPage.