Phishers Spoof FDIC Site to Collect Card Info

An official-sounding e-mail, which touts a "new anti-fraud screening solution" and claims that most major U.S. banks are participating, takes users to a spoofed FDIC site and asks them to register their ATM, debit and check cards.

A phishing scam that appeared Thursday claiming to help protect consumers against debit-card fraud and identity theft has experts worried about the increasing skill and creativity of online scammers.

The scam, which takes the form of an e-mail message, falsely claims that the FDIC (Federal Deposit Insurance Corp.) has created a new program to track suspicious activity on accounts linked to consumers' ATM, debit and check cards. The message contains an authentic-looking FDIC logo and directs recipients to a spoofed Web site that anti-phishing experts say is located in China. Representatives from the U.S.-based Anti-Phishing Working Group have been working with officials from China's CERT (Computer Emergency Response Team) to take down the fraudulent site.

The text of the FDIC message is well-written, apart from two small grammatical errors, and it plays on the current raft of identity thefts and other phishing scams as a scare tactic to entice recipients into visiting the spoofed site.

"In cooperation with your bank and other major American banks, the FDIC has developed a new anti-fraud screening solution. This is an effort to prevent the recent surge in credit, debit card fraud and identity theft," the message reads.

"The system is an advanced neural network that scrutinizes card transactions and ATM withdrawals to deliver a highly accurate risk score by analyzing the spending behavior of each cardholder along with the profile of each merchant and ATM. It will try to detect and stop any suspicious or fraudulent ATM, debit or check card activity.

"Register with our ATM, debit and check card protection program and you can use your card to shop online, in a store, or withdraw money at the ATM, and you'll be fully protected from unauthorized use of your card or account information. With FDIC's Zero Liability policy, your liability for unauthorized transactions is $0—you pay nothing!"


The site to which the message directs recipients is virtually identical to the actual FDIC site and contains a further description of the fake protection program. The site claims that most major U.S. banks are participating in the program.

Once on the site, visitors are encouraged to register their cards.

"This is much better than the original FDIC scam and better than most of the ones we see," said Bill Franklin, president of Zero Spam Network Corp., based in Coral Gables, Fla., and a member of the anti-phishing coalition. "It's being blasted out there pretty hard. A lot of our accounts are seeing it."

Franklin said the quick cooperation of the Chinese CERT officials shows how much things have changed in recent months as officials around the world struggle to stop cyber-crime.
