Where it all started: my real bank asked me to do it
It actually all started with my real bank, the Crédit Agricole which is currently sending emails/reminder that I must upgrade my account with their latest security procedure (called Securipass). This will become mandatory.
So far that was just yet another item on my TODO list (i.e. I know I have to do, I will do it…).
This is important, because it sets a context. My brain was mentally prepaired to do this task (i.e. there is a cognitive biais to accepting a change). And that’s the beauty of it, without this context, I would never have done what follows…
Where I was lured…
This morning I received another reminder via SMS. I thought yes… my bank is hassling me to do that these days, let’s fix it now because it seems it becomes urgent as something will be deactivated and I have time for once :-).
Yes, looking back, this urgency should have triggered some alert (but this could have been real as well). Additionally, the syntax would be slightly different in a real professional message, notwithstanding the sentence is correct and there is no spelling mistake.
It basically says that I must quickly activate this securipass via a link to a URL.
Seeing it now, it is obvious, however the content is well built (no blatant syntax/mistake like most scammers):
- The name of the SMS sender “infoCA” pretty real
- The URL is made up of “securipass” and “ca” (derived from the bank name).
- It is registered as a .fr
And well - again - there is the context (my bank hassling me to do it for real), which affected my vigilance: that passed…
Of course, thinking twice afterwards, my bank would never send any link because there is an app for that and they actually said that they just never do that.
The scam website
The website is a clone of the original website. It first requires that I enter the local agency I depend on (so it does not cut to the chase).
Then I entered my ID (the real one stupid !) and token… I was not super confident actually.
This website acts as if it has to think a lot while it just has to write 2 strings in a file.
The fake two factor authentication
This is where things become ugly and actually well-engineered. A strong authentication (mobile based) is enforced with the real phone number of the bank.
At second look, there are a few hints that this is a scam this page (I spot 3, but I won’t tell here — don’t want to be proofreader for scammers). The most noticeable one is that there is no space between authentification and forte, others are more related to the syntax (i.e. correct but you would not say it this way on a professional website).
But overall this is good, you usually read quickly and stick to what matters: enter the code you received by SMS.
And I did receive codes, which I entered, these codes were received from the same phone number as the real codes from the bank during real operations.
Here, I was thinking hum (can’t say I did not have any doubt at all)… “this looks real.”
Next they asked me three to enter 3 times a code.
The last iteration said it sends it by email (in the website), which I never received so I entered the one from the last SMS…. It worked, but the scam started to become more obvious.
The scam became blatant, when it said I had to reactivate my credit card requiring tons of info (name/address/phone number/credit card details…).
After the page requesting credit card information, I was super skeptical at this point, but still not 100% sure. Of course, things are obvious when reading afterwards — let’s say I was 95% sure and needed to reach 100% as an old-school engineer — .
Of course, I first changed my token on my bank website :-)
Then I immediately started the enquiry by checking the real securipass URL (no ca) and see what it provides. If has basiscally all regular information you would expect from a commercial website with contact details of netops.
Then if you check for the scam… There is evidence that something’s really not cool is happening there (non public data, googledomains and date of creation: 1 month already: how can they survive that long ? )
OK so this is confirmed it is a spam. For fun, I tried to ssh the address… and I got SSH auth starting => LOL
root@sandbox:~# ssh securipassca.fr
The authenticity of host ‘securipassca.fr (22.214.171.124)’ can’t be established.
ECDSA key fingerprint is SHA256:uR+pXZoohwhytifRDxc58kxBhdEiAZY1GeOS1j9is/U.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added ‘securipassca.fr,126.96.36.199’ (ECDSA) to the list of known hosts.
The network connection was aborted by the local system.
Next I reported the scam website for blacklisting. If you can’t access it anymore… that will be my fault, sorry for that :-)
First, I will just never ever click on any link received by SMS anymore.
Here this is just a good quality scam website (still as I said earlier not meeting professional quality but good enough to lure someone especially when you are distracted). I don’t think I was injected any troyan (actually I hope it did not happen), which requires a higher level of skills (here I would expect real professional quality web interface). I consider this as a friendly reminder.
Last week (before this occured), I actually did not click on a retailer SMS link telling me that my order was ready to collect for a few stuffs I ordered a month ago. I found the link too fishy with something like “https://l.mpass.link/1ws66dfqds” and did not click on it. Instead I called them. It appeared that the link was correct and they just have bad practice (no obvious name/URL).
What hapenned to me then ? Here the information (bank) is much more critical than the retail shop. Why did I enter information which I would be normally 100 times more protective this time ?
Again, they do much more than scamming: they leverage cognitive biases.
Lastly, I don’t get why there is not a better protection of the content received by SMS. It did not work for me, because as an IT professional, I am aware of these things, but I think a substantial fraction of the population can be easily deceived (2-factor auth with the same phone number again = “that’s my bank for sure”).
All in all, I learnt about myself today, so this was a good experience overall (hence the sharing :-)).?