UPDATE: The host of Roots Messenjah Records informed me that he’s deleted the bogus BofA website and wasn’t aware of its existence on his server. Not an uncommon situation most likely, but something that other website admins should take note of. Keep your FTP info secure.
Or maybe it’s just time for another round of Spam Critic!
It’s amazing what you come across during an occasional perusal of the auto-trash spam folder. Today a very earnest message from bankofamerica@security.com landed there with the subject line: “Security Banking - Update Your Bank of America Information.”
All right, first off, props on the subject line. Everything is spelled correctly and it carries the weight of officialdom. Most of the banking public would pay attention to this one. And also the email address looks spot on: bankofamerica@security.com.
There are, of course, all sorts of high-falutin ways to fake an email address, but if you want to see how easy it is, go to Dead Fake Dot Com and send one of your best friends (who happens to be male and between the ages of 18 and 25) an email from draft@sss.gov that says something like: “dear XXX, this email is to inform you that in the next three to five days you will be receiving in the mail your orders to report to your nearest Army recruiting office to be inducted into service in Iraq. WE NEED YOUR BLOOD! MUHUHAHAHAHA!!”
Easy peasy. So, with a good official-looking start, let’s look at the text of the message:
For your security, access to Online Banking has been locked because the number of attempts to sign in exceeded the number allowed. To regain access, you must reset your Passcode. Please visit
https://sitekey.bankofamerica.com/cgi-bin/sas/enrollWithDebitCard.do?state and update your information. Your security is important to us. If you are not aware of this situation, please contact us immediately at 1.800.933.6262.
This alert relates to your Online Banking profile, rather than a particular account. The account listed here is for verification purposes only.
I don’t know about you, but they had me at “sitekey,” a part of BofA’s web nomenclature. I don’t care that the X-spam Report in my mail application tells me it was flagged as spam as “Forged mail pretending to be from MS Outlook,” I’m clicking that link. Aesthetically, the email looks pretty swank as well. Graphics swiped directly from the site. Fonts, color schemes, etc. are all plausible. The url is a little squirrely for the situation (why would I need to enroll with a debit card to a bank I already belong to?) but sometimes urls don’t make any sense. Many banking urls contain a mega-long alphabet soup.
So, clicking the link takes us to a very realistic log-in page. I just want to feed it my information. I want to tell it everything about my banking habits. And I can. Instead of logging in as myself, I decide to use the user name “hey_spammer” and the password “you_manually_masturbate_chimpanzees.” I doubt there are really any Bank of America customers with that particular login and password combination, but if there is, I apologize for publishing it here. The point is, it worked. So did anything else I put in, for that matter. Of course, it has to because the person who made this page is phishing for your details. Still, it’s a flaw that shows this is not the real deal, but one that many could overlook if they just “log in” with their real information the first time around.
The result is another very snazzy creation of a Bank of America-looking page. Here’s what it looks like:
Again, another very realistic page that I’m sure some sucker is filling out right now. So where’s the big flaw? It’s right in front of your eyes if this is what’s on your screen, but I do wonder if people pay attention sometimes. It’s the url. You’re not at anything hosted by bankofamerica.com, but rather at http://rootsmessenjah.com//images/banner/cgi-bin/us/repution/bankofamerica.smallbusiness.checking/Online-Banking-Directory/e-online-banking/. Let’s take off everything after the .com and see what we get:
It’s your friendly neighborhood online dancehall, reggae roots & dub specialist store, Roots Messenjah Records, of course, dishing up the classic Bob Marley and Peter Tosh favorites as well as all the online banking needs of one of the US’s biggest commercial banks. Or, well, it seems that RMR just has the one offering at the moment: Elephant Man, so maybe it’s transitioning over to other business models until it gets more inventory. I’ve sent the Roots Messenjah admin a message about Bank of America squatting on one of her/his servers. No reply as of this writing.
The lesson in this episode is so simple that Lassie could bark it to little Timmie, though: Read the url before putting your bank info into a random form that some email tells you to. Or ignore it and don’t bank online. Or, don’t bank. More on that some other time, when we discuss life off the grid.
Bank of America scam spam gets some top marks for authenticity. Low marks for url masking.
End of report.
Tags: bank of america, online scams, spam
Comments (1 Comment)
mighty added these pithy words on Nov 26 07 at 9:01 am
I want to inform you that I just deleted the rootsmessenjah website and will forward all logfiles of the server to the police. I never got your mail concerning this, maybe because of the 1,000 spam mails which I get every day.
Anyway, I don’t want that somebody feels like I’m involved in that shit. I never saw that thing before I got an email from PayPal yesterday. Anyway, keep doing your good work - best regards and greetings outta Austria!
mighty


