New Phishing Scam alert

I received a quaint new phishing scam via SMS a couple of days ago, purporting to come from ING:

“You have just logged in on a NEW device. If this was NOT you, immediately go to: login.my-id-au . net”

login.my-id-au . net was a hyperlink, presumably to a site of the same name. my-id-au . net is registered in New York, with ownership details protected by privacy.org. I reported the site name as a probable scam to privacyprotect.org. It is now listed as registered under hostinger.com, a provider of web hosting services.

The format is different to other scams I’ve seen, and more compelling. The only giveaways are that (a) I don’t currently have an ING account; and (b) my-id-au . net is a distinctly dodgy sounding site name for a reputable company like ING to use.

This will likely be repackaged to appear to come from other household name brands.

12 Likes

I got almost the same text message from ‘ING’ two days ago, but with a different hyperlink:

“A NEW device has logged in successfully. If this was NOT you, immediately go to: client-menu . com”

Being a customer of ING it felt more genuine, but anything with a hyperlink raises my suspicions. So I checked my account, changed my access code and notified ING. The text I got from ING confirming my change of access code appeared on my phone in a different ‘conversation’ and addressed me by name.

8 Likes

A very well crafted phishing screen. Looks just like an ING logon screen I would assume, except none of the links work.
And even certified for HTTPS, with a valid certificate issued on Nov 3 signed by the open source ‘Let’s Encrypt’ organization.
Anyone with a registered domain name of any sort could get a CA signed certificate from that bunch for free with no actual checking done. It’s an automated process, but the cert only lasts three months.

3 Likes

I clicked the bogus link and Malwarebytes, Microsoft, and Firefox flagged it as dangerous / bogus. I have thus removed the hotlink from your post to inhibit the casually curious from accidentally visiting it.

5 Likes

Chrome flagged the link as suspicious too. But not when used with https://

I would think that Firefox, Edge, Safari, and others would be the same and accept the site as genuine given that ‘Let’s Encrypt’ is the world’s largest security certificate signing authority.
Try it.

I suspect the web page creator needs a bit more knowledge in directing users to the secure protocol, rather than the unsecure protocol by default.

It used to be that if you saw https:// at the start of the URL or a padlock symbol, you could be confident that entering a userid and password was safe and secure.

No way these days. The domain name is all you have to go by.

2 Likes
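The point made above, that the domain name is all you have to go by, as an added example that is not part of any post in this thread: a check that pulls the hostname out of an SMS (including the spaced-out " . " form used here) and compares it against the brand's own domains. The `OFFICIAL_DOMAINS` list is an assumption, and the last two sample messages are constructed.

```python
import re

# Assumption: the domains the bank really uses; this list is not from the thread.
OFFICIAL_DOMAINS = {"ing.com.au"}

# Hostname, with dots written plainly or defanged as " . " as in the thread.
# A sentence-ending "word. Next" is not matched: a dot must be followed
# directly by a label, or have a space on both sides.
HOST_RE = re.compile(r"((?:[a-z0-9-]+(?:\.|\s\.\s))+[a-z]{2,})", re.IGNORECASE)


def extract_hosts(sms: str) -> list[str]:
    """Return every hostname in the message, refanged and lower-cased."""
    return [re.sub(r"\s+", "", m.group(1)).lower() for m in HOST_RE.finditer(sms)]


def is_official(host: str) -> bool:
    """True only for an official domain or a subdomain of one.

    Matching is on the right-hand end of the name, so a host that merely
    contains or starts with the brand's domain does not pass.
    """
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage(sms: str) -> list[tuple[str, str]]:
    """Label each hostname in an SMS as 'official' or 'suspicious'."""
    return [(h, "official" if is_official(h) else "suspicious")
            for h in extract_hosts(sms)]


# The first two messages are quoted in the thread; the last two are constructed.
SAMPLES = [
    "You have just logged in on a NEW device. If this was NOT you, "
    "immediately go to: login.my-id-au . net",
    "A NEW device has logged in successfully. If this was NOT you, "
    "immediately go to: client-menu . com",
    "Your access code was changed. Details at www.ing.com.au",
    "Verify your device at ing.com.au.client-menu . com",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms))
```

The fourth sample shows why the comparison is anchored to the end of the name: a hostname that begins with the brand's domain still belongs to whoever registered the rightmost part.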

It might be worth reporting to ING and Scamwatch. I report new scams I haven’t seen before or mentioned online to businesses used in the scam and to Scamwatch in the hope that it prevents at least one person getting scammed.

2 Likes

Good points. I reported it to Scamwatch, but didn’t think to report to ING. Will report tomorrow.

3 Likes

https:// - this only indicates secure socket (or TLS aka Transport Layer Security) secure services. It doesn’t mean the latest version of TLS is necessarily used, only that the secure sockets layer is engaged for traffic encryption between the client and the web server.

It doesn’t in any way indicate the site accessed is at all safe.

2 Likes

PhilT, I didn’t mean to make any of those links clickable. How do I name a URL without it converting to a clickable link?

3 Likes

If you enter a URL to a browser it will default to the HTTP protocol.

It is up to the website to specify what the protocol should be for the particular service they are offering. It could be HTTP, or the now more widely used HTTPS as more secure, or perhaps FTP, or FTPS.

Today’s browsers detect pages that contain input fields that could be userid and input and warn that the protocol used, if HTTP, is unsecure.

They also warn, if the protocol is HTTPS, and that requires certificate checking and key exchanging, if the certificate has a problem. Expired perhaps, or from a CA that cannot be verified.

2 Likes

Putting spaces before and after the ‘.’ and domain works.

ThisIsAnExample.com that Discourse makes into a clickable URL but
ThisIsAnExample . com is not.

4 Likes

ING responded to my report of the scam and have, not surprisingly, confirmed the message isn’t genuine.

5 Likes

It is great that you took the time to advise ING.

It is worth reporting to the businesses in question as they can contact the domain registrar/website host to have the bogus/phishing websites shut down.

We have had a number of businesses we have reported scam emails to confirm that they are fraudulent, thank us for advising and also indicate that they will be making requests to have the websites shut down. Shutting down the websites is the best way to protect others from that particular link in the messages.

3 Likes