I received a quaint new phishing scam via SMS a couple of days ago, purporting to come from ING:
“You have just logged in on a NEW device. If this was NOT you, immediately go to: login.my-id-au . net”
login.my-id-au . net was a hyperlink, presumably to a site of the same name. my-id-au . net is registered in New York, with ownership details protected by privacy.org. I reported the site name as a probable scam to privacyprotect.org. It is now listed as registered under hostinger.com, a provider of web hosting services.
The format is different to other scams I’ve seen, and more compelling. The only giveaways are that (a) I don’t currently have an ING account; and (b) my-id-au . net is a distinctly dodgy sounding site name for a reputable company like ING to use.
This will likely be repackaged to appear to come from other household name brands.
I got almost the same text message from ‘ING’ two days ago, but with a different hyperlink:
“A NEW device has logged in successfully. If this was NOT you, immediately go to: client-menu . com”
Being a customer of ING it felt more genuine, but anything with a hyperlink raises my suspicions. So I checked my account, changed my access code and notified ING. The text I got from ING confirming my change of access code appeared on my phone in a different ‘conversation’ and addressed me by name.
A very well crafted phishing screen. Looks just like an ING logon screen I would assume, except none of the links work.
And even certified for HTTPS, with a valid certificate issued on Nov 3 signed by the open source ‘Let’s Encrypt’ organization.
Anyone with a registered domain name of any sort could get a CA signed certificate from that bunch for free with no actual checking done. It’s an automated process, but the cert only lasts three months.
I clicked the bogus link and Malwarebytes, Microsoft, and Firefox flagged it as dangerous / bogus. I have thus removed the hotlink from your post to inhibit the casually curious from accidentally visiting it.
It might be worth reporting to ING and Scamwatch. I report new scams I haven’t seen before or seen mentioned online to businesses used in the scam and to Scamwatch in the hope that it prevents at least one person getting scammed.
https:// - this only indicates secure socket (or TLS aka Transport Layer Security) secure services. It doesn’t mean the latest version of TLS is necessarily used, only that the secure sockets layer is engaged for traffic encryption between the client and the web server.
It doesn’t in any way indicate the site accessed is at all safe.
If you enter a URL to a browser it will default to the HTTP protocol.
It is up to the website to specify what the protocol should be for the particular service they are offering. It could be HTTP, or the now more widely used HTTPS as more secure, or perhaps FTP, or FTPS.
Today’s browsers detect pages that contain input fields that could be userid and input and warn that the protocol used, if HTTP, is unsecure.
They also warn, if the protocol is HTTPS, and that requires certificate checking and key exchanging, if the certificate has a problem. Expired perhaps, or from a CA that cannot be verified.
It is worth reporting to the businesses in question as they can contact the domain registrar/website host to have the bogus/phishing websites shut down.
We have had a number of businesses we have reported scam emails to confirm that they are fraudulent, thank us for advising and also indicate that they will be making requests to have the websites shut down. Shutting down the websites is the best way to protect others from that particular link in the messages.
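An added example, not part of the thread: a small check that pulls the link out of messages like the two quoted above and compares its host with the domains the claimed sender really uses, ignoring HTTPS entirely, as the posts above point out a valid certificate proves nothing about the operator. The allowlist entry `ing.com.au`, the function names and the third sample message are assumptions made for illustration.

```python
import re

# Assumption: defender-maintained allowlist of domains the brand really uses.
BRAND_DOMAINS = {"ing": {"ing.com.au"}}

# Hostname pattern; a dot may be written "." or defanged as " . " as in the thread.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+(?:\.| \. ))+[a-z]{2,}", re.IGNORECASE)
URGENCY_RE = re.compile(r"immediately|not you|new device", re.IGNORECASE)


def extract_hosts(text):
    """Return normalised hostnames found in an SMS body."""
    return [m.group(0).replace(" ", "").lower() for m in HOST_RE.finditer(text)]


def is_brand_host(host, brand):
    """True only for an allowlisted domain or a subdomain of one.

    Matching is on whole labels from the right, so a brand name placed at the
    front of an unrelated domain does not pass.
    """
    return any(host == d or host.endswith("." + d)
               for d in BRAND_DOMAINS.get(brand, ()))


def assess_sms(text, claimed_brand):
    """Flag a message whose link leaves the claimed brand's domains.

    The scheme and certificate are deliberately ignored: HTTPS with a valid
    certificate says nothing about who operates the site.
    """
    hosts = extract_hosts(text)
    off_brand = [h for h in hosts if not is_brand_host(h, claimed_brand)]
    return {"hosts": hosts, "off_brand": off_brand,
            "urgency_cue": bool(URGENCY_RE.search(text)),
            "suspicious": bool(off_brand)}


# The two messages quoted in the thread (links left defanged as posted),
# plus one constructed message pointing at the assumed genuine domain.
SAMPLES = [
    "You have just logged in on a NEW device. If this was NOT you, "
    "immediately go to: login.my-id-au . net",
    "A NEW device has logged in successfully. If this was NOT you, "
    "immediately go to: client-menu . com",
    "Your access code was changed. Details: https://www.ing.com.au/",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(assess_sms(sms, "ing"))
```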