Customers of Bank of America, Wells Fargo, and Key Bank are among those being phished, SMiShed and vished by scammers who send SMS text messages directing users to call hijacked Holiday Inn Express phone numbers, which the scammers have rigged to sound like automated banking systems. So far this crop of attacks has been concentrated in the Houston area.
SMiShing is simply phishing via SMS, and vishing (voice phishing) refers to luring users into calling an automated voice system that impersonates the targeted institution and prompts the caller to enter confidential information.
One of the hijacked Holiday Inn numbers is 281-866-0500 (832-237-899 was also compromised), and when you call that number, you reach a computer-generated recording that starts with “Thank you for calling Key Bank. A text message has been sent to inform that your debit card has been limited due to a security issues.”
You are first asked to identify yourself with the last four digits of your debit card. Of course, after that, you are prompted to enter all sixteen digits of your debit card.
In an interview with security researcher and writer Brian Krebs, NumberCop CEO Jan Volzke explains that “Two separate Holiday Inns getting hijacked in such short time suggests there is a larger issue at work with their telephone system provider. That phone line is probably sitting right next to the credit card machine of the Holiday Inn. In a way this is just another retail terminal, and if they can’t secure their phone lines, maybe you shouldn’t be giving them your credit card.”
As always, the primary take-away is to never trust a message, whether email, SMS, or anything else, that asks you to take action directly rather than by securely logging in to your account. The social engineering twist here is that the text message urges you to call your bank, which feels safe, and it relies on users not knowing their bank's actual phone number and therefore being unable to recognize the scam. So the secondary take-away is to be ultra-alert and careful: call only the number printed on the back of your card or on your statement, never a number supplied by the message itself.
And finally, the third take-away is that there is something to be said for a plain old telephone service (POTS) line, which is far harder (though not impossible) to hijack than digital and VoIP systems.
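The defense the take-aways describe, comparing the callback number in a message against numbers you have verified out of band, can be automated in an SMS filter or a fraud-alert pipeline. The Python below is an added example written for this page, not code from Internet Patrol, NumberCop, or any bank: it extracts US-style phone numbers from a message, normalizes them to ten digits, and flags the message if any number is missing from an allowlist. The allowlist entry 800-555-0100 is a placeholder, the urgency word list is an assumption, and the sample SMS is constructed to mirror the scam described above (its callback number is the hijacked Holiday Inn line quoted in the article).

```python
import re
from dataclasses import dataclass, field

# Hypothetical allowlist of numbers the user has verified independently, for
# example the one printed on the back of the card.  800-555-0100 is a
# placeholder (555-01xx is reserved for fiction), not any bank's real number.
VERIFIED_BANK_NUMBERS = {"8005550100"}

# Assumed vocabulary that account-lockout scams lean on to create urgency.
URGENCY_WORDS = ("limited", "suspended", "locked", "restricted", "immediately")

# Matches US-style numbers with an optional +1/1 prefix and common separators;
# the lookarounds stop it from matching inside longer digit runs, and a
# truncated nine-digit string (like the second number in the article) is ignored.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)


def extract_numbers(text):
    """Return the 10-digit US numbers found in text, in order of first appearance, without duplicates."""
    found = []
    for m in PHONE_RE.finditer(text):
        digits = "".join(m.groups())
        if digits not in found:
            found.append(digits)
    return found


@dataclass
class Verdict:
    suspicious: bool
    unverified_numbers: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def assess_sms(text, verified=VERIFIED_BANK_NUMBERS):
    """Flag a message if it asks the recipient to call a number that is not on the allowlist."""
    numbers = extract_numbers(text)
    unverified = [n for n in numbers if n not in verified]
    reasons = []
    if unverified:
        reasons.append("callback number is not one of the bank's verified numbers")
    lowered = text.lower()
    if any(w in lowered for w in URGENCY_WORDS):
        reasons.append("message uses urgency language typical of account-lockout scams")
    # Urgency alone is only a hint; an unverified callback number is the deciding signal.
    return Verdict(suspicious=bool(unverified), unverified_numbers=unverified, reasons=reasons)


# Constructed sample modelled on the scam in the article.
SAMPLE_SCAM_SMS = (
    "Key Bank Alert: your debit card has been limited due to security issues. "
    "Call 281-866-0500 to reactivate."
)

if __name__ == "__main__":
    v = assess_sms(SAMPLE_SCAM_SMS)
    print("suspicious:", v.suspicious)
    for n in v.unverified_numbers:
        print("  unverified callback number:", n)
    for r in v.reasons:
        print("  reason:", r)
```

The allowlist is the whole point: it must be populated from the card or statement, never from anything received by SMS or email, otherwise the check degrades into trusting the message it is meant to vet.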