The New York Times is reporting that the FBI indicted 53 people in three states and began arresting them for phishing users' bank credentials and stealing their funds from Bank of America and Wells Fargo.

The operation was dubbed "Operation Phish Phry" by the FBI and named 47 individuals in Egypt as unindicted co-conspirators. This was a large banking fraud operation conducted at several levels.

It appears that the phishing was initiated by the Egyptians, who tricked users into handing over their credentials. They cast a wide net by choosing banks with a nationwide presence, which maximized both the number of valid logins they could collect and the pool of people willing to assist in the fraud at local branches.

SophosLabs has blogged before about banks that allow logins with only a user ID and password. This is a terrible security practice for financial transactions. Some banks now send you an SMS when you attempt to log in and ask you to enter a code from the text message. This kind of two-factor authentication would have stopped the attack described here, in which stolen logins were collected and then used later by people who never held the victim's phone. It is not a complete answer: a phishing page that relays the victim's one-time code to the real bank while the code is still valid can still get in, so the code must be short-lived and single-use, and the password alone must never grant a session.

The Egyptians provided the stolen logins to three ring leaders in California. These ring leaders recruited "runners" who would open accounts with the two financial institutions where the victims' accounts resided. The ring leaders could then log in and transfer the funds from the victims to the runners. The stolen data was not limited to account information; it also included Social Security numbers and potentially other personally identifiable information.

The ring leaders would alert the runners through SMS, internet chat, and phone calls to withdraw the cash and send it to them by Western Union. They could then wire the money to the Egyptians after taking their cut.

North American institutions were among the first to deploy online banking and seem to be the last to secure those sites effectively. In fact, several American institutions are willing to send you account information over Twitter!

By embracing social media, banks and credit unions are encouraging users to supply personal and financial information in places where it simply doesn't belong. Teaching users to be comfortable controlling and communicating about their accounts on Twitter is absolutely a bad idea.

I sincerely hope the press this story is getting is a wake-up call for American financial institutions.
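The SMS second step described above, as an added example that is not part of the original post and not any bank's code. It models the Phish Phry pattern: the attacker holds a phished password but not the victim's phone, so the login cannot be completed. The class and function names, the user store, and the in-memory "inbox" standing in for the SMS gateway are all hypothetical and constructed for this example.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a one-time code is valid for five minutes
MAX_ATTEMPTS = 3         # a pending login is discarded after three wrong codes


class LoginService:
    """Toy two-step bank login: static password first, then a one-time code sent out of band.

    Hypothetical example code. The user store keeps plaintext passwords only to stay short;
    a real store holds salted password hashes.
    """

    def __init__(self, users, send_sms, clock=time.time):
        self.users = users        # {user_id: {"password": str, "phone": str}}
        self.send_sms = send_sms  # callback standing in for the SMS gateway
        self.clock = clock        # injectable so expiry can be exercised
        self.pending = {}         # login token -> pending challenge

    def start_login(self, user_id, password):
        """Step 1. A correct password yields a login token and an SMS, never a session."""
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_urlsafe(16)
        self.pending[token] = {
            "user_id": user_id,
            "code": code,
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # The code goes to the phone on file, not to whoever typed the password.
        self.send_sms(user["phone"], f"Your login code is {code}")
        return token

    def finish_login(self, token, submitted_code):
        """Step 2. Returns the user_id on success, None otherwise."""
        challenge = self.pending.get(token)
        if challenge is None:
            return None
        if self.clock() > challenge["expires"]:
            del self.pending[token]           # expired: force a fresh password step
            return None
        challenge["attempts"] += 1
        if not hmac.compare_digest(challenge["code"], submitted_code):
            if challenge["attempts"] >= MAX_ATTEMPTS:
                del self.pending[token]       # stop online guessing of the six digits
            return None
        del self.pending[token]               # single use: a captured code cannot be replayed
        return challenge["user_id"]


def demo_phished_password_alone_fails():
    """Simulates the Phish Phry pattern: the attacker has the password, the victim has the phone."""
    inbox = []   # constructed stand-in for the victim's handset
    svc = LoginService(
        {"victim": {"password": "correct horse", "phone": "+1-555-0100"}},
        send_sms=lambda phone, msg: inbox.append(msg),
    )
    # Attacker logs in later with the stolen password; the SMS lands on the victim's phone.
    token = svc.start_login("victim", "correct horse")
    real_code = inbox[-1].split()[-1]
    wrong_code = "000000" if real_code != "000000" else "000001"
    attacker_result = svc.finish_login(token, wrong_code)
    # The victim, who holds the phone, completes the same step; the code dies with the login.
    token = svc.start_login("victim", "correct horse")
    real_code = inbox[-1].split()[-1]
    victim_result = svc.finish_login(token, real_code)
    replay_result = svc.finish_login(token, real_code)
    return attacker_result is None and victim_result == "victim" and replay_result is None


if __name__ == "__main__":
    print("phished password alone fails:", demo_phished_password_alone_fails())
```

The three properties that matter are visible in `finish_login`: the code is bound to one login attempt, it expires, and it is deleted on first use. Those stop the "collect now, cash out later" flow the article describes. They do not stop a phishing page that forwards the victim's code to the real bank within the five-minute window, which is why the validity window is short and why the password step alone never returns a session.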