The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Thursday, March 23, 2006

Stolen iBill subscriber information used to generate custom phishes

Something new crossed my desk last night: Neil Schwartzman, a long-time anti-spam activist, reports that credit card and other personal information stolen from credit card processor iBill is now turning up in customized phishing attempts.

iBill first gained attention in the late 1990s as the credit card processor of choice for porn spammers. The problem became severe enough that they were listed by the MAPS RBL in 1998 and again in 2000.

Earlier this month, WiReD magazine reported that iBill had leaked seventeen million customer records. Leaked information included names, phone numbers, addresses, email addresses, logins, passwords, and even IP addresses. Indications are that this was an inside job rather than the work of an external cracker. The information is now available on the internet, being bought and sold in a spammers' and fraudsters' black market.

A later story in WiReD indicated that iBill was innocent after all: iBill president Gary Spaniak Jr. claims that iBill cross-referenced the stolen information against their own database and only found three matches out of seventeen million.

However, new information indicates this may not be the case after all.

Neil reports that on Monday he received a phishing attempt that contained personal information intended to convince him that the phish was legitimate. In this particular case, however, the information had been tagged when it was submitted, and thus we know it could only have come from iBill.

From: Bankone Online Security
Reply-To: Bankone Online Security
To: NEIL SCHWARTZMAN
Date: Mar 20, 2006 9:35 AM
Subject: Online Activity Verification

Dear NEIL SCHWARTZMAN,

We are committed to protecting you, with the latest technology to keep
your details secure, and dedicated teams to monitor online activity
and intercept any suspicious actions. And we do everything we can to
protect our online customers, but the steps we take can be much more
effective if you work with us to protect yourself.

03/20/2006 our security system detected an unsuccessfull access
attempt to your online account from Ip address 81.190.253.29 that does
not correspond to your current address:

123 Main Street
Montreal, QC
H4A 2X7

Please click here to confirm your current address or change it online.

If you do not confirm your address until 03/23/2006 your account will
be SUSPENDED for security reasons and we will send you an Activation
Code by post which you will need to renew your online banking service
access. You will receive this within seven days if your current
address is not confirmed.

Sincerely,

Bill Clark
Online Security Team
[Some identifying information removed.]

It could be hard for many people to resist a phish so directly targeted. It's important that the word get out before too many people get taken in.

Oh, and if you used the same login and password to sign up on that porn site that you used for your World of Warcraft account, well, sucks to be you. That priceless +5 sword of smacking? Gone.
