Cheekiest banking phish mail of 2009 award

I often hear and read people mentioning that phishing emails are getting steadily more credible and it’s true. Criminals are investing more resources in making sure their phishing lures look as graphically and orthographically correct as possible in order to maximise their success rate.


Financial institutions suffer considerable losses year on year to this criminal endeavour and are increasingly deploying technology to help combat this fraud. One technique that is becoming more widespread (at last) is two-factor authentication. Banks provide their customers with hardware or software tokens that generate one-time codes to be used whenever money is being transferred. One of the oldest forms of this is a “code card” or “code sheet” this kind of technology has been in use in some European companies such as France and Germany (for Minitel and BTX banking ) even before the Internet and is still in use today.


Allied Irish Bank (AIB) started providing one time code cards to their customers back in 2005, making them early adopters in English speaking European terms. So it’s no surprise that phishing mails are also evolving to try to overcome these obstacles.


This afternoon I received an email supposedly from AIB informing me that my code card was about to expire

phish mail

AIB phishing email


This piqued my curiosity so I took a quick look at the attachment, only to be amazed at the bare-faced cheek (as my mum would say) of the phishers. Not only are they asking for my registration code, Personal Access Code and home phone number, but also all 100 of my code card digits!

Phishing mail input form

Phishing mail input form

It seems the phishers are relying on people’s lack of familiarity with these kinds of additional security systems in order for this attack to be successful. Hoping that the victim will think “Oh, my card is expiring so I need to use up all the numbers to get sent a new one” or something similar. This is, of course, not how it works.
Your bank knows when you are close to having used up all the numbers and will send you new cards automagically. You should never share the contents of one-time password sheets with anyone and make sure the sheets themselves are always kept in a secure location.
You know something else that really annoyed me about this whole phish? Would you believe it, these criminal types tell lies too! the phishing email promises that “The data submitted will be transmitted over an SSL encrypted connection (128 bit Secure Socket Layer).
One look at the code on the form tells me that ain’t true. I’ll never trust a phisher again. Neither should you.
Source code from phishing form

Source code from phishing form

One thought on “Cheekiest banking phish mail of 2009 award

  1. Pingback: Cheekiest banking phish mail of 2009 award » CounterMeasures « Jared Rimer’s Technology blog and podcast

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.