Thursday, March 16, 2017

Follow up on the ScotiaBank phishing scam

When I last posted to this blog, the other day, I didn’t expect to see anything like the level of interest that the post generated.  There is one question I’ve been asked several times since, which I thought I would address in this post…  

Q. Is it possible to determine which ScotiaBank customers fell for scams?

The short answer is mostly yes.

The longer answer is it’s possible depending on a few factors, however I’m not going to publicly explain how to do this, as there are a few issues here.  The biggest issue is simply that it’s not my data, and handling stolen data is illegal, so I’m simply not going to cross that line and I also refuse to enable anyone else to handle it either.  A second issue is that it’s the bank’s job, and I’m not about to start giving out free IT help to banks…  

So what’s next?

The CCIRC were previously sent a much larger report on this issue, along with supporting proof of what historically goes wrong, when, and what was being missed.  I’ve already noticed that they've done some preliminary poking about based on it.   

We are now 2 days after my original post that said there is usually “ample warning” that a bank phishing attack is coming, and I'm now watching the same attackers' next site slowly coming together since the site was taken down yesterday.  

As you can guess, the CCIRC were notified this morning that the next scam site is now being readied.  A few days ago, I already gave the CCIRC the full list of 8 sites that I can see coming, and so we’ve just checked another one off that list.

The current timelines are now such that there are a clear five days of warning that this next scam is coming.  Now that I’ve successfully proved that the warnings are there if banks apply some common sense, the CCIRC is now in a position to monitor this next site from creation, to corroborate what I’ve been saying about the rest of the process in real time. When the scam generates a signal on Twitter from customers reporting the scam in about 2 days from now, the stop-watch can be stopped when the site is taken down.  That gives outside observers like the CCIRC an idea of response times from when it’s first possible to know a phishing attack is coming to when a bank finally did something about it.  I’ve previously told the CCIRC that this can take as much as 12 days, but they need to see this for themselves and not just take my word for it.  Now they have that opportunity.