Phuket live wire: Beware the SCB phishermen

PHUKET: I have been saving up accounts of online fraud directed at people in Phuket, and my inbox is groaning under the weight! Here’s my latest crop of scams you should know about. Hopefully, if you realize other people are getting hit, there’s less of a chance that you’ll lose your shirt to one of these charlatans.

The most convincing scam I’ve seen recently is a phishing expedition directed at Siam Commercial Bank customers. I don’t think the bad guys harvested any email addresses directly from SCB (although that’s certainly possible). My guess is that they found a whole bunch of email addresses – probably on a spammer’s list, where email addresses cost about US$10 per million – that come from domains based in Thailand. So if you have a @loxinfo.co.th address, for example, or a @phuketgazette.net address, you’re more likely to get hit by this phisher.

It’s only a guess, but it wouldn’t surprise me if these people correlated email addresses to countries, then dropped in the name of the largest bank in the country, when constructing their phishing message. The whole process could be automated pretty easily.

In spite of appearances, the link in the message does not go to scbeasy.com. Instead it goes to a page at new11010scb.com, which is a site hosted in the US. The whole web site is offline now, undoubtedly taken down by the authorities.

By the time I got the message and clicked on the link (don’t do this at home!), both Firefox and Chrome put up warnings saying that it was a phishing site. Internet Explorer 9, on the other hand, sailed ahead to an ad (in Thai) for the iPhone 4S. Bravo to Firefox and Chrome. Raspberries to IE 9.

My guess is that the site was a simple phishing site – in its original incarnation, it probably asked you to provide your SCB account number and password or PIN.

Professional scammers who put up sites like this only leave them up for a short time – they collect credentials for a dozen or two dozen valid accounts, then fold up their tents quickly, to avoid detection. If they’re good, they’ll have the money out of the accounts in an hour or two, by using nearby ATMs, or online transfers to an account that’s very hard to trace.

This kind of scamming is quite different from the 419 scammers I discussed last month. Their method is slow and relatively easy to track. Phishing for PINs, by contrast, is very fast, and the biggest exposure is the camera at the ATM machine, or the money trail for electronic transfers.

The person who received the message sent me the email and I put it through the analyzer at iptrackeronline.com and discovered that the message probably originated in rural Kansas, USA.

So either the person who originated the message was smart enough to hide its origin (which is possible, but beyond the skills of your typical scummy phisher), or they were in rural Kansas, or they were using a Virtual Private Network to make it look like they were in rural Kansas – in which case they could have been anywhere in the world.

I also tried running a whois.net search on new11010scb.com, but couldn’t find the registration record for it. So I came to a dead end. No doubt the scammers tricked a handful of people in Thailand. Since I haven’t read of any arrests, chances are good they got in and got out fast enough to elude detection.

It bears repeating: as far as I know, Thailand does not have any consumer protection laws that will help you get your money back if you’re phished like this.

Before you start clucking about “This is Thailand,” realize that a court in Germany just last week determined that banks don’t have to reimburse customers if they were duped similarly. In Germany, if you give away your password – even if you think you’re giving it to the bank – the bank has no liability whatsoever. So, too, Thailand.

A note about a different scam: this one is a variation on the 419. A friend forwarded the message (below) to me from a man who claimed to be from Nicosia, Cyprus.

We went back and forth a bit and he directed me to a perfectly legitimate website, which he had hacked to include a “sign on page” that requested an email ID and password.

I contacted the website’s owner, who was surprised that the page had been taken. The page owner kicked him off, so the scammer had the audacity to direct me to a different page, again on a legitimate site, that he had taken over. This page said he wanted diesel engines.

In the end, it looked like he was most interested in my email address and password, although I imagine he would have offered to buy some diesel engines if I had them, no doubt using PayPal and a “shipping agent” that had to be reimbursed via Western Union.

Be careful out there. These scammers are targeting people here in Phuket, and some of them are pretty good.

Seth Bareiss holds computer sessions every other Wednesday afternoon, from 1:00 to 3:00. If you have a Windows problem that needs to be solved, drop by one of Seth’s free afternoon sessions, or come to one of our free Sunday morning roundtables at Sandwich Shoppe Chalong. Details in the Events Calendar. Sponsored by the Phuket Gazette and Khun Woody’s Sandwich Shoppes.

Live Wire is Phuket Gazette columnist Woody Leonhard’s weekly snapshot of all things internet in Phuket. Shoot him mail at Woody@KhunWoody.com, follow him on Twitter, @PhuketLiveWire, or “like” his page at facebook.com/SandwichShoppe.

— Woody Leonhard
