Hello, welcome to the Tuesday, March 7th, 2017 edition of the Sands and a Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Today we got a guest diary by Renato Marino about a rather interesting and persisting fishing attempt.

Now, in this case, it all started out with the attacker

actually being able to register a typo squatting domain for the Brazilian Santana Bank. The fake domain

that they registered was only missing one single N. Now, the victim then went to the

mistyped URL and entered their username and password and possibly even a one-time password

token. But apparently this last step didn't quite work. Now typically these tokens are valid for a couple of minutes, so maybe the attacker wasn't fast enough in using the token,

or also possible that a second token was required to actually transfer money.

Well, either way the attacker actually called the victim and asked for a second one-time

password from this login token.

Now, the victim at this point got a little bit suspicious.

The attacker did try to convince the victim to give up the information by using data collected

during the initial login attempt.

The attacker apparently also had additional information, for example, about recent transactions,

the last four digits of the social security number of the victim, which were either collected during the initial

login attempt or using the initial token submitted by the user.

Lucky for the victim, the victim didn't actually fall for this phone call, but insisted in calling

the bank back at their published phone number.

That's, of course, what you always should do in a case like this.

Pretty good here by the victim to not fall for this final step,

because this is actually quite convincing if you have someone from your bank call you,

...