HSBC Musician’s Friend Platinum – Phishing Invitation

Sometimes it seems like the credit card companies want you to be phished. Maybe they make more money if some phisher runs up a massive debt on your card and they stick you with the bill. Or maybe they’re just stupid. Either way emails like this one really irk us:

Subject: Reminder: Access Your Online Account

From: “Musician’s Friend Platinum Member Card” <HSBCRetailServices@email.hsbcusa.com>

First off, the subject “Reminder: Access Your Online Account” is almost a perfect phishing subject. If they had said “Confirm” instead of “Access” it would be exactly what we would expect from a phishing email.

The message body looks like this:

HSBC Phishing Invitation

Notice that the message is full of links inviting you to sign in to your account with HSBC. More importantly, none of the links display their destinations. What this means is that anybody who’s even remotely competent at phishing only has to do three things:

  1. Set up a fake site that looks kind of like the site that these links refer to.
  2. Copy this message’s HTML and replace the link destinations with URLs pointing to the fake site.
  3. Send out the fake message and wait for the login credentials to roll in.

To their credit, HSBC did make a couple of attempts at security. The part at the top right with the heading “Email Security” shows the full name and the last four digits of the account number. The message also lists the email address it was sent to and the last four of the account number again.

That’s pretty hard to fake right?

Well, finding the account number would be hard. The full name part would be in millions of databases and therefore not difficult to come up with. As far as the email address is concerned, if the phisher doesn’t have your address you don’t have to worry.

For the phisher, the simple solution to these careful security preparations is to leave the parts about the account number out. (So now they have to do four things. Ooh, how tiring.) Once HSBC has lulled the customer into trusting messages like the one above, the average customer receiving this email is less likely to pay attention to the details, thus making the phisher’s job easier.

So much for security.

We have two recommendations based on this email:

  1. For you. If you do receive emails like this from your bank (it doesn’t have to be HSBC) check the full name and account number, then look up the banks number on one of their statements and call and yell at them for making phishing easy.
  2. For the bank. Stop putting marketing ahead of security. Send emails without clickable links and if you must give the customer a URL do it as plain text. That way the customer can read the URL without clicking it and the phisher won’t be able to fake it.

Okay, we’re done venting for now.

- -

OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.

Tags: ,

Comments are closed.