We have noticed a lot of SMS-based web-phishing attacks in China targeting the Bank of China’s online users. They received a phishing SMS that is designed to look like it was sent by the bank as a reminder to its customers: “Dear user, your token has expired, please visit http://www.boc**.com to reactivate your token.” The URL is similar to the bank’s official website but points to a phishing site that looks almost like the original bank website.
On this bogus phishing website, there is a button on the top right that says “Upgrade your token.”
Once the user clicks this button, it redirects to a page that looks like the normal online-banking login page. The criminals will get all the info they need to steal money from the victim’s account: user ID, password, and token.
This information is used immediately to transfer the victim’s money into the attacker’s account before the token expires.
A lot of technologies–including tokens, certificates, dongles, etc.–are designed specifically to protect against phishing. But even though Bank of China uses tokens to enhance security, customers still need to take care to prevent this type of phishing attack.