Personal Information Security

Phishing for Banking Information, (Fri, Dec 27th)

It is again the time of the year when scammers are asking to verify banking information, whether it is credit cards, bank cards, package shipping information, winning money, etc. Last night I received a text message to verify a credit card, in this case a Bank of Montreal (BMO) credit card.

According to the Bank of Montreal (BMO) scam alerts page, the bank uses a specific SMS number to send texts to its consumers: “The only BMO Alert you will receive on your mobile device via SMS regarding your accounts and credit cards will come from our 6-digit number “266898.” Our code never changes, so use this code to determine if it is BMO messaging you.” [1] It is important to know how a bank will contact you by SMS. This is a copy of the text I received.

Is it Phishing? Any Suspicious Clues that Stand Out?

  • The text I received was from a (438) area code and not from BMO; that is the first error.
  • The second error is the card number “Starting in 5510 29**”; normally it is the last 4 digits of the card that appear on statements, not the beginning.
  • The last clue is the website, which contains spelling errors: bmo-securltyverlfy1[.]com [4] -> The website is spelled with the letter “l” vs the letter “i”. This domain was registered on 2024-12-11 [5], just in time for the holiday season.
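
The three clues above can be checked automatically. The following Python is an added example, not part of the original diary or any BMO tooling; the sample message wording, the phone number, the keyword watch-list and the confusable-character map are constructed assumptions.

```python
import re

BMO_SHORT_CODE = "266898"   # the only SMS sender BMO says it uses (quoted above)
LEGIT_DOMAIN = "bmo.com"    # the bank's own domain, as in reference [1]
# Assumed watch-list of words a bank-themed lure tends to put in its hostname.
KEYWORDS = ("bmo", "security", "verify", "secure", "alert")
# Assumed, non-exhaustive map of characters swapped in look-alike names.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o"})
# Matches hostnames written normally or defanged with "[.]".
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,})", re.I)


def skeleton(text):
    """Collapse confusable characters so 'securlty' and 'security' compare equal."""
    return text.lower().translate(CONFUSABLE)


def hosts_in(body):
    return [h.replace("[.]", ".").lower() for h in HOST_RE.findall(body)]


def sms_red_flags(sender, body):
    flags = []
    # Clue 1: the sender is not the bank's published short code.
    if re.sub(r"\D", "", sender) != BMO_SHORT_CODE:
        flags.append("sender-not-short-code")
    # Clue 2: the card is identified by its first digits instead of the last 4.
    if re.search(r"starting (?:in|with) \d", body, re.I):
        flags.append("card-prefix-not-last4")
    # Clue 3: a link to a host outside the bank's domain, possibly a look-alike.
    for host in hosts_in(body):
        if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
            continue
        flags.append("non-bank-domain:" + host.replace(".", "[.]"))
        fakes = [k for k in KEYWORDS if skeleton(k) in skeleton(host) and k not in host]
        if fakes:
            flags.append("lookalike:" + ",".join(fakes))
    return flags


# Constructed samples: the wording and the phone number are made up; the area
# code, card prefix and defanged domain are the ones reported in this diary.
PHISH = ("(438) 555-0123",
         "BMO: your card Starting in 5510 29** is on hold, verify at "
         "https://bmo-securltyverlfy1[.]com")
LEGIT = ("266898", "BMO Alert: a purchase was made on your card ending in 1234")

if __name__ == "__main__":
    for sender, body in (PHISH, LEGIT):
        print(sender, "->", sms_red_flags(sender, body) or "no red flags")
```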

Reviewing Domain Information

This domain resolves to IP 34.155.192.52 (ASN 396982). A review of the VirusTotal relationship information for this domain shows that, as of this writing, 81 domains [2] have been created since 23 Dec 2024 under this IP address, targeting Canada Post, Scotiabank, rebate information, etransfer, Costco rewards, etc.

Indicators

34.155.192.52
bmo-securltyverlfy1[.]com

It is important to carefully review the data before entering any information. Stay safe.

[1] https://www.bmo.com/en-ca/main/personal/security-centre/scam-alerts/
[2] https://www.virustotal.com/gui/ip-address/34.155.192.52/relations
[3] https://www.virustotal.com/graph/34.155.192.52
[4] https://www.hybrid-analysis.com/sample/c76cbf6e22734f177e024e1fee02ed17a53413e0dfee02c6a6601be28280b167
[5] https://www.scamadviser.com/check-website/bmo-securltyverlfy1.com?utm_source=hybridanalysis
[6] https://www.sans.org/security-awareness-training/

———–
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.