Every so often, there is a phish that stands out because of its brazenness. Today, we came across a bank phish that requested a few verification details:
Username and Password
Social Security Number
Email address and email password used for 2-Step verification
What was your dream job as a child?
Who is your favorite sports athlete or player?
What was the food you LEAST liked or DISLIKED as a child?
What is your favorite book/movie character?
What was the first album you purchased?
So, you know, just a few basic details.
The form was found at a Thinkific file subdomain. Thinkific is a service for crafting a customized education course. As there is a free tier available, it is ripe for abuse by attackers, who can spin up an account and quickly deploy phishing content. This is a problem with all free tier content hosts, so Thinkific isn’t being singled out. This phish was detected just yesterday (12/21/2021), so we expect to see the URL in question cleaned soon.
We reviewed the HTML code and found numerous references to SunTrust Bank, even though this form had the Hancock Whitney Bank logo on it. The relationship between these banks is unknown to us, but that isn’t really the focus of the topic at hand. We do give the attackers a little credit for attempting to give the page a semblance of legitimacy by adding some disclaimer information at the bottom of the page.
It was easy to spot where the data would end up. The HTML shows that the form will be submitted to a usebasin[.]com location, seen at the bottom of the image posted below.
We followed that link to find it had since been cleaned.
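The two checks described above (brand strings in the markup that don't match the logo, and a form that posts to a third-party collection host) are easy to automate when triaging a suspected phishing page. The following is an added example written for this post, not code from the original write-up: it parses saved page HTML with the standard library, lists every form's submission host, flags forms that post off-site, and names the sensitive fields each form asks for. The sample HTML, the hosting domain and the form-collector domain are all constructed placeholders.

```python
"""
Static triage of a saved phishing page: for each <form>, report where it
submits, whether that host differs from the page's own host, and which
sensitive fields it requests.  Also count how often each brand name appears
in the raw markup, so a logo/markup mismatch stands out.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for this example (placeholder domains, not the
# real URLs from the incident): one bank's logo, another bank named in a
# comment, and a form posting to an unrelated form-collection host.
SAMPLE_HTML = """
<html><body>
<img src="/static/hancock-whitney-logo.png" alt="Hancock Whitney Bank">
<!-- SunTrust online banking -->
<form method="post" action="https://form-collector.example/f/placeholder-id">
  <input name="username">
  <input name="password" type="password">
  <input name="ssn">
  <input name="email">
  <input name="email_password" type="password">
  <input name="security_q1" placeholder="What was your dream job as a child?">
  <input type="submit" value="Verify">
</form>
</body></html>
"""


def classify_field(name, attrs):
    """Map an <input> to a sensitive-data category using simple name/type
    heuristics (hypothetical rules chosen for this example)."""
    text = " ".join([name, attrs.get("placeholder", ""), attrs.get("type", "")]).lower()
    if "email" in text and "password" in text:
        return "email account password"
    if "password" in text:
        return "password"
    if "ssn" in text or "social" in text:
        return "social security number"
    if "security" in text:
        return "security question answer"
    return None


class FormAuditor(HTMLParser):
    """Collects every form on the page with its target host and its fields."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = a.get("action") or ""
            # A relative action submits back to the hosting site itself.
            host = urlparse(action).hostname or self.page_host
            self._current = {
                "action": action,
                "host": host,
                "off_site": host != self.page_host,
                "fields": [],
                "sensitive": [],
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() in ("submit", "button", "reset"):
                return
            name = (a.get("name") or "").lower()
            self._current["fields"].append(name)
            label = classify_field(name, a)
            if label:
                self._current["sensitive"].append(label)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def brand_mentions(html, brands):
    """Case-insensitive count of each brand string in the raw markup."""
    lowered = html.lower()
    return {b: lowered.count(b.lower()) for b in brands}


def audit_page(html, page_host, brands):
    """Run both checks and return a structured summary."""
    auditor = FormAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return {"forms": auditor.forms, "brand_mentions": brand_mentions(html, brands)}


if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, "course-host.example", ["Hancock Whitney", "SunTrust"])
    print("brand mentions:", report["brand_mentions"])
    for f in report["forms"]:
        flag = "OFF-SITE" if f["off_site"] else "same host"
        print(f"form -> {f['host']} ({flag}); asks for: {', '.join(f['sensitive'])}")
```

Run against a saved copy of a suspicious page with the hosting domain as `page_host`; a login form that posts to a different host than the one serving it, while asking for a password, an SSN and an email password at once, is exactly the pattern seen here.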
Phishing scams are everywhere. They come in all different variations, and the tactics are often not new. The Hancock Whitney Bank example is clearly something you won’t fall for. But who knows, mistakes do happen. Anyhow, this phish does serve as a good reminder of how precious your private information is. If you have access to a password manager, then please use it. That way, you can make up random answers to security questions and save them to your manager. If you or someone you know happens to get bamboozled and has sensitive data phished, then at least the security questions only go as far as that one account, which prevents attackers from gaining access to your other accounts.
If anyone asks for your email password that isn’t your actual email login page, then don’t share it!