"Most devious" bank email phishing scam discovered

Fraudsters getting cleverer and cleverer...

By Andrew Colley, 4 March 2004 16:45

The latest email fraud scheme targeted at Australian bank customers has been described as the most "devious" ever encountered.

The email, distributed en masse to Westpac bank customers, is the latest example of a "phishing scam": a message designed to catch the unwary and fool them into divulging their online banking security details.

Typically, a phishing email appears to have been sent from the victim's bank and contains a link to a fake version of the bank's website, together with instructions to log on there to "verify" their credentials with the bank.

Rob Forsyth, managing director at antivirus vendor Sophos, believes that the techniques used by online confidence tricksters in the latest Westpac email indicate the scheme is reaching new heights of sophistication.

According to Sophos, the scammers have become better impostors, incorporating phrasing and wording into the email that the bank's customers would recognise from previous authentic advisories it had issued, such as: "Westpac will never ask for your personal or login details by email" - even though the message then proceeds to direct the reader to do just that.

The architects of the latest scam also adopted a web redirection technique more insidious than any Sophos had seen before. Activating the link in the email directs the victim to a fake version of the site, but also opens an authentic copy of the site in a second browser window behind it.

The fake site asks for the victim's account access details, then returns an error message once they are submitted. The victim is left on the real site, unaware that they have been duped.

Forsyth fears that the practice of phishing is at risk of being trivialised in the public's mind. He said that the malicious nature of the crime should be acknowledged.

"I think this is not just a scam like the Nigerian scam - this is actually direct fraud and the perpetrators of the crime should be dealt with severely," said Forsyth.

Andreas Baumhof, chief technical officer at Microdasys, a Germany-based internet security company specialising in the Secure Sockets Layer (SSL) technology used to protect commercial web transactions, is also concerned for the well-being of online banking customers.

He said that advice given to the public is often wrong, pointing to a recent high-profile case of phishing in the US involving the ISP Earthlink.

Shortly before the scam, the US Federal Trade Commission advised the public to look for an icon depicting a lock in the window of their browser when conducting sensitive transactions. The lock icon indicates an SSL connection, a technology that involves both encryption and security certificates. The FTC issued blanket advice that such communications were definitively "safe".

Baumhof said the advice was wrong and may actually have contributed to the Earthlink incident. In that case the scam's designers used encrypted SSL connections to direct users to their site, but fraudulent certificates to persuade victims they were in the right place. Baumhof reasons that the FTC's advice gave the victims a false sense of security.

"You can only see that the session is encrypted but you can't tell who you're talking to unless you've verified the certificate," said Baumhof.
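The check Baumhof describes, as an added example that is not part of the original article: an SSL connection proves who you are talking to only if one of the names carried in the certificate matches the host you intended to reach. The code below implements that comparison over the dictionary layout Python's ssl module returns from getpeercert(), so it runs offline; the two certificates are constructed for illustration and the hostnames in them (example-bank.com, example.net) are hypothetical.

```python
"""Hostname-vs-certificate check: encryption alone says nothing about identity.

Operates on the dict shape returned by ssl.SSLSocket.getpeercert(), so it runs
offline. Both certificates below are constructed for this example; the names
are hypothetical (example-bank.com, example.net).
"""


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name comparison.

    Case-insensitive; a wildcard is honoured only as the complete leftmost
    label, covers exactly one label, and may not match a name with fewer
    than three labels (so "*.com" never matches "example.com").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list:
    """Names the certificate asserts: SAN dNSName entries, or else the subject CN.

    Once a subjectAltName extension with DNS names is present the CN is
    ignored, which is how browsers treat it.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [
        value
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    ]


def cert_identifies(cert: dict, expected_host: str) -> bool:
    """True only if the certificate carries a name matching the host we meant to visit."""
    return any(_name_matches(name, expected_host) for name in certificate_names(cert))


def verdict(cert: dict, expected_host: str) -> str:
    """Human-readable result for the 'padlock' case: encrypted, but to whom?"""
    if cert_identifies(cert, expected_host):
        return "encrypted AND identity matches %s" % expected_host
    return "encrypted, but certificate is for %s, not %s" % (
        ", ".join(certificate_names(cert)) or "<no name>",
        expected_host,
    )


# Constructed sample data in getpeercert() layout (not real certificates).
BANK_CERT = {
    "subject": (
        (("countryName", "AU"),),
        (("organizationName", "Example Bank Ltd"),),
        (("commonName", "ibank.example-bank.com"),),
    ),
    "subjectAltName": (
        ("DNS", "ibank.example-bank.com"),
        ("DNS", "www.example-bank.com"),
    ),
}

# A perfectly valid certificate, just issued to a different party: the padlock
# appears, but the name is not the bank's.
PHISH_CERT = {
    "subject": ((("commonName", "secure-login.example.net"),),),
    "subjectAltName": (("DNS", "secure-login.example.net"),),
}

if __name__ == "__main__":
    for cert in (BANK_CERT, PHISH_CERT):
        print(verdict(cert, "ibank.example-bank.com"))
```

On a live socket, ssl.create_default_context() (which sets check_hostname) performs this comparison and refuses the connection on a mismatch; the functions above make the logic visible. Note what the check cannot do: a certificate legitimately issued for a look-alike domain passes, so the comparison is only as good as the name the user actually expected to see.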

Meanwhile Sophos said it had conveyed its concerns to the Australian High Tech Crime Centre.

Andrew Colley writes for ZDNet Australia.

Comments

There are 23 comments.

  1. Dr Paul Margerison

    Hi,
    I received an email purporting to be from Barclays IBank and stating that due to previous technical difficulties they had to close the site but now I could go ahead and log in. When I clicked the link, the action you describe occurred, i.e. one window requesting my details and another window from Barclays. If I were a customer of Barclays I would probably have been duped. Barclays state on their website: don't trust the page unless it has https, which of course it had, but it was called www.Barclays IBank.co.uk.

  2. Angus Doyle

    Very devious, I must say. What I would watch out for is a worm that could change the HOSTS file in Windows, therefore redirecting them to an IP address of the hacker's choice. The user types in the address, e.g. http://www.abbey.com, and it goes to the fake site; the user will never know the difference until it's too late. These anti-virus companies and even Microsoft should have some sort of security to ensure that no third-party software can change the HOSTS file.

    Making this information public is a risk, I know, but these risks need to be fixed.
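The HOSTS-file redirection the comment above warns about can at least be detected after the fact. The script below is an added example, not part of the thread: it parses hosts-file text, ignores loopback and unspecified (0.0.0.0 / ::) targets since those block a name rather than redirect it, and reports any watched bank domain that resolves to a routable address. The sample file content is constructed, the domain names are hypothetical and 192.0.2.0/24 is documentation address space.

```python
"""Checks a HOSTS file for bank domains pointed somewhere other than loopback.

Added example; the sample content is constructed and the domains are hypothetical.
Run with no arguments to scan the embedded sample, or pass a path to scan a real file.
"""
import ipaddress
import os
import sys


def hosts_path() -> str:
    """Location of the hosts file on the current platform."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text: str):
    """Yield (ip_address, hostname) pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address in the first column: skip the line
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")


def _covered(name: str, domains) -> bool:
    """True if name is one of the watched domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in domains)


def suspicious_hosts_entries(text: str, watched_domains) -> list:
    """Return (hostname, ip) for watched names mapped to a routable address.

    Loopback and unspecified targets are ignored: they sink a name (the usual
    ad-blocking use of this file) rather than redirect the user elsewhere.
    """
    domains = [d.lower().strip(".") for d in watched_domains]
    hits = []
    for addr, name in parse_hosts(text):
        if not _covered(name, domains):
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits.append((name, str(addr)))
    return hits


# Constructed sample (not a real hosts file).
SAMPLE_HOSTS = """\
# Hosts file, tampered
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-bank.com      # blocked, not redirected
192.0.2.10      www.example-bank.com ibank.example-bank.com   # redirected!
192.0.2.11      www.example-shop.com      # not a domain we watch
"""

WATCHED = ["example-bank.com"]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for name, ip in suspicious_hosts_entries(text, WATCHED):
        print("WARNING: %s -> %s" % (name, ip))
```

A check like this detects tampering rather than preventing it, and only covers the hosts file: malware with administrative rights can equally change the machine's DNS server settings, which this script does not look at.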

  3. José Luis Chávez del Cid

    There is also a "Citibank" phishing scam version rolling out there!

    I received it; the bank is in the United States and I live in Guatemala, so obviously there's something fishy there.

  4. anonymous

    OK, let's say you are a victim of phishing and you give your details away. Surely, as we are talking about electronic transfer of any money you have, the banks can see where the money has gone and stop it from going or request it back? Or why not have a time delay whereby if you transfer a sum of cash online you are emailed to ask if this was your transaction or if it was a fraudulent one?

  5. anonymous

    A colleague of mine recently had a similar e-mail which appeared to be coming from Citibank.

    Who can these e-mails be sent to for further investigation?

  6. Iain Hunneybell

    You're behind the times! This exact same technique of opening a genuine bank window at the same time as the scam/phishing window was used against Barclays last week here in the UK - Fri Feb 27 to be precise. It also employed a technique of disguising the URL of the fraudulent page - although this no longer works with the very latest IE patch. The fraudsters are certainly getting smarter!

    The point about 'inaccurate advice' is very well made. I've seen numerous people think that simply because they can see a padlock everything is okay and of course the means of examining a certificate isn't exactly 'Joe Public' friendly. This kind of advice most certainly is a false sense of security!

    .../Iain

  7. anonymous

    I had a message yesterday purporting to be from Barclays Bank. The message was sent from some IP address in Hungary (0.98.93.129) which had a link to www.best-news.ru and that then went to a server at IP 202.150.192.12 (which displayed the CORRECT URL - ibank.barclays.co.uk except for "http" instead of "https")

    This has links to the real Barclays site. I did report it to Barclays because I couldn't trace it far enough to identify the hosting firm. For all I know they may be blocking the traceroute path. I took another look today and will be asking Hostsave.com which hosts the domain to take a copy of the site and inform Barclays USA about the contents!

    Site still working (though quite how the submission form works I am still unsure - I didn't enter anything!)

    Just be warned that even the URL can be spoofed (I don't know how for that part either, unfortunately!)

    The actual page (details found using Netscape v7.1 with the "page information" option) is at

    http://ibank.barclays.co.uk%01@207.150.192.12/temp/superspt/1,,logon,00.php (i.e. 207.150.192.12 is the remote server). Of course there's a chance that superspt.com's site has been "hacked" and they're an innocent party, but sending an e-mail (if they're involved) would allow them to claim someone else had done this... The domain was only registered on 03 March, and at present www.superspt.com seems to take you direct to the Barclays site.

    Logged:
    Headers for http://www.superspt.com/

    HTTP/1.1 302 Found
    Date: Fri, 05 Mar 2004 12:11:59 GMT
    Server: Apache/1.3.26 (Unix) mod_mhp mod_mhp_log mod_virtcgi frontPage/5.0 mod_status_mhp
    X-Powered-By: PHP/4.0.6
    Location: https://ibank.barclays.co.uk/
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    However http://superspt.com/1,,logon,00.php gives the Barclays form...
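The disguised address quoted in the comment above, as an added example that is not part of the thread: everything before the "@" in a URL's authority is the userinfo (username) part, and the browser connects to whatever follows it. The control character encoded as %01 exploited a display bug in some browsers of the period so that only the bank's name was visible. The functions below extract the host a URL really points to and flag userinfo that looks like a hostname; the spoofed URL is the one quoted above, the other two are constructed for comparison.

```python
"""Pulls the real destination host out of a URL whose userinfo is dressed up as
the bank's hostname.

Added example, not part of the thread. SPOOFED is the URL quoted in the comment;
GENUINE and PLAIN_CREDS are constructed comparison cases.
"""
import ipaddress
from urllib.parse import urlsplit, unquote


def real_host(url: str) -> str:
    """Host the connection goes to: the part of the authority after the last '@'."""
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    """True for a bare IPv4/IPv6 address, which no bank login page would use."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def displayed_userinfo(url: str) -> str:
    """Text before '@' in the authority, percent-decoded (what the eye reads first)."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return ""
    return unquote(netloc.rsplit("@", 1)[0])


def deceptive_userinfo(url: str) -> bool:
    """Flag userinfo that looks like a hostname or hides control characters.

    A dot in the username is the tell: a spoof must carry the bank's domain
    there, whereas genuine credentials in URLs are rare and usernames seldom
    contain dots (a name like "john.doe" is the one false positive to expect).
    Control characters only serve to truncate what the browser displays.
    """
    info = displayed_userinfo(url)
    if not info:
        return False
    username = info.split(":", 1)[0]
    looks_like_host = "." in username.strip(".")
    has_control = any(ord(ch) < 0x20 or ch == "\x7f" for ch in info)
    return looks_like_host or has_control


def inspect(url: str, expected_host: str) -> dict:
    """Summarise what should be compared against the bank host the user expects."""
    host = real_host(url)
    return {
        "real_host": host,
        "ip_literal": is_ip_literal(host),
        "deceptive_userinfo": deceptive_userinfo(url),
        "matches_expected": host == expected_host.lower(),
    }


SPOOFED = "http://ibank.barclays.co.uk%01@207.150.192.12/temp/superspt/1,,logon,00.php"
GENUINE = "https://ibank.barclays.co.uk/"            # constructed comparison case
PLAIN_CREDS = "ftp://anonymous:guest@files.example.org/pub/"  # constructed, legitimate userinfo

if __name__ == "__main__":
    for url in (SPOOFED, GENUINE, PLAIN_CREDS):
        print(url)
        print("   ", inspect(url, "ibank.barclays.co.uk"))
```

The point of real_host is that it uses the same rule the browser does (split on the last "@"), so the output is the name a user should have compared against the bank's address; the other fields are the warning signs a mail filter or proxy could act on.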

  8. Clive Miller

    Maybe developers of web browsers should be encouraged to show the certificate to the user when they access a secure site.

  9. Virusbuster

    Personal firewalls should be the way forward to protect against phishing. The latest release of ZoneAlarm allows you to input your eBay password and then alerts you if you are not logging onto a genuine eBay site. I think this is the way forward.

  10. James Button

    Is the only safe(?) way to always type in the web address?

    The current list of warnings I have received include:

    Don't use links in emails.
    Don't believe in secure site markers.
    Don't believe in certificates.
    Don't use the x to close windows.
    Don't rely on bank sites' security.

    Did I miss any?

    Oh yes:

    Don't rely on your system being secure if it's ever been connected to the outside world - and if it's been attached to the internet - Oooh, could you be in trouble.

    Don't give out security details if you are called by your bank
    (well, they said they had an offer to discuss and wanted to be sure who they were talking to - and when you called the checking number they gave, their associate confirmed they were authorised to ask for your security details).

    Don't let people know your email id.

    Is it safe to even enter 'security' information through a PC?

    Don't let your debit/credit card out of your sight.

    Don't let somebody scan your cards through a machine - unless you are sure the machine is only connected to the bank's system - and not via somebody's PC under the desk.

    - How many people know your date of birth and mother's maiden name?

    Incidentally, is it safe to give somebody a cheque that has your bank account details on it?

    Looks like it's going to be back to the bag of cash under the bed.

  11. peter stearn

    As safe as putting your money in the bank?
    Not any more, it would seem.
    As an average user I would have no idea if firewalls are active on my PC.
    Also I can't be sure if rogue programs running on my PC are capturing keystrokes when entering passwords.
    The safest thing in my view is to put your money in a bank that does not offer internet banking services.
    I cannot be sure that sooner or later one of these banks will not crash.

  12. Graham Wharton

    Fake Lloyds TSB emails are being sent
    to me all the time!

  13. Alan Clifford

    I received one of these for Barclays Online Banking; they asked you to click on a link and fill in details. The link directed my web browser to the actual Barclays website but also opened a pop-up box with a replica of the online banking log-on screen. I spoke to Barclays, who instructed me to delete the e-mail.

  14. anonymous

    There is a very similar Ebay/Paypal phishing scam going around.

  15. Pat Mason

    I had a new variant at home yesterday, in the form of an 'ON LINE ORDER CONFIRMATION' message, saying I had ordered a 42 inch plasma screen at $4,195. This was of course designed to make me panic and open a link to enter correct details or cancel the order. I knew I hadn't ordered it but when I checked the headers, there was a virus embedded in the message, caught by my AV package.

  16. Disgusted

    They get away with this because the banks and the police are not at all interested in pursuing them. I've forwarded these emails "posthaste" to the banks and police, and the response is dismal.

    Try it yourself - you'll be amazed at the indifference. The attitude seems to be "it's your loss not ours" - quelle surprise!

  17. Mark

    How is this new? It's only the same techniques used by account "phishers" for years. They may employ newer disguising techniques, but it's a very tired and, I suppose, tried and tested method.

    I first saw mails like this about 10 years ago.

    Frankly I am surprised anyone is dumb enough to fall for it.

  18. SolCuerda

    I have had over 60 of these scam emails in an account I only use for one purpose. It gets over 200 spam emails a week, I have never given it out to anyone except ONE website. Best thing is, I don't even have a bank account with ANY of these branches.

    It's proof that the spammers have turned ugly, and are now using even more fraudulent means to get your money. I just hope they are caught and then kicked to death.

  19. tim bain

    I have had a dozen of these bank scam emails, but seem to be getting the same thing now from my ISP (or seeming to be), and this contains a virus in an attachment.
    The wary or savvy will see this; I wonder how many poor souls won't, though?
    Maybe organisations should be making it clear what their policy is to customers. WE NEVER ASK FOR YOUR DETAILS IN EMAILS... WE NEVER SEND ATTACHMENTS etc. One mass mail and everyone is clear; they aren't shy doing that for advertising services.

  20. tim bain

    I had a scary experience in a Yahoo chatroom related to this.

    I was wasting time chatting with web design mates, and got a message from a guy asking about making website forms. Thinking it was some homepage form, I offered him a PHP form I had handy to edit, and some help doing it. "No", he said, "I want it like this one"... and he directed me to a porn paysite form for signups.
    "Exactly like that one, same images and everything... just a different email address." I explained the images were copyright etc. but he went on to explain what he intended.
    He was going to penetrate the porn site's FTP account, substitute his fake form for theirs and go on holiday with the credit card accounts he harvested that way. He also offered me "whatever I wanted" for helping him with the form.
    I have absolutely no doubt he had the know-how to substitute the form, as he explained it in great detail. I have no doubt he did it anyway despite getting no help from me.
    So next time you fill in your details on a form... remember he is still around and so are many like him.

  21. anonymous

    Best to bank with a bank with fewer customers then, as it's less likely to become a target.
    That goes for ISPs with spam, cars with car thieves etc.
    Basically, don't be your average Joe Public.
    Didn't people used to use the same principle 20 years ago to harvest usernames and passwords from Unix terminals?

  22. Les Kirschner

    Date: Mon, 12 Sep 2005 18:19:30 +0800
    To: paper_tigerau@yahoo.com
    Subject: Unauthorized Account Access Bank of Oklahoma
    From: "OnlineBanking" <accounts@bankofoklahoma.com> Add to Address Book
    Dear Bank of Oklahoma customer. Please read this message and follow it's instructions.
    Unauthorized Account Access
    We recently reviewed your account, and we suspect an unauthorized ATM based transaction on your account. Therefore as a preventive measure we have temporary limited your access to sensitive Bank of Oklahoma features.
    To ensure that your account is not compromised please login to Bank of Oklahoma Internet Banking and Investing by clicking this link <http://209.132.69.142/~barb/OnlineBanking/>, verify your identify and your online accounts will be reactivated by our system.
    To get started, please click the link below:
    <https://onlinebanking.bankofoklahoma.com/OnlineBanking/login.aspx?ReturnUrl=%2fOnlineBanking%2fDefault.aspx>
    <http://209.132.69.142/~barb/OnlineBanking/>
    Important information from Bank of Oklahoma. This e-mail contains information directly related to your account with us, other services to witch you have subscribed, and/or any application you may have submitted.
    Bank of Oklahoma and its service providers are committed to protecting your privacy and ask you to send sensitive account information through e-mail.
    <------------------------------------------>
    I'm in Melbourne, Australia, and they can't even use a spell check! :-)
    Regards,
    Les Kirschner.
    paper_tigerau@yahoo.com

  23. anonymous

    We have just received a similar e-mail from "First Bank" with a direct link to complete a form with "updated details". I know we have never had anything to do with "Firstbank". Suspicious? How do I get this checked out, please?
