Customers of big banks, beware. You might be surfing the Web with a bull’s-eye on your browser. That’s because Internet scam artists have targeted the customers of large financial institutions for their nefarious efforts.
The technique used by the grifters is a cyberspace version of the old bait-and-switch tactic that in the Internet age could be called the “phish and spoof.”
Phishing entails sending bogus messages purportedly from a legitimate institution to pry personal information from customers by convincing them to go to a “spoof” Web site, a site that emulates a legitimate site but actually collects personal information from unsuspecting victims.
Right now, phishers use a shotgun approach to snare marks. They’ll e-mail messages under the guise of an institution to thousands of people in hopes that some of them will actually be customers of those institutions. That’s why they like mega-institutions, which increase their odds of success.
Banks baited by phishers in recent months include Citibank, Lloyds TSB Bank, NatWest, Visa, Halifax bank and Westpac bank.
Phishing expeditions against banks are “definitely on the rise,” Dave Jevans, chairman of Anti-Phishing.org, told TechNewsWorld. Anti-Phishing.org, whose members include financial institutions, banking organizations, technology companies and consulting firms, was formed to fight phishing.
“Since August, when the Australians got hacked pretty bad, I’ve noticed it trending upward a lot,” added Jevans, who is also a senior vice president at Internet security firm Tumbleweed Communications in Redwood City, California.
He noted that activity has been boosted by copycats who duplicate an official letter and use it to direct traffic to a site they’ve created for themselves.
“We are seeing more organized threats, and we’re finding some sites running multiple attacks — a banking one, an eBay one and something else — all at the same time,” he observed.
Countries where the banking industry is concentrated are attractive marks for the bunko artists. “The prime targets are countries where there are typically a smaller number of banks, which will make the odds of sending an e-mail to someone who might have an account at that bank much higher,” Jevans explained.
The United Kingdom, for example, has 18 banks. Australia has five, and Canada has a handful or fewer. “In the United States,” he said, “we’ve seen attacks against the major banks with millions of users or the major credit card issuers.”
Although phishing at its crudest level requires a degree of gullibility from the guppies it fleeces, scams are getting more sophisticated daily, Jevans said. “There’s a lot of scams where you’d have to be gullible or not a good speller to figure it out, but it can be very hard to tell with some of the good ones,” he asserted.
In some cases, scammers will play to a victim’s distrust of e-mail, noted Craig Schmugar, a virus research engineer at McAfee Security in Santa Clara, California.
“Don’t send us an e-mail, they’ll say, e-mails are insecure,” he explained. Then they’ll instruct the victim to click a link within the e-mail message to go to a “secure Web site,” where they can filch the target’s personal information.
Life for more sophisticated phishers has been made easier by the recent discovery of yet another security flaw in Microsoft Internet Explorer. The flaw, first aired by “Zap the Dingbat” on the Bugtraq mailing list, allows scamsters to hide the true Internet address of a Web page on IE’s address bar.
According to an advisory from Danish security firm Secunia, the vulnerability is caused by an input validation error, “which can be exploited by including the ‘%01’ URL encoded representation after the username and right before the ‘@’ character in an URL.” The vulnerability, described by Secunia as “moderately critical,” blunts the effectiveness of a common antiphishing measure: eyeballing a URL for anomalous characteristics.
Microsoft hasn’t patched this latest tear in IE’s security and appears annoyed at Zap the Dingbat’s methods. “We continue to encourage the responsible disclosure of vulnerabilities,” the company said in a statement. “We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests.”
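Because the address bar cannot be trusted against the trick Secunia describes, a mail gateway or link scanner can parse each link and report the host it really leads to. The following is an added example, not code from the article, Secunia or Microsoft; the function names, finding labels and sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Dotted name ending in an alphabetic label: text a reader would take for a site name.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def inspect_link(url):
    """Return (real_host, findings) for one URL."""
    parts = urlsplit(url)
    real_host = parts.hostname  # host after the last '@', lowercased
    findings = []
    if "@" not in parts.netloc:
        return real_host, findings
    # Everything before the last '@' is userinfo, not the destination.
    findings.append("userinfo-present")
    userinfo = unquote(parts.netloc.rsplit("@", 1)[0])
    if CONTROL.search(userinfo):
        # Covers the '%01' placed right before '@' as well as raw control bytes.
        findings.append("control-char-in-userinfo")
    # Compare the leading, readable part of the userinfo with the real host.
    shown = re.split(r"[\x00-\x1f\x7f:]", userinfo, maxsplit=1)[0]
    if HOSTLIKE.match(shown) and shown.lower() != (real_host or ""):
        findings.append("userinfo-looks-like-host")
    return real_host, findings

def scan_message(text):
    """Return (url, real_host, findings) for every link in text that has findings."""
    hits = []
    for url in URL_RE.findall(text):
        host, findings = inspect_link(url)
        if findings:
            hits.append((url, host, findings))
    return hits

# Constructed sample: reserved example domain and documentation IP address.
SAMPLE_MESSAGE = (
    "Dear customer, e-mails are insecure. Please confirm your details at\n"
    "http://www.bank.example%01@203.0.113.7/login.html\n"
    "Our usual site remains https://www.bank.example/ as always.\n"
)

if __name__ == "__main__":
    for url, host, findings in scan_message(SAMPLE_MESSAGE):
        print(f"{url}\n  real host: {host}\n  findings: {', '.join(findings)}")
```

A link carrying all three findings is a strong candidate for quarantine; a bare `userinfo-present` also matches legitimate credentialed URLs and is better treated as a lower-weight signal.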