Latest phishing scam most "devious" ever

Summary: A prominent anti-virus vendor has described the latest e-mail fraud scheme targeted at Westpac bank customers as the most "devious" the company has ever encountered. The e-mail, distributed en-masse to Westpac customers, represents the latest example of "phishing scams," designed to catch the unwary and fool them into divulging their online banking security details.

A prominent anti-virus vendor has described the latest e-mail fraud scheme targeted at Westpac bank customers as the most "devious" the company has ever encountered.

The e-mail, distributed en-masse to Westpac customers, represents the latest example of "phishing scams," designed to catch the unwary and fool them into divulging their online banking security details.

Typically, phishing scam e-mails appear to have been sent from the victim's bank, and contain a link to a fake version of the bank's Web site and instructions to log on to the site to verify their credentials with the bank.

Rob Forsyth, managing director at anti-virus vendor Sophos, believes that the techniques used by online confidence tricksters in the latest Westpac e-mail indicate the scheme is reaching new heights of sophistication.

According to Sophos, the scammers have become better impostors, incorporating phrasing and wording into the e-mail that the bank's customers would recognise from previous authentic advisories it had issued, such as: "Westpac will never ask for your personal or login details by e-mail" -- even though the message then proceeds to direct the reader to do just that.

The architects of the latest scam also adopted a more insidious Web re-direction technique to bamboozle victims than Sophos had ever seen before. Activating the link in the e-mail directs the victim to a fake version of the site but also opens an authentic copy of the site in a second browser window behind it.

The fake version of the site asks for the victim's account access details but returns an error message if he or she attempts to use it. The victim is then sent to the real site unaware that they've been duped.

Forsyth fears that the practice of phishing is at risk of being trivialised in the public's mind. He said that the malicious nature of the crime should be acknowledged.

"I think this is not just a scam like the Nigerian scam -- this is actually direct fraud and the perpetrators of the crime should be dealt with severely," said Forsyth.

Andreas Baumhof, chief technical officer of Microdasys, a Germany-based Internet security company specialising in the Secure Sockets Layer (SSL) technologies used to protect commercial Web transactions, is also concerned for the well-being of online banking customers.

He said that advice given to the public is often wrong, pointing to a recent high profile case of phishing in the US involving ISP Earthlink.

Shortly before the scam, the US Federal Trade Commission advised the public to look for an icon depicting a lock in their browser window when conducting sensitive transactions. The lock icon is associated with SSL Web security technology, which involves encryption and security certificates. The FTC issued blanket advice that such communications were definitively "safe".

Baumhof said the advice was wrong and may actually have contributed to the Earthlink incident. In that case the scam's designers used encrypted SSL connections to direct users to their site, but fraudulent certificates to persuade victims they were in the right place. Baumhof reasons that the FTC's advice gave the victims a false sense of security.

"You can only see that the session is encrypted but you can't tell who you're talking to unless you've verified the certificate," said Baumhof.
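Baumhof's point is the distinction between an encrypted channel and an authenticated peer: the padlock only shows that TLS is on, while the client must separately check that the certificate chains to a trusted CA and was issued for the host name the user typed. The following is an added example, not code from the article or from Microdasys; it reimplements the host-name check over the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, using constructed certificates (the `example-bank.test` and `lookalike.test` names are made up).

```python
import ssl

def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """Return True if hostname is covered by the certificate's DNS SAN entries.
    Falls back to commonName only when the certificate carries no SAN at all.
    Wildcards are accepted only as the whole leftmost label and never on a
    bare TLD, following the usual browser rules."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host_labels):
            continue
        if pat[0] == "*" and len(pat) > 2:
            if pat[1:] == host_labels[1:]:
                return True
        elif pat == host_labels:
            return True
    return False

def verifying_context() -> ssl.SSLContext:
    """The safe client default: CA chain required and host name checked.
    Encryption alone (CERT_NONE, check_hostname=False) is exactly the
    'padlock only' condition the FTC advice mistook for safety."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx

# Constructed sample: a certificate legitimately issued for the bank's hosts.
BANK_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "*.example-bank.test")),
}
# Constructed sample: a certificate that lights up the padlock but was
# issued for a different name, so the identity check must fail.
OTHER_CERT = {
    "subject": ((("commonName", "login.lookalike.test"),),),
    "subjectAltName": (("DNS", "login.lookalike.test"),),
}

if __name__ == "__main__":
    print(hostname_matches_cert("online.example-bank.test", BANK_CERT))  # True
    print(hostname_matches_cert("www.example-bank.test", OTHER_CERT))    # False
```

A browser performs this same comparison before showing the padlock as meaningful; a user who sees only the lock, without the host name in the address bar matching the bank, has confirmed encryption but not identity.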

Meanwhile, Sophos said it had conveyed its concerns to the Australian High Tech Crime Centre.

Topics: Browser, Banking, Malware, Security, Enterprise 2.0

Talkback

8 comments
  • Users who are naive enough to get caught in scams like this shouldn't be using a computer.
    After all, you have to pass proficiency exams before you can drive a car or go scuba diving, why do we then permit inexperienced users to go blindly careening all over the web, frequently without anti-virus measures, regularly without a firewall, and all too often without a clue.
    These same users encourage spam, download suspect software then complain that it's the industry's fault.

    We should have licensed use of the internet, then problems such as identity theft, cracking, spam, viruses and scams would disappear.

    Big brother we need you!
    anonymous
  • Yes, we should restrict access to the Internet to the elite few! That way we can keep the plebs in their place...

    And while we
    anonymous
  • Exactly! And if we're going to sterilize them, why don't we just eliminate the excess while we are at it?

    Excellent idea...oh...wait, you were using sarcasm. Never mind.

    -AR
    anonymous
  • I have been phished by scammers representing themselves as eBay, PayPal, and AOL. I have, as advised by those entities, NOT clicked any URLs or opened any attachments, but have forwarded the messages to their hacker patrols for further pursuit.
    anonymous
  • Targeted Assassination
    anonymous
  • LOL at 'Experienced User's comments!
    Don't worry, these naive users will get their punishment by having the scammers/hoaxsters make a fool out of them, and possibly even charge them the contents of their bank account for the lesson.
    "More devious than ever?" The technique might be devious but the English used was atrocious! You'd think the scammers were trying to look professional enough that they might have used good grammar!
    anonymous
  • Scam the Scammers. I rec'd one of these phishing emails purporting to be from Westpac. I don't have a Westpac account so I can hardly be caught out in this case. So why don't I respond to the scam email and enter an invalid ID and password? If everyone did this then the scammers would not be able to identify the valid from the invalid except by trial and error. At least it would keep them busy for a while. :)
    anonymous