Crime gangs go phishing in Australia

The past several weeks have seen a rash of "phishing" expeditions, in which fraudulent spam has been sent out attempting to trick the recipients into providing their bank account details.
Written by James Pearce, Contributor

In what is believed to be the result of organised crime gangs moving into the space, the number of fraudulent e-mails phishing for bank details has escalated sharply over the past few weeks, prompting the U.K. police to warn companies of the danger of having their identity "stolen".

Phishing involves sending out spam that purports to be from a particular company, informing people that they need to click on the link included in the message and enter their account details or risk dire consequences. Some e-mails claim the details need to be updated or access privileges will be lost, others claim that the account has been compromised and the details need to be entered for "security".

The fraudsters use sophisticated techniques such as grabbing real graphics from the banks' Web site to make the e-mail look authentic and disguising the hyperlink so it appears to point at the legitimate site when it really points to a fake one.
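The disguised-hyperlink trick described above leaves a mechanical trace: the text the reader sees names one host while the href the browser would follow names another. The following is an added example, not code from the article, MessageLabs or any bank; it parses the anchors out of a constructed HTML e-mail body (the message text, IP address and hostnames are invented for illustration) and flags any link whose visible text claims a host different from the one the href actually targets.

```python
"""Flag HTML hyperlinks whose visible text names one host while the href points elsewhere.

Added example for this article; not code from ZDNet, MessageLabs or any bank.
The e-mail body and hostnames below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body in the style the article describes: the link
# text shows the bank's real address while the href points somewhere else.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account details within 24 hours.</p>
<p><a href="http://203.0.113.7/westpac/login">https://www.westpac.com.au/verify</a></p>
<p><a href="https://www.westpac.com.au/help">Help centre</a></p>
<p><a href="http://www.westpac.com.au.example.net/login">www.westpac.com.au</a></p>
<p><a href="http://www.anz.com/verify">Click here</a></p>
"""

# A hostname (optionally preceded by a scheme) at the start of the visible link text.
_HOST_IN_TEXT = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]|$)", re.IGNORECASE
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def displayed_host(text):
    """Return the host the link text claims to point at, or None if the text is not URL-like."""
    match = _HOST_IN_TEXT.match(text.strip())
    return match.group(1).lower() if match else None


def classify_link(href, text):
    """Compare the host shown to the reader with the host the browser would actually contact."""
    shown = displayed_host(text)
    actual = urlparse(href).hostname  # already lower-cased by urlparse
    if actual is None:
        return "non-http href"      # mailto:, javascript:, relative paths etc.
    if shown is None:
        return "text is not a URL"  # "Click here": nothing to compare against
    # "bank.example" shown with "www.bank.example" actual is consistent, but
    # "bank.example.attacker.test" is NOT a subdomain of "bank.example".
    if actual == shown or actual.endswith("." + shown):
        return "consistent"
    return "mismatch"


def audit_links(html):
    return [(href, text, classify_link(href, text)) for href, text in extract_links(html)]


def suspicious_links(html):
    """Hrefs whose visible text names a different host than the one actually targeted."""
    return [href for href, _, verdict in audit_links(html) if verdict == "mismatch"]


if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE_EMAIL_HTML):
        print(f"{verdict:18} text={text!r:40} href={href}")
```

Run as a script it prints one verdict per link; the two links whose text reads as the bank's address but whose href points at an IP address or a look-alike domain are the ones reported as a mismatch. Links whose text is not URL-like ("Click here") are not flagged by this check, since there is no claimed host to compare against; a mail gateway would combine it with other signals such as the sender domain and the reputation of the target host.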

The majority of the scams originate in Russia and China, according to Paul MacRae, business development director of e-mail services company MessageLabs. The Chinese operation was shut down, but was recently started up again.

MacRae said that over the last one to two weeks, four out of the five major Australian banks have been the victims of phishing. The latest victim was Westpac, while the ANZ and the NAB were targeted last week.

eBay and PayPal have also been victims of the scam, while other spam messages claim "Your credit card will be billed at US$22.95 weekly and free 3 pack of child porn CD is shipping to your billing address" before indicating that people can cancel the order by e-mailing their credit card details to the company.

Companies are loath to reveal how many of their customers fall victim to the scam. Westpac Australia told ZDNet Australia it was not planning to reveal the number of its customers that were tricked by the recent e-mail, but the New Zealand press are reporting 200 New Zealanders were affected by e-mails targeting them.

Banks and other organisations are attempting to fight back, with Westpac launching a publicity campaign recently, and several tech giants including eBay, Amazon, Visa and Microsoft forming a coalition to fight the problem.

St George Bank spokesperson Rebecca Taylor told ZDNet Australia that the bank was lucky because it wasn't the victim of the first phishing scam, so when a scam was aimed at its customers the bank already had contingency plans in place.

This included notifying customers as soon as the bank became aware of the scam, and "looking at what type of transaction might result from this type of fraud" and monitoring for those transactions, according to Taylor.

MessageLabs offers a paid service to financial institutions called 'Ghost Watch', which monitors for suspicious e-mails and alerts the institution to the problem. MacRae said the faster the site was removed, the fewer people could get fooled. The new service is headed up by David Banes, formerly Regional Manager for Symantec Asia Pacific.

"If we see something unusual that looks like a ghost [fake] site we ask the owner of the data permission to warn the victim of the scam," said MacRae. Most of the scams are sent out as spam, which trips the filters at MessageLabs. The company then asks the recipients of the spam for permission to forward it to the victim. Most organisations agree for the e-mail to be sent, of course.

However, it appears inevitable that the phishing scams will continue to become more sophisticated until the e-mails are virtually indistinguishable from legitimate communications to the average user. The best way to combat the problem is to educate users not to respond to the e-mails no matter how legitimate they appear.

"Anyone who receives any e-mail that links to a site asking for personal information should exercise caution," warns eBay. "In the same way that you never tell anyone, even the bank teller, your PIN number, you should always protect your private information including passwords."

Another way to ensure the legitimate Web site is accessed is to open up a new browser and type in the address.
