NAB customers phished from Sarajevo Airport

Phishers have launched an attack on customers of the National Australia Bank (NAB). The phishing e-mail attempts to direct victims to a hijacked section of the Sarajevo Airport Web site.

The e-mail contains a number of NAB logos and asks recipients to "renew services" on their account by clicking on a link within the message.

Joel Camissar, country manager for Websense, told ZDNet Australia that the Sarajevo Airport Web site has most likely been compromised in the same way that the Samsung Telecom Web site was hacked a few weeks ago.

He also pointed out that the e-mail contained a logo from security firm VeriSign, which may be enough to persuade some users into thinking the message was genuine.

"The VeriSign logo would make it seem pretty authentic if the user wasn't aware that it could be a faked image," said Camissar.

Visitors to Sarajevo Airport's site do not appear to be at risk: the phishers seem content to steal the server's hosting space and bandwidth in order to host and distribute their malicious content.
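The mail described above pairs the bank's branding with a link that leaves the bank's domain for a compromised third-party host. The following is an added example, not code from the article or from any of the companies it quotes, of the check a mail gateway or analyst script can run: collect every link target in the HTML body and flag those whose host is not the purported sender's domain or a subdomain of it. The sample message, the `nab.com.au` allowlist and the `airport.example` host are constructed for the example; the real hijacked URL is not reproduced here.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect every anchor target and image source in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])


def _host_in(host, domains):
    """True when host equals one of the domains or is a subdomain of one.

    'nab.com.au.example' does NOT match 'nab.com.au'; only a suffix match on
    a dot boundary counts, which is what defeats look-alike hostnames."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_links(html, sender_domains):
    """Return the hrefs in a mail body whose host is outside sender_domains.

    A message full of a bank's logos whose only clickable link points at an
    unrelated host (here a hijacked airport site) is the pattern to flag.
    mailto:/tel: links and relative links carry no host and are skipped."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href in collector.links:
        parts = urlsplit(href)
        if parts.scheme in ("mailto", "tel") or not parts.netloc:
            continue
        if not _host_in(parts.hostname, sender_domains):
            flagged.append(href)
    return flagged


# Constructed sample: embedded bank and VeriSign images, a "renew services"
# link to an unrelated host, and a harmless contact link on the real domain.
SAMPLE_MAIL = """<html><body>
<img src="cid:nab_logo"> <img src="cid:verisign_seal">
<p>Please <a href="http://www.airport.example/images/nab/renew.html">renew services</a>
on your account within 48 hours.</p>
<p><a href="mailto:help@nab.com.au">Contact us</a> |
<a href="https://www.nab.com.au/security">Security centre</a></p>
</body></html>"""

BANK_DOMAINS = ["nab.com.au"]  # assumption: the allowlist a gateway would hold for this sender


def scan_sample():
    return suspicious_links(SAMPLE_MAIL, BANK_DOMAINS)


if __name__ == "__main__":
    for href in scan_sample():
        print("off-domain link:", href)
```

The check is deliberately host-based rather than keyword-based: a hijacked legitimate site has a clean reputation, so URL blocklists lag, but it can never be a subdomain of the bank, and that is what the comparison tests.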

A NAB spokesperson told ZDNet Australia that the bank took phishing seriously: "It's very important customers understand that NAB would never send them e-mails asking them to complete password details or personal details".

The spokesperson also suggested that NAB's online customers switch to the bank's SMS authentication system, which sends an authentication code to a pre-registered mobile phone; the code must be entered into the Web site before certain transactions can be completed.

"No customer that has registered for [the SMS service] has experienced fraud -- since its launch in May 2005," the spokesperson said.

About 10 percent of the bank's online customers currently use the service, according to the spokesperson.
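To make concrete what such an SMS second factor has to do on the server side, here is an added example in Python; it is not NAB's system or code, and the article does not describe NAB's internals. The code is generated per transaction, sent out of band through an injected `send_sms` callable (so the example runs offline), expires, is single use, and allows only a few guesses. One design choice goes beyond the article: the stored digest binds the code to the payee and amount, and the SMS text shows those details, so a code a phisher relays in real time for a tampered payment does not verify. The TTL and attempt limits are assumptions for the example, not NAB's figures.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: the article does not give NAB's expiry window
MAX_ATTEMPTS = 3         # assumption: caps online guessing of a 6-digit code


class SmsTransactionAuth:
    """Server side of a per-transaction SMS code (illustrative, not NAB's design)."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # callable(phone, text); stubbed in tests
        self._now = now             # injectable clock so expiry can be tested
        self._pending = {}          # txn_id -> {"digest", "expires", "attempts"}

    @staticmethod
    def _bind(code, txn_id, phone, amount, payee):
        # Hash the code together with the transaction details, so verification
        # only succeeds for the exact transaction the customer was texted about.
        data = f"{code}|{txn_id}|{phone}|{amount}|{payee}".encode()
        return hashlib.sha256(data).digest()

    def start(self, txn_id, phone, amount, payee):
        """Generate a fresh code, record its binding, and deliver it out of band."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[txn_id] = {
            "digest": self._bind(code, txn_id, phone, amount, payee),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # Putting payee and amount in the SMS lets the customer notice a tampered payment.
        self._send_sms(phone, f"Code {code} to pay {payee} ${amount}. Ref {txn_id}.")

    def verify(self, txn_id, phone, amount, payee, code):
        """True once the customer presents the right code for this exact transaction."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[txn_id]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[txn_id]          # lock the transaction after too many tries
            return False
        expected = self._bind(code, txn_id, phone, amount, payee)
        if not hmac.compare_digest(expected, entry["digest"]):
            return False
        del self._pending[txn_id]              # single use: a replayed code fails
        return True


def demo():
    """Constructed walk-through: relayed code for a tampered payee, then genuine, then replay."""
    outbox = []
    auth = SmsTransactionAuth(send_sms=lambda phone, text: outbox.append(text))
    auth.start("T1", "+61400000000", "250.00", "Electricity Co")
    code = outbox[-1].split()[1]          # the customer reads the code off the phone
    tampered = auth.verify("T1", "+61400000000", "250.00", "Mule Account", code)
    genuine = auth.verify("T1", "+61400000000", "250.00", "Electricity Co", code)
    replay = auth.verify("T1", "+61400000000", "250.00", "Electricity Co", code)
    return tampered, genuine, replay


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind: a phishing page that relays the customer's input to the real site in real time can forward a code well inside a five-minute window. What such a scheme buys is the out-of-band channel showing the customer the details of the transaction actually being authorised, together with the server refusing the code for anything else.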

Adam Biviano, premium services manager at Trend Micro, told ZDNet Australia that banks do not seem to be emphasising an important message: a user does not need to enter any details into a phishing site in order to be at risk. By exploiting vulnerabilities in the user's browser, a malicious Web site can infect the visitor's computer with a Trojan the moment the page is opened.

"The banks and financial institutions have concentrated their communications on never providing your details but users may be unaware that clicking on a link is all that is required to infect your computer these days," said Biviano, referring to the well-publicised Windows WMF vulnerability, which Microsoft patched earlier this year, as well as another recently discovered, and as yet unpatched, vulnerability in IE.

"Even if it is not targeting the latest vulnerability your browser may have, there are a significant number of vulnerabilities -- it is not just Microsoft [Internet Explorer] but could be Firefox or any of the less common browsers," added Biviano.

Last week, MessageLabs warned that user education may no longer be enough to fight phishing, as many of the latest attacks are virtually indistinguishable from legitimate e-mails and Web sites.