CommBank cops sustained online fraud attack

[Kane Lightowler <kanelists () gmail com>]

More and more Australian base phishes each day. Would be an interesting
statistic to plot a phish per capita statistic seeing though we are getting
hit massively in comparison to our 21million population count. I guess our
seemingly mature online banking infrastructure makes us a good fit target.
In this instance they have also combined a vishing excercise.



 CommBank cops sustained online fraud attack
http://www.smh.com.au/articles/2009/06/02/1243708447679.html



Commonwealth Bank customers are being inundated with phishing attacks, some
at a rate of several scam emails a day, sent by cyber criminals seeking to
steal passwords and credit card details.

The scammers, who are specifically targeting the bank in a sustained
assault, are bombarding customers with several clever variations of the
email ruse - such as using bogus call centres - in an attempt to hook even
tech-savvy web users.

The emails have largely managed to evade spam filters using methods such as
images instead of text.

Commonwealth Bank spokesman Steve Batten said the bank was working closely
with the Australian Federal Police's Australian High Tech Crime Centre to
track down the scammers. However, the bank appears to be losing the war.

"As soon as we close them down they are opening up elsewhere," Batten said.

This is backed up by figures from the Australian Payments Clearing
Association, which reported a 33 per cent increase in both the volume and
value of fraudulent online payments in Australia for the year ended December
31, 2008.

The scam emails, which look authentic and include the Commonwealth Bank's
logo, try to trick the victim into handing over sensitive information by
telling them they need to unlock an account, activate a card, claim a fee
refund, update internet banking details, view an important security message
or complete a survey in exchange for payment.

When the victim clicks on the link in the email, they are either infected
with a password-stealing virus or presented with an official-looking page
that asks them to enter their details, which are then harvested by the
fraudsters.

Batten said some of the emails purport to come from actual Commonwealth Bank
staff members. He stressed that the bank would never ask customers to submit
sensitive information over email.

But in a new variation on the traditional "phishing" attack, which usually
asks victims to click on a malicious link, one Commonwealth Bank scam email
asks customers to call a Queensland phone number in order to redeem a $500
"cashback bonus".

IT contractor Tom Howard, from the Central Coast, received the email and
attempted to call the number just as an experiment.

"It's an automated system with an American accent that welcomes you to the
Commonwealth Bank of Australia and then requests an account number or says
something's expired and asks for your credit card number," he said.

The voice recording then requested Howard's expiry date and pin number, but
he just entered in random digits.

"It actually told me the information was incorrect, which suggests that it's
hooked up to a payment gateway and it's actually trying to do an
authorisation on the credit card right then and there," he said.

Howard said he was alarmed at the sophistication of the scam and believed
the bogus call centre idea would trick a lot of people.

"People have been conditioned in terms of these phishing emails to 'don't
click on the links', but not so much to 'don't call the number'," he said.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.