Date: 21 August 2003
===========================================================================
A U S C E R T A L E R T
AL-2003.04 -- AUSCERT ALERT
Increase in fraudulent activity targeting users of
online banking and electronic payment sites
28 March 2003
===========================================================================
PROBLEM:
AusCERT has received a significant increase in the number of reports
of scams targeting online banking[1] and electronic payment sites.
These scams are designed to fraudulently collect information of the
following kinds from unsuspecting users:
o online banking logins and passwords;
o full bank account details such as account name/id, full name
of account holder, SWIFT code and BSB code;
o credit card details such as cardholder name, card number and
expiry date;
o full account and password details of other forms of electronic
payment or funds transfer (e.g. PayPal, eBay).
The institutions whose customers are being targeted by these
scams include banks, on-line stores, on-line auction sites and
alternative electronic funds transfer sites (e.g. PayPal).
DETAILS:
Attackers are constructing mimic sites to lure customers of online
banking and other forms of electronic payments into accessing fake
sites rather than the original.
This is often attempted by:
o Contacting users by email and requesting them either to reply
to the email with their account login / details and passwords,
or to fill in an enclosed form that will send the results to a
site under the attacker's control.
o Contacting users by email and requesting them to enter their
account login / details and password into a site that is not
the real banking or electronic payments site of the organisation
that is supposedly requesting the information. This fake site
may resemble the original very closely in both layout and
function. The email may also be in HTML format, constructed so
that what appear to be links to the legitimate site in fact
point to fake addresses, e.g.:
<a href="http://www.fakebank.com">http://www.yourbank.com.au</a>
o Establishing a web site that resembles the original not only
in appearance and function but also in having a very similar
domain name, e.g. where www.yourbank.com.au is the real site and
www.yourbank-bank.com is the fake.
o Contacting you in person and asking for your account login /
details and password.
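The two email tricks above (display text that shows the real address while the href points elsewhere, and a lookalike domain that reuses the bank's name) can be screened for on a mail gateway. The following is an added example written for this alert, not AusCERT's or any bank's code; the sample message, the hostnames and the allow-list of legitimate hosts are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the HTML-email trick described above: the visible text
# shows the real bank's address but the href points elsewhere. Placeholder hosts.
SAMPLE_EMAIL_HTML = """
<p>Confirm your details at
<a href="http://www.fakebank.com">http://www.yourbank.com.au</a></p>
<p>Help: <a href="http://www.yourbank.com.au/help">Help centre</a></p>
<p>Or try <a href="http://www.yourbank-bank.com">our new site</a></p>
"""
# Assumed allow-list of hosts the organisation really uses, and the brand
# string that lookalike domains (www.yourbank-bank.com) tend to reuse.
LEGITIMATE_HOSTS = {"www.yourbank.com.au", "yourbank.com.au"}
BRAND_STRINGS = {"yourbank"}

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from each <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify_link(href, text, legit=LEGITIMATE_HOSTS, brands=BRAND_STRINGS):
    """Return a reason string if the link looks deceptive, otherwise None."""
    host = (urlparse(href).hostname or "").lower()
    if host in legit:
        return None
    # Trick 1: the link text is itself a URL whose host differs from the href.
    shown = urlparse(text).hostname if "://" in text else None
    if shown and shown != host:
        return f"text shows {shown} but href goes to {host}"
    # Trick 2: the href host reuses the brand name but is not an allowed host.
    for brand in brands:
        if brand in host:
            return f"{host} resembles legitimate brand '{brand}'"

def scan_html_email(html):
    # Returns [(href, reason)] for every suspect link in the message.
    parser = AnchorCollector()
    parser.feed(html)
    return [(h, r) for h, t in parser.links if (r := classify_link(h, t))]
```

On the constructed message, scan_html_email flags the fakebank.com and yourbank-bank.com links and passes the genuine help link.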
IMPACT:
Users and customers risk suffering significant financial loss if
their financial details are stolen in this manner.
MITIGATION:
Protect your password and account details. Users should *never*
give out passwords or account details in response to unsolicited
requests via email or other forms. Users should *only* log in to
the appropriate financial institution's or other electronic payment
web site that has been verified as the legitimate site for that
organisation.
Banks and other electronic payment sites (on-line store and auction
sites) never request account or credit card details and never -
under any circumstances - request passwords via email.
Banks and other electronic payment sites take precautions to
ensure you know you are connected to their legitimate web site[3].
Banks and other electronic payment sites usually publish their
correct web site details in advertising brochures and other media.
The majority of banks and other electronic payment sites verify
the authenticity of their sites through the use of digital
certificates.
If the bank or electronic payment site uses digital certificates,
a small padlock icon will appear on the bottom of your browser.
Users can view the certificate of the site by clicking on the
padlock icon[3]. The details of the certificate should then appear
in a browser window that allows users to verify the identity of,
and the level of encryption being used by, the site.
In summary:
o Never provide account details and passwords by email
o Never provide account details and passwords in response to an
unsolicited request
o Ensure you are dealing with the correct site by checking other
forms of advertising media
o Check the site uses digital certificates [3] *and* that the
details of the certificate correctly identify the site and that
the certificates have been issued by a verifiable Certificate
Authority (CA). For further details please refer to the links per
reference [3] below.
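The certificate checks in the last point (the certificate's names identify the site, and the issuer is a Certificate Authority you trust) are what a browser does behind the padlock icon; the following added example, which is not AusCERT's code, applies the same checks to a certificate in the dictionary layout Python's ssl.SSLSocket.getpeercert() returns. The certificate, its issuer, the trusted-CA set and the fixed evaluation time are constructed placeholders.

```python
import ssl
import time

# Constructed certificate in the dict layout that ssl.SSLSocket.getpeercert()
# returns; the hostnames and the issuer are placeholders, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "AU"),), (("organizationName", "Your Bank Ltd"),),
                (("commonName", "www.yourbank.com.au"),)),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA Root"),)),
    "subjectAltName": (("DNS", "www.yourbank.com.au"), ("DNS", "yourbank.com.au")),
    "notBefore": "Jan  1 00:00:00 2003 GMT",
    "notAfter": "Dec 31 23:59:59 2003 GMT",
}
# Assumed set of CA organisation names the checker is willing to trust, and a
# fixed evaluation time inside the sample certificate's validity period.
TRUSTED_ISSUERS = {"Example Trusted CA"}
CHECK_TIME = ssl.cert_time_to_seconds("Jun 15 12:00:00 2003 GMT")

def rdn_values(name_seq, key):
    """Pull every value for an attribute type out of a getpeercert() name."""
    return [v for rdn in name_seq for k, v in rdn if k == key]

def dns_match(pattern, host):
    """Exact match, or a leading '*' that covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split(".")[1:], host.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels

def check_certificate(cert, hostname, trusted=TRUSTED_ISSUERS, now=None):
    """Return the list of problems found; an empty list means it passes."""
    problems = []
    now = time.time() if now is None else now
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # only fall back to the subject CN when no SAN is present
        names = rdn_values(cert["subject"], "commonName")
    if not any(dns_match(n, hostname) for n in names):
        problems.append(f"names {names} do not identify {hostname}")
    if not set(rdn_values(cert["issuer"], "organizationName")) & set(trusted):
        problems.append("issuer is not a trusted Certificate Authority")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    return problems
```

Against the sample certificate, www.yourbank.com.au passes, while the lookalike www.yourbank-bank.com fails the name check even though the certificate itself is valid.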
REFERENCES:
[1] http://www.anz.com/securityib.asp
http://www.commbank.com.au/netbank/security_splash.asp
[2] http://www.anz.com/inetbank/security.asp
http://www.commbank.com.au/Netbank/Security/
http://www.national.com.au/Internet_Banking/0,,13473,00.html
http://www.westpac.com.au/internet/publish.nsf/Content/PBOB+Security+FAQ
[3] http://www.dcita.gov.au/Article/0,,0_1-2_1-4_14206,00.html
[4] http://www.dcita.gov.au/Article/0,,0_1-2_1-4_13811,00.html
[5] http://www.accc.gov.au/ecom2/checklist.htm
[6] http://www.accc.gov.au/ecom2/consu_info.htm#cyberspace
[7] http://www.aba.gov.au/internet/faqs/spam.htm#scam
[8] http://fido.asic.gov.au/fido/fido.nsf/print/online+banking?opendocument
---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================