Showing posts with label phishing. Show all posts

Saturday 26 May 2012

Hackers ply new tactics against banks, business customers

Social engineering attacks — also known as phishing and spear-phishing — are on the rise against banks and their corporate customers. The stakes are high and rising for both. 

Saturday 4 December 2010

50% of phishing victims respond to the scam within an hour, 90% within 10 hours

Phishing is thriving on the ignorance of Internet users: half of the victims respond to the fraudulent emails within an hour of receiving the scam messages, according to a study by transaction security firm Trusteer. The statistics show that within 5 hours 80% of victims have responded, with the figure rising to 90% within the first 10 hours of an attack.

The statistics stress the urgency of the fight against fraudulent websites that attempt to hoodwink the unwary into handing over online banking credentials or similar sensitive information.

Banks and information security suppliers need to work together to identify, block and take down scam websites as quickly as possible or else the damage may already be done.

"The fact that so many internet users visit a phishing website within such a short period of time means that blocking a phishing website – which is sometimes a cracked legitimate site – within the [first] golden hour has become absolutely critical," Trusteer chief technology officer Amit Klein said. "Blocking a phishing site after five to 10 hours is almost irrelevant."

Monday 20 September 2010

Phishing scam using the US tax system as bait - McAfee

Security researchers at McAfee have reported a new phishing scam targeting users of the US Department of Treasury's Electronic Federal Tax Payment System (EFTPS).

According to McAfee, phishers were seen using the free tax payment service as bait this week in a new round of e-mails.

The e-mails have the subject line "Your EFTPS Tax Payment ID has been rejected," and claim that the recipient's tax payment did not go through due to an invalid ID number. Victims are then directed to a phony Web site for more information.

"If you receive one of these messages claiming to be from the EFTPS or IRS, don't open it or click any link," blogged McAfee's Felix Martinez. "It's safer to manually type the URL (web address) instead of clicking a link. To verify whether a government or financial institution is trying to contact you, call that agency."

Friday 6 August 2010

UK Police arrest six over phishing scam

The Metropolitan Police's Central e-Crime Unit (PCeU) has arrested six people accused of phishing the details of more than 20,000 online banking and credit card accounts before using the information to steal millions of pounds.

Over the last few days the PCeU, working with the MPS Territorial Support Group and the Irish Garda, has executed five search warrants in London and an address in Navan, County Meath, Ireland.

The raids resulted in five men and one woman being arrested on suspicion of conspiracy to commit online banking fraud and Computer Misuse Act offences. All six are now in custody in London.

The PCeU says the arrests are part of Operation Dynamophone, an investigation into a network believed to have systematically obtained large quantities of personal information, such as online bank account passwords and credit card numbers.

The gang is believed to have acquired the information through phishing, sending large quantities of unsolicited spam e-mails, directing victims to spoof Web sites purporting to belong to legitimate banks.

Police enquiries suggest more than 10,000 online bank accounts and 10,000 credit cards have been compromised. The crooks attempted bank account take-over fraud worth £1.14 million, with £358,000 stolen successfully, say authorities.

Detective Inspector Colin Wetherill, PCeU, says: "A great deal of personal information was compromised and cleverly exploited for substantial profit. By disrupting the operation we have hopefully prevented further loss to individuals and institutions across the UK."

Monday 26 July 2010

Crook versus crook

In a new turn for the books, a pair of cybercrooks has posted a phishing kit on hacker forums that lets them steal the data gleaned by those who download and use it, says security operation Imperva.

Imperva says the phishing kit helps crooks set up fake sites purporting to belong to organizations such as banks to dupe personal and financial data from victims.

However, unknown to these hackers, the creators of the kit use a built-in back door to harvest all the credentials. While the proxy crooks may find some success before their phishing sites are closed down, the masterminds get everything without needing to conduct an open campaign.

The cloud-based approach of the kit - developed in Algeria with Arabic tutorials but itself in English - makes it far harder to shut down than normal phishing scams, says Imperva.

In traditional schemes when you take down a server you affect not only the Web page but also the back end data collection capability. In the cloud version, data collection is hosted separately from the sites which means hackers only need to repost the front end in a new location to be back in business.

Wednesday 14 July 2010

Microsoft's fake bank shows just how gullible the public is

Microsoft has set up a fake bank branch in New York and tricked members of the public into handing over huge amounts of personal information.

The tech giant built its “Greater Offshore Bank & Trust” branch in a bid to demonstrate how vulnerable people are to scams and to promote its Internet Explorer 8, which it says blocks three million online threats a day.

In two videos posted on YouTube, actors playing bank staff members convince members of the public to reveal highly sensitive information in order to open accounts and receive $500.


Duped "customers" were willing to hand over their mothers' maiden names, social security numbers, credit card numbers, strands of hair for DNA tests and details on whether they wear boxers or briefs.

Tuesday 22 June 2010

Text-to-phone phishing attacks show enormous drop in the first quarter

According to the latest report from security company Internet Identity (IID), text-to-phone phishing attacks decreased considerably in the first quarter of the current year, dropping by 62% from the previous quarter.

Nevertheless, credit unions appeared to be the most targeted by text-to-phone phishing attacks, with a great number of them being spoofed in text-to-phone cases. In these attacks, cyber criminals impersonate companies by text message and try to get people to call a fake interactive voice response (IVR) system designed to steal account information.

Meanwhile, the research found that cyber criminals increasingly posed as relief organizations to launch phishing attacks, claiming to help victims of recent disasters, like the earthquakes in Haiti and Chile.

In addition, an increasing volume of phishing was used to carry out Internet Domain Name System hijackings, specifically involving China's biggest search engine, Baidu.com.

Importantly, the major share of phishing volume moved to targeting money transfer sites.