
"Most devious" bank email phishing scam discovered

Fraudsters getting cleverer and cleverer...

By Andrew Colley

Published: 4 March 2004 16:45 GMT

The latest email fraud scheme targeted at Australian bank customers has been described as the most "devious" ever encountered.

The email, distributed en masse to Westpac bank customers, is the latest example of a "phishing scam", designed to catch the unwary and fool them into divulging their online banking security details.

Typically, phishing scam emails appear to have been sent from the victim's bank, and contain a link to a fake version of the bank's website and instructions to log on to the site to verify their credentials with the bank.

Rob Forsyth, managing director at antivirus vendor Sophos, believes that the techniques used by online confidence tricksters in the latest Westpac email indicate the scheme is reaching new heights of sophistication.

According to Sophos, the scammers have become better impostors, incorporating phrasing and wording that the bank's customers would recognise from previous authentic advisories it had issued, such as: "Westpac will never ask for your personal or login details by email" - even though the email then proceeds to direct the reader to do just that.

The architects of the latest scam also adopted a more insidious web re-direction technique to bamboozle victims than Sophos had ever seen before. Activating the link in the email directs the victim to a fake version of the site but also opens an authentic copy of the site in a second browser window behind it.

The fake version of the site asks for the victim's account access details but returns an error message when they are submitted. The victim is then passed on to the real site, unaware of having been duped.
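The email described above works because the displayed wording looks legitimate while the link underneath points elsewhere. As an added illustration (not code from the article, Sophos or Westpac), the following Python script shows the kind of link analysis a mail gateway or user-education tool can run over an incoming message: it extracts every anchor, flags links whose host is not the bank's own domain or a subdomain of it, and flags anchors whose visible URL text differs from the real target. The email body, the trusted domain `bank.example` and the hosts under the reserved `.test` TLD and the 203.0.113.0/24 documentation range are all constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the legitimate bank domain(s) are known to the checker.
TRUSTED_DOMAINS = {"bank.example"}

# Constructed sample body in the shape of the scam the article describes:
# a reassuring sentence followed by a link that leads off the bank's domain.
SAMPLE_EMAIL_HTML = """
<p>Bank Example will never ask for your personal or login details by email.</p>
<p>Please <a href="http://login-bank.example.attacker.test/verify">verify your account</a>.</p>
<p>Visit <a href="https://bank.example/help">https://bank.example/help</a> for support.</p>
<p>Or go to <a href="http://203.0.113.7/bank">https://www.bank.example/secure</a>.</p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_host(url):
    """Lower-cased hostname of a URL, or None if it has none."""
    host = urlparse(url).hostname
    return host.lower() if host else None


def is_trusted(host):
    """True only for the bank domain itself or a real subdomain of it.
    A lookalike such as bank.example.attacker.test does not qualify."""
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyse_links(html):
    """Return one finding per suspicious anchor, with the reasons it was flagged."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = link_host(href)
        reasons = []
        if not is_trusted(host):
            reasons.append("link host is not a trusted bank domain")
        # If the visible text itself looks like a URL, its host must match the target.
        text_host = link_host(text) if text.startswith(("http://", "https://")) else None
        if text_host is not None and text_host != host:
            reasons.append("visible URL text differs from the real link target")
        if reasons:
            findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Running it on the constructed body flags the lookalike host and the IP-address link whose visible text claims to be the bank, and leaves the genuine support link alone. The suffix check in `is_trusted` is deliberately anchored with a leading dot so that a registered lookalike domain containing the bank's name is still treated as untrusted.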

Forsyth fears that the practice of phishing is at risk of being trivialised in the public's mind. He said that the malicious nature of the crime should be acknowledged.

"I think this is not just a scam like the Nigerian scam - this is actually direct fraud and the perpetrators of the crime should be dealt with severely," said Forsyth.

Andreas Baumhof, chief technical officer of Microdasys, a German internet security company specialising in the Secure Sockets Layer (SSL) technologies used to protect commercial web transactions, is also concerned for the well-being of online banking customers.

He said that advice given to the public is often wrong, pointing to a recent high profile case of phishing in the US involving ISP Earthlink.

Shortly before the scam, the US Federal Trade Commission advised the public to look for an icon depicting a lock in the window of their browsers when conducting sensitive transactions. The lock icon is associated with SSL web security technology, which involves encryption and security certificates. The FTC issued blanket advice that such communications were definitively "safe".

Baumhof said the advice was wrong and may actually have contributed to the Earthlink incident. In that case the scam's designers used encrypted SSL connections to direct users to their site, but fraudulent certificates to persuade victims they were in the right place. Baumhof reasons that the FTC's advice gave the victims a false sense of security.

"You can only see that the session is encrypted but you can't tell who you're talking to unless you've verified the certificate," said Baumhof.
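Baumhof's point is that encryption and identity are separate checks: a session can be encrypted end to end with a server that is not the one the user intended. As an added example (not code from the article or from Microdasys), the Python below shows the identity half of that check: it takes certificates in the dictionary layout that `ssl.SSLSocket.getpeercert()` returns, reads the DNS names they assert, and matches them against the hostname the user meant to reach using the usual rule that a wildcard may only stand for the whole leftmost label. The two certificates, the domain `bank.example` and the host under the reserved `.test` TLD are constructed placeholders. `secure_context()` returns the standard-library context that performs both chain validation and this hostname check automatically, which is what a client should rely on in practice.

```python
import ssl


def _match_dns_name(pattern, hostname):
    """Match one certificate DNS name against a hostname.
    A wildcard is accepted only as the entire leftmost label (RFC 6125 style),
    so '*.bank.example' covers 'www.bank.example' but not 'bank.example'
    or 'a.b.bank.example'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert):
    """DNS names the certificate asserts: subjectAltName entries, falling back
    to the subject commonName only when no SAN is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    return names


def certificate_matches_host(cert, expected_host):
    """True if the certificate is issued for the host the user intended to reach.
    Whether the session is encrypted is irrelevant to this question."""
    return any(_match_dns_name(name, expected_host) for name in certificate_names(cert))


def secure_context():
    """Client context that enforces chain validation and hostname checking;
    a client should refuse to proceed if either is turned off."""
    ctx = ssl.create_default_context()
    if not ctx.check_hostname or ctx.verify_mode != ssl.CERT_REQUIRED:
        raise RuntimeError("context does not verify peer identity")
    return ctx


# Constructed certificates in the getpeercert() dict layout (assumed sample data).
BANK_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}
# A certificate that is perfectly valid for the attacker's own host: the browser
# would show a lock icon, yet it says nothing about the bank.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "www.bank.example.attacker.test"),),),
    "subjectAltName": (("DNS", "www.bank.example.attacker.test"),),
}


if __name__ == "__main__":
    for label, cert in (("bank", BANK_CERT), ("lookalike", LOOKALIKE_CERT)):
        print(label, "matches www.bank.example:", certificate_matches_host(cert, "www.bank.example"))
```

The lookalike certificate passes every cryptographic check for its own name and still fails `certificate_matches_host` for the bank's hostname, which is exactly the gap the lock icon alone cannot close.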

Meanwhile Sophos said it had conveyed its concerns to the Australian High Tech Crime Centre.

Andrew Colley writes for ZDNet Australia.
