During March and April, Australian banks publicly acknowledged for the first time that they were targets of Internet fraudsters, which marks a turning point for Internet banking fraud.
In the preceding months, fraudsters faked the Web sites of three of the big four banks and tricked customers into divulging their user details and passwords. One person was arrested for using Commonwealth Bank customer details to steal funds.
It doesn’t take much expertise to set up a fake Web site and lure the bank’s customers. I ran a series of workshops for lawyers on computer-based evidence. The only technical prerequisite is that the lawyer can use the Internet to perform basic legal research and can use generic office applications; most have trouble even doing that. Each workshop concludes with a lab in which half the students perform a cybercrime and the other half try to track them down. All “crimes” are performed in a closed laboratory and the participants are consenting victims.
With only basic Internet skills, one particular group decided to mimic the fraudsters they had just finished reading about. They created a domain, westpak.com, with a secure (SSL) Web server at olb.westpak.com. They then accessed Westpac’s Internet banking site and, using Internet Explorer, saved a copy of the page and copied it to their Web server. This is the page that invites customers to enter their customer number and password. They also copied the “bad password” page that came up when they entered the wrong details.
They then spent two hours surfing the Net finding out how to copy the customer’s logon and password when it was entered. They also crafted a convincing e-mail inviting users to log on to Westpac’s Web site via the embedded link for a chance to win a new car — customers are automatically entered each time they log on.
The e-mail was sent to their peers and, by chance, more than half were that bank’s customers; they clicked on the link and entered their user details.
In less than a day, the lawyers were turned into successful cybercriminals.
Not satisfied with duping their peers, the lawyers decided to take the scam a little further. They used search bots to find e-mails containing the keyword “westpac.com.au”. The assumption was that the sender/receiver was one of Westpac’s Internet Banking customers — a reasonably valid conclusion. They stopped collecting e-mails when they had 10,000 distinct e-mail addresses.
No longer satisfied with one bank, they decided to do the same (in the laboratory) for ANZ (the laboratory site was amz.com), Commonwealth (connbank.com), NAB, and St George. In a week, the “Internet for learners” lawyers had scammed 50,000 bank customers, collecting their logon details.
What’s really interesting about this story is that the banks are only just acknowledging that they are worried about fake Web sites.
But why only now? Domain names close to those of the banks have been registered for many years. For example, the Web site used in the Westpac fake Web site scam was www.westpac-bank.com, a name that was registered in 1999, as were www.anz-bank.com, www.comm-bank.com and www.nab-bank.com. A quick search of domain registrars reveals at least 30 domains that could readily be confused with each of the big four.
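The lure e-mail described earlier and the look-alike names listed above both come down to the same check: does the host a link actually points at belong to the bank, or merely resemble it? The following is an added example, not code from the workshops or from any bank; it uses a constructed list of legitimate domains, a toy public-suffix splitter, a letter-folding table that makes westpak/westpac, amz/anz and connbank/commbank compare equal, and a constructed sample e-mail. It flags links whose host imitates a bank domain (confusable letters, a hyphenated variant such as westpac-bank.com, or the same brand under a different suffix) and links whose visible text shows a bank URL while the href goes elsewhere.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for the example: the registrable domains the lures imitate.
LEGITIMATE = ("westpac.com.au", "anz.com", "commbank.com.au", "nab.com.au")

# Public suffixes this toy splitter understands (a real tool uses the
# Public Suffix List). Longer suffixes are listed first.
SUFFIXES = ("com.au", "net.au", "com", "net", "org")

# Characters that read alike at a glance; folding both sides with this
# table makes westpak == westpac, amz == anz and connbank == commbank.
FOLD = str.maketrans({"k": "c", "m": "n", "1": "l", "0": "o"})


def split_host(host):
    """Return (label, suffix), e.g. olb.westpak.com -> ('westpak', 'com')."""
    host = host.lower().rstrip(".")
    for suffix in SUFFIXES:
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1].split(".")[-1]
            return label, suffix
    return host.split(".")[-1], ""


def registrable(host):
    """Registrable domain of a host: olb.westpak.com -> westpak.com."""
    label, suffix = split_host(host)
    return f"{label}.{suffix}" if suffix else label


def imitates(host):
    """Return the legitimate domain `host` resembles, or None.

    A host under a legitimate domain itself is never a look-alike.
    """
    if registrable(host) in LEGITIMATE:
        return None
    label, _ = split_host(host)
    # Drop hyphens and fold confusable letters before comparing brands.
    compact = label.replace("-", "").translate(FOLD)
    for legit in LEGITIMATE:
        brand, _ = split_host(legit)
        if compact == brand.translate(FOLD):
            return legit  # westpak, amz, connbank, comm-bank, westpac.com
        if brand in label.split("-"):
            return legit  # westpac-bank, anz-bank, nab-bank
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


SHOWN_HOST = re.compile(r"[\w.-]+\.(?:com\.au|net\.au|com|net|org)")


def analyse_email(html):
    """Return suspicious links as (href, visible_text, imitated_domain)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = imitates(host)
        if target is None:
            # A bank URL shown as the link text while the href goes elsewhere.
            shown = SHOWN_HOST.search(text)
            if shown and registrable(shown.group(0)) in LEGITIMATE \
                    and registrable(host) not in LEGITIMATE:
                target = registrable(shown.group(0))
        if target:
            findings.append((href, text, target))
    return findings


# Constructed sample lure in the spirit of the workshop e-mail.
SAMPLE_EMAIL = """
<p>Log on to Internet Banking before Friday and you are automatically
entered in the draw for a new car.</p>
<p><a href="https://olb.westpak.com/">https://olb.westpac.com.au/</a></p>
<p>Terms and conditions: <a href="https://www.westpac.com.au/terms">here</a>.</p>
<p>Questions? See <a href="https://www.example.org/faq">our FAQ</a>.</p>
"""

if __name__ == "__main__":
    for href, text, target in analyse_email(SAMPLE_EMAIL):
        print(f"{href!r} shown as {text!r} imitates {target}")
```

Only the westpak.com link is reported; the genuine westpac.com.au link and the unrelated example.org link pass. The folding table is deliberately small, and a production mail filter would use the Public Suffix List and a fuller confusable table rather than the handful of substitutions the workshop names happened to use.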
The problem is that there is no easy way for customers to check whether the Web site they are using is really the bank’s. The advice banks give is to check the digital certificate and only use the site if the details check out. This is analogous to a bank asking customers to check the address of a building to see if it’s really the bank before they go in: if it’s got bank signage and bank tellers, it’s probably a bank, and that is what most customers also think online.
With the scams that have recently been publicised, the crooks randomly spammed people hoping they were customers of the targeted bank. Given the popularity of Internet banking, especially among those with an e-mail address, it was a good bet that at least some would be. In fact, an analysis of several thousand e-mails involved in one fake bank case showed that roughly one-quarter were addressed to a customer of that bank.
But cunning cybercriminals don’t have to risk customers noticing the difference between the fake name and the real name. At a recent IT security conference one bank’s information security manager boldly claimed that “we haven’t had a misdemeanour performed on our site”. That manager seems to have forgotten about a Web site that looked very much like the bank’s. In that particular case, the perpetrator(s) set up a fake Web site in Korea. They then manipulated an ISP’s DNS server so that the ISP’s customers typing in the real URL were sent to the fake Web site instead; no look-alike name was needed.
I Tanon (not a real name) is an IT manager who reports firsthand on security incidents from the trenches.