Fake Security Alerts Try to Grab User IDs and Passwords
The good news is that bank customers are becoming more suspicious of unsolicited e-mails, supposedly from their bank, that ask for sensitive information. The bad news is that the bad guys are using this suspicion to their advantage. They do this by sending well-crafted fake “security warnings” intended to induce their victims to try to log on to their online banking accounts.

Trusteer Inc., an online security company in New York, described how this works. First, the phisher simply copies the login page of a given bank’s online site. A fraudulent Web site then is created, often with a URL that is similar to the one used by the legitimate bank.

The hardest part for the phisher is to obtain names and addresses of bank customers. That’s done in a variety of ways: through bank insiders, social engineering or simply looking at people’s mail in their mailboxes. Once obtained, it’s a simple task to send ominous-sounding e-mails that say something to the effect of “Your account has been locked. To unlock, log in to your account.” This is followed by a hyperlink that instead goes straight to the criminals.

A more sophisticated attack can occur while the customer is logged onto his or her legitimate online banking account. First, the phisher accesses one of millions of Web sites known to be compromised by criminals. (The owners of these Web sites may have no idea that they’ve been compromised.) The hacker injects code into the Web site that checks which online banking Web sites its visitors are currently logged onto. Once one is found, the hacker can present a convincing-looking pop-up notice asking the visitor to retype the username and password.

Key precautions against such attacks include:

• Deploy Web browser security tools.

• Always log out of banking and other sensitive online applications and accounts before navigating to other Web sites.

• Be extremely suspicious of pop-ups that appear in a Web session if you have not clicked a hyperlink.