Various social engineering techniques used to trick customers

Jun 2, 2009 12:08 GMT

Security researchers from antivirus vendor Sophos have reported three different phishing campaigns targeting the customers of the Commonwealth Bank of Australia in only one week. The attacks employ different social engineering tricks to convince people to reveal their banking and personal details.

The first phishing campaign was reported on May 25 and was based on the classic "banking error" pretext. "Dear Commonwealth Bank of Australia customer, During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information," the associated e-mails read. The potential victim is then instructed to update their information by following a link to a fake page bearing Commonwealth Bank branding elements.

Other variations of this attack use messages like "Your Online banking account has been locked. To Login, please click the link below" or "Accounts status notification. Log on to view this message." Prashant Kumar, malware analyst at Sophos, advises customers to "be very careful and aware of where you send your personal information and do read up on your financial institution's policy on personal banking."

A second campaign, reported on May 31, takes an entirely different spin and uses an "earn some easy money" lure. "You have been chosen by the online department to take part in our quick and easy 5 question survey. In return we will credit $50 to your account – Just for your time," the phishing e-mails claim.

The included link points to a page that at first glance looks legitimate. However, at the end of the survey, users are asked for their personal and credit card information, including the "KeyCard PIN," allegedly required in order to receive the $50 reward. This should ring alarm bells: a bank does not need a credit card PIN in order to credit money to an account, and there is no circumstance in which a bank will ask its customers for their credit card PIN.

The third and most intriguing attack is actually a form of vishing, phishing performed over the phone. The lure is also a promise of free money made via an e-mail. "Congratulations! Your Cashback Bonus in amount of $500 is ready to be redeemed! Simply call us at +61-7####-### [# stands for a single digit], 24/7 to redeem," the messages claim.

The phone number is a valid Australian number that connects callers to an automated interactive voice response system. The system asks customers to enter their credit card number, expiration date and PIN. Together, these details would be enough to clone the card and withdraw money from the victims' accounts.

The similarities between these targeted attacks, combined with the wide variety of tricks used, culminating in the vishing scheme, suggest that they might be the work of more than a single phisher. The level of complexity points to a fairly organized gang with significant resources.

Photo gallery (5 images): Commonwealth Bank of Australia targeted by phishers; fake Commonwealth Bank Web page used in phishing attacks; Commonwealth Bank phishing e-mail message.