Risk: Informational
Users of NatWest online banking services were targeted on Friday (24th October 2003) by an email scam attempting to capture bank details in order to remove money from user accounts. The scam was delivered through fraudulent emails to a list of users, asking them to click a link and verify their banking details on a replica site. The link transferred users to a page that appeared to be the NatWest banking site and asked them to provide the security information they use to log on. A similar incident with eBay last year demonstrates that all online transactional sites are at risk.
NTA Warns online banking sites to Educate users against Fraud and Test their Security following Smile and Barclays Scams
8 October 2003
Following the recent scams on Smile and Barclays online banking sites, NTA is warning eCommerce sites to test their security and educate users against fraud.
Kevin Foster, Strategy Manager, NTA Monitor, comments, "Although the scam emails would appear suspicious to the security conscious user, a vast number would think it genuine. Victims of fraud are usually embarrassed about being duped, and keep quiet, so we're unlikely to know the true extent of these attacks. We are encouraged to see that some banks have made warnings available on their web sites, however we're surprised that despite these attacks, a number of UK banks are still not taking direct preventative action to advise customers of the risks these scams pose.
"The question is - will other eCommerce sites [not yet targeted by this scam] take the opportunity to give good advice to their customers before it's too late? Especially given that security concerns are a huge barrier to user uptake, responsible eCommerce sites should be taking more care to protect Internet users - both to protect their customers' sensitive records, and reduce the numbers duped by these kinds of scams."
It's really just a question of taking some sensible steps:
- Firstly, all eCommerce web sites should educate their users about Internet security and online fraud. The banks' advice to their users after the event, never to give out credit card details, was a case of locking the stable door after the horse had bolted. Direct preventative action needs to be taken by all eCommerce sites to advise new users. We would advise that a general warning on Internet safety precautions should be included as a matter of course on all web sites. Education should take place during registration at a minimum, and should also be permanently linked from the homepage, enabling users to make informed decisions.
- Regular domain name searching and verification will pick up look-alike registered domains (misspellings, transpositions and hyphenated variants of the site's own name), allowing the site to investigate suspicious registrations and take proactive action before users are duped by fraudulent websites.
- Engage regular eCommerce application security testing to proactively pick up potential (user) information disclosure vulnerabilities, enabling the site to close the holes before they are exploited. In our experience few sites test their eCommerce presence regularly, leaving the majority susceptible to these kinds of attack.
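The domain-watching step above is easy to automate. The following is an added example, not an NTA tool: it generates the common look-alike spellings of a brand name (omissions, transpositions, substitutions, insertions, a few homoglyph swaps and hyphenated phrases) and matches them against a feed of registrations. The registration list, the brand name and the small public-suffix table are all constructed assumptions; a real deployment would feed it from zone files or a registry's daily new-domain list.

```python
"""Flag registered domains that look like a brand's own domain.
Added example with a constructed registration feed; not NTA's code."""
import string

# Assumed brand and its genuine domains (example values).
BRAND = "natwest"
GENUINE = {"natwest.com", "natwest.co.uk"}

# Constructed sample of "newly registered" domains; none are real registrations.
SAMPLE_REGISTRATIONS = [
    "natwest.com",                        # genuine
    "natwset.com",                        # transposition
    "natwest-online.com",                 # hyphenated phrase
    "nalwest.com",                        # substitution
    "natvvest.com",                       # 'vv' for 'w'
    "natwest.co.uk.example-login.net",    # brand used as a subdomain label
    "unrelated-shop.com",
]

HOMOGLYPHS = {"w": ["vv"], "l": ["1", "i"], "o": ["0"], "i": ["1", "l"], "m": ["rn"]}
PHRASES = ["online", "secure", "login", "bank", "verify"]
# Simplified public-suffix table (assumption); use the real PSL in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk", "com.au", "co.nz"}


def lookalikes(name):
    """All one-edit variants of `name` plus homoglyph and phrase variants."""
    out = set()
    alphabet = string.ascii_lowercase + string.digits
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                     # omission
        for c in alphabet:
            out.add(name[:i] + c + name[i + 1:])             # substitution
    for i in range(len(name) - 1):
        out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
    for i in range(len(name) + 1):
        for c in alphabet:
            out.add(name[:i] + c + name[i:])                 # insertion
    for i, ch in enumerate(name):
        for rep in HOMOGLYPHS.get(ch, []):
            out.add(name[:i] + rep + name[i + 1:])           # homoglyph swap
    for p in PHRASES:
        out.add(f"{name}-{p}")
        out.add(f"{p}-{name}")
    out.discard(name)
    return out


def registrable_label(domain):
    """The label directly under the public suffix, e.g. 'natwest' in natwest.co.uk."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain, brand, genuine, variants):
    """Return a reason string if `domain` imitates the brand, else None."""
    d = domain.lower().strip(".")
    if d in genuine:
        return None
    label = registrable_label(d)
    if label == brand:
        return "brand name on an unrecognised domain"
    if label in variants:
        return "look-alike registrable name"
    if brand in d.split("."):
        return "brand name used as a subdomain label"
    if brand in label:
        return "brand name embedded in registrable name"
    return None


def scan(registrations, brand=BRAND, genuine=GENUINE):
    """Map each suspicious registration to the reason it was flagged."""
    variants = lookalikes(brand)
    return {d: r for d in registrations
            if (r := classify(d, brand, genuine, variants))}


if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_REGISTRATIONS).items():
        print(f"{domain:40} {reason}")
```

The one-edit variants dominate real typosquatting, but the subdomain case matters just as much: a scammer who cannot register a convincing second-level name will park the brand as a hostname under something unrelated, which a naive substring match on the registrable label would miss.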
ADVICE TO USERS:
- Do not send any sensitive information, including account numbers or passwords, in response to emails which appear to be from your bank. Banks will not ask their customers to enter, re-confirm or change their security details, including passwords, via email, so treat any such email as fraudulent.
- Don't take emails purporting to come from your online bank at face value: it is very easy to replicate the bank's imagery and branding in an HTML email so that it looks genuine.
- Check that the links in any email purporting to come from the bank actually point where they claim to: hover the mouse over the link and check that the URL it points to is the same as the one shown in the email. A link whose visible text shows the bank's address but whose real target is a bare IP address or an unrelated domain is a fraud.
- Don't advertise which online bank you think is great in chat rooms or newsgroups, as this reveals your email address as a particular bank's customer and enables a targeted attack.
- Check the email headers to ensure that the message actually came from a mail server using your bank's main Internet domain name in the "Received: from" lines. Most of these scams only change the From: and Reply-To: addresses. Note that only the Received: lines added by your own mail provider's servers can be trusted; anything below them was supplied by the sender and can be forged, so look at the line in which your provider's server first accepted the message from outside.
- Contact the bank to let them know of the attempted fraud; many offer a helpline number. Early detection will enable the bank to take action to remove the sites that the fake emails point to, preventing others from becoming victims of this fraud. Don't assume that someone else will have let them know.
- Keep the fraudulent email until you receive confirmation that the bank is aware of this specific case of fraud: information in the email and its headers could be used to track down the offending sites and pull the plug on them.
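The two header and link checks in the list above (hovering over links, and reading the "Received: from" lines) can be done mechanically. The following is an added example, not part of the original advisory: it parses a constructed phishing message, walks the Received: chain from the top down to the hop where the reader's own provider accepted the message from the outside (the lines below that were supplied by the sender and are ignored), and compares the visible text of each HTML link with where its href really points. The bank domain, the provider domain and the message itself are assumptions chosen for the example.

```python
"""Check a suspicious bank email: trace the trusted Received: hops and compare
link text with link targets. Added example with a constructed message."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

BANK_DOMAIN = "natwest.com"        # the bank's real Internet domain (assumed)
MY_PROVIDER = "example-isp.net"    # the reader's own mail provider (assumed)

# Constructed phishing message, not a real email. The bottom Received: line
# was written by the scammer; the two above it were added by the provider.
RAW_EMAIL = """\
Received: from mx1.example-isp.net (mx1.example-isp.net [192.0.2.10])
    by mailbox.example-isp.net (Postfix) with ESMTP id A1B2C3
    for <victim@example-isp.net>; Fri, 24 Oct 2003 09:12:00 +0100
Received: from natwest.com (dsl-203-0-113-55.example.net [203.0.113.55])
    by mx1.example-isp.net (Postfix) with SMTP id D4E5F6;
    Fri, 24 Oct 2003 09:11:40 +0100
Received: from secure.natwest.com (secure.natwest.com [198.51.100.7])
    by mailout.natwest.com with ESMTP id G7H8I9;
    Fri, 24 Oct 2003 09:11:00 +0100
From: NatWest Online <security@natwest.com>
Reply-To: security@natwest.com
To: victim@example-isp.net
Subject: Please re-activate your online banking account
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Following a technical update, please visit
<a href="http://203.0.113.55/nw/login.htm">https://www.natwest.com/login</a>
to reactivate your account.</p>
<p>Terms: <a href="https://www.natwest.com/terms">https://www.natwest.com/terms</a></p>
</body></html>
"""

# "from <helo> (<reverse-dns> [<ip>]) ... by <server>"; the bracketed part is
# what the receiving server itself observed, the HELO name is the sender's claim.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<peer>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.DOTALL)


def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def received_hops(msg):
    """Received: lines in header order (newest hop first), parsed."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(raw))
        if m:
            hops.append({"helo": m["helo"], "peer": m["peer"] or "", "by": m["by"]})
    return hops


def boundary_hop(hops, provider):
    """Last hop whose 'by' server belongs to the provider, walking from the top.
    Everything below it was supplied by the sender and may be forged."""
    boundary = None
    for hop in hops:
        if not in_domain(hop["by"], provider):
            break
        boundary = hop
    return boundary


def sender_check(msg, bank=BANK_DOMAIN, provider=MY_PROVIDER):
    hop = boundary_hop(received_hops(msg), provider)
    if hop is None:
        return "no trusted Received: line found"
    peer_host = hop["peer"].split()[0] if hop["peer"] else ""
    if in_domain(peer_host, bank):
        return "ok: handed over by a %s server" % bank
    return "suspicious: HELO claimed %s but the connecting host was %s" % (
        hop["helo"], hop["peer"] or "unknown")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_check(msg, bank=BANK_DOMAIN):
    """(href, shown text, reason) for each link that misleads or leaves the bank."""
    body = msg.get_payload(decode=True).decode("ascii", "replace")
    p = LinkCollector()
    p.feed(body)
    bad = []
    for href, text in p.links:
        real = urlparse(href).hostname or ""
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and shown != real:
            bad.append((href, text, "text shows %s but href goes to %s" % (shown, real)))
        elif re.fullmatch(r"[\d.]+", real):
            bad.append((href, text, "href uses a bare IP address"))
        elif not in_domain(real, bank):
            bad.append((href, text, "href is outside %s" % bank))
    return bad


def analyse(raw=RAW_EMAIL):
    msg = message_from_string(raw)
    return {"sender": sender_check(msg), "links": link_check(msg)}


if __name__ == "__main__":
    result = analyse()
    print(result["sender"])
    for href, text, reason in result["links"]:
        print("BAD LINK:", reason, "|", text, "->", href)
```

Note what the boundary logic does with the forged third Received: line: it is never consulted, because the walk stops at the first hop that was not recorded by the reader's own provider. The line that matters is the provider's own record of who connected to it, and there the HELO name natwest.com does not match the dial-up host the server actually saw.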
Users of Smile and Barclays have recently been subjected to an email scam attempting to capture bank details and remove money from user accounts. The scam was delivered through fraudulent emails to a list of users, asking them to click a link and enter credit card and password information into replica sites. The emails claimed that the banks had made a technical update and recommended reactivating the user's account by clicking on a link. The link transferred users to a page that appeared to be the login page of their Internet bank and asked them to provide the security information they use to log on.