Indian Banks Continue to be Fraudsters’ Favorites
Since the last week of August 2010, Symantec has been observing a massive phishing attack on a popular Indian bank. To date, we have recorded over one thousand phishing URLs that have spoofed the bank’s website. This has increased the total count of phishing attacks on Indian brands from the previous month by a whopping 192 per cent.
In this case, users who clicked the phishing URLs were prompted to verify their accounts in order to continue accessing online services. Fraudsters typically use this strategy in an attempt to con users into giving away their confidential information. The fake verification asks for the user’s ID and password, transaction password, ATM/debit card number, and mobile number.
After the sensitive information is entered and the “Verify” button clicked, the user is automatically redirected to the page shown below. Here, the user is asked to enter their ATM or debit card number, which the page claims is an attempt to provide a “safe and secure” environment.
After the required digits are entered and the “OK” button is clicked, the page redirects to an acknowledgement page. Ironically, here, the customer receives a message that the bank is constantly striving towards providing more security to online services. This message was provided by the fraudster in order to convince customers that the process is authentic. However, the fact remains that if customers fell victim to the phishing site, the fraudsters would have successfully stolen their information for financial gain.
The phishing site was hosted on a particular set of IP addresses (an IP address used directly in a URL looks like http://255.255.255.255), which were located on servers based in London and Houston.
By registering many domain names pointing to these IP addresses, the attacker generated a large number of URLs for the same phishing website. This was achieved by just changing the domain name for each URL.
This process of generating many phishing URLs is, in most cases, carried out automatically with the help of phishing toolkits. These toolkits are typically easy to use, even for cybercriminals with low technical capabilities.
Some common patterns observed in these URLs are shown below:
www.*****.com/~cliffwol/banking [Domain name removed]
www.*****.co.uk/~james6/alerts [Domain name removed]
www.*****.net/~richard1/ [Domain name removed]
It’s interesting to note that common names like Richard and James were used as part of the URL. In this phishing attack, the most utilized Top Level Domains (TLDs) were .com, .net, and .org. Among country code Top Level Domains (ccTLDs), the United Kingdom, Australia, and Romania were the most common.
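The clustering described above (many registered domains pointing at the same hosting IPs, the same tilde user directory reused across domains, and a TLD/ccTLD breakdown) is the kind of analysis a takedown or anti-phishing team runs over a captured URL feed. The following is an added example written for this post, not Symantec’s own tooling; the URLs, hostnames and IP addresses in it are constructed placeholders, and the resolved IP per URL is assumed to have been recorded at capture time.

```python
"""Group a constructed feed of phishing URLs by hosting IP and extract the
patterns discussed above: tilde user directories, TLD and ccTLD distribution,
and the same site served under several domain names."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit
import re

# Constructed sample (hostnames and IPs are placeholders, not data from the post).
# Each entry is (phishing URL, IP the hostname resolved to when captured).
SAMPLE_URLS = [
    ("http://www.example-shop.com/~cliffwol/banking", "198.51.100.10"),
    ("http://www.example-news.co.uk/~james6/alerts", "198.51.100.10"),
    ("http://www.example-blog.net/~richard1/", "198.51.100.10"),
    ("http://www.example-club.org/~james6/alerts", "203.0.113.7"),
    ("http://www.example-travel.com.au/~richard1/", "203.0.113.7"),
    ("http://www.example-portal.ro/~cliffwol/banking", "203.0.113.7"),
    ("http://www.example-corp.com/~richard1/", "198.51.100.10"),
    ("http://www.example-mail.org/~james6/alerts", "203.0.113.7"),
]

# Matches the "/~username" prefix typical of per-user web directories on shared hosts.
TILDE_PATH = re.compile(r"^/~([A-Za-z0-9_.-]+)")

# Minimal list of second-level labels under ccTLDs, enough for the sample;
# a real deployment would use the Public Suffix List instead.
SECOND_LEVEL = {"co.uk", "org.uk", "com.au", "net.au"}


def host_suffix(host):
    """Return the TLD or ccTLD suffix of a hostname, e.g. 'com', 'co.uk', 'com.au'."""
    labels = host.lower().rstrip(".").split(".")
    last_two = ".".join(labels[-2:])
    return last_two if last_two in SECOND_LEVEL else labels[-1]


def is_cctld(suffix):
    """ccTLDs are two-letter country codes as the final label (uk, au, ro, ...)."""
    return len(suffix.rsplit(".", 1)[-1]) == 2


def analyze(urls):
    """Return counts and groupings that expose kit-generated URL sprawl."""
    hosts_by_ip = defaultdict(set)    # ip -> hostnames that pointed at it
    same_site = defaultdict(set)      # (ip, path) -> hostnames serving that one site
    tilde_users = Counter()
    suffixes = Counter()
    cctlds = Counter()
    for url, ip in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        hosts_by_ip[ip].add(host)
        same_site[(ip, parts.path)].add(host)
        match = TILDE_PATH.match(parts.path)
        if match:
            tilde_users[match.group(1)] += 1
        suffix = host_suffix(host)
        suffixes[suffix] += 1
        if is_cctld(suffix):
            cctlds[suffix.rsplit(".", 1)[-1]] += 1
    # A site reachable under more than one domain on the same IP is the
    # "change only the domain name" pattern described in the post.
    multi_domain = {key: sorted(hosts) for key, hosts in same_site.items() if len(hosts) > 1}
    return {
        "hosts_per_ip": {ip: len(hosts) for ip, hosts in hosts_by_ip.items()},
        "multi_domain_sites": multi_domain,
        "tilde_users": tilde_users,
        "suffixes": suffixes,
        "cctlds": cctlds,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_URLS)
    for key, value in report.items():
        print(f"{key}: {dict(value)}")
```

The `multi_domain_sites` grouping is the one worth acting on first: one hosting-provider abuse report per (IP, path) pair covers every domain pointing at it, whereas blocklisting domain by domain chases each new registration.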
Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:
• Do not click on suspicious links in email messages.
• Check the URL of the website and make sure that it belongs to the brand.
• Type the domain name of your brand’s website directly into your browser’s address bar rather than following any link.
• Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.
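The second tip, checking that a URL really belongs to the brand, is harder than it sounds because phishing URLs put the brand name where people look (the path, a subdomain prefix, or the userinfo part before an "@") rather than in the registered domain. The check below is an added example, not code from the post or from Symantec; `example-bank.com` is a constructed stand-in for the brand’s registered domain, and the test URLs are constructed.

```python
"""Decide whether a URL's hostname belongs to a brand's registered domain.
Only the hostname counts; path, query and userinfo are ignored on purpose."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed stand-in for the brand's real registered domain.
BRAND_DOMAIN = "example-bank.com"


def belongs_to_brand(url, brand_domain=BRAND_DOMAIN):
    """True only if the hostname is brand_domain or a subdomain of it."""
    # urlsplit needs a scheme to find the hostname; assume http for bare hosts.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    try:
        ip_address(host)      # a bare IP literal is never the brand's site
        return False
    except ValueError:
        pass
    brand = brand_domain.lower().rstrip(".")
    return host == brand or host.endswith("." + brand)


# Constructed cases illustrating the common tricks; expected verdict on the right.
CASES = [
    ("https://online.example-bank.com/login", True),             # genuine subdomain
    ("https://example-bank.com", True),                          # genuine apex domain
    ("http://www.example-bank.com.evil.example/login", False),   # brand as subdomain prefix
    ("http://example-bank.com@evil.example/login", False),       # brand in userinfo before "@"
    ("http://evil.example/~james6/example-bank.com/", False),    # brand in the path
    ("http://198.51.100.10/example-bank.com/", False),           # raw IP, brand in path
    ("http://exampleexample-bank.com/", False),                  # suffix match without the dot
]


def run_cases(cases=CASES):
    """Return the list of (url, verdict) pairs; useful for eyeballing the tricks."""
    return [(url, belongs_to_brand(url)) for url, _expected in cases]


if __name__ == "__main__":
    for url, verdict in run_cases():
        print(f"{'OK ' if verdict else 'NO '} {url}")
```

The `endswith("." + brand)` form, with the leading dot, is what stops `exampleexample-bank.com` from passing; matching on the bare brand string is a classic mistake in URL filters.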
Thank you to the co-author of this blog, Rohan Shah.