Standard Bank phishing attacks

Posted on August 8, 2010

Over the last few weeks I have been getting emails “from” Standard Bank on a regular basis, probably one or two a week. Today I received two more. I am not a Standard Bank customer, so it is immediately obvious that they must be fake. Perhaps a little less so for those who bank with Standard Bank? Both of these mails look a little different, originate from different email addresses, and have slightly different profiles. Standard Bank (or someone) is on the ball (thankfully): when I tried to follow up on the mails to see how the attacks were working, both had been blacklisted with Firefox/Mozilla as phishing sites, and the offending pages had also been removed. There was one a few weeks back that had not yet been blocked at the time I tried to access it, so I have a little more info on that attack, which I will post as an update when I get a chance (probably only on the weekend).


In the meantime, here are some screenshots of the mails for those that might be interested. Perhaps most of you received the same mails 🙂

Exhibit A

Exhibit A: This mail supposedly comes from ibsupport@standardbank.co.za, a legitimate-looking email address (clearly spoofed). The graphics in the email are loaded from the legitimate Standard Bank website, so anyone watching what is loaded when the mail is displayed may get the sense that it is from Standard Bank. (This is different from the example below.) A “mouse over” on the link shows that it redirects to www.juniorblind.org. Go directly to that site and it appears to be an innocent victim of the scam (hacked and used to host it).

Email supposedly from Net Upgrades

Exhibit B

Exhibit B: This mail supposedly comes from standardbank@net-upgrades.co.za. Who? Even the email address looks a bit strange. A quick whois at http://co.za shows that nobody owns this address. Again, a spoofed mail. The graphics in the email are hosted by another site (http://harestuail.no/logo.gif). A “mouse over” on the link in the mail shows that it redirects to the site www.ct-network.net. Again, go to this site and it appears to be a legitimate victim.
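
The checks done by hand on the two exhibits above (sender domain, where the images load from, where the link really points) can also be run over a raw message. This is an added example, not part of the original post: the function names, the placeholder paths and the two sample mails are constructed for illustration, using only the addresses and hosts named above.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "standardbank.co.za"  # domain the mail claims to speak for

class HostCollector(HTMLParser):
    """Record the host behind every <a href> and <img src> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get({"a": "href", "img": "src"}.get(tag, ""))
        host = urlsplit(url or "").hostname
        if host:  # relative and mailto: targets carry no host
            (self.links if tag == "a" else self.images).append(host)

def on_brand(host, brand=BRAND):
    # True only for the brand domain itself or a real subdomain of it.
    host = host.lower().rstrip(".")
    return host == brand or host.endswith("." + brand)

def triage(raw_mail, brand=BRAND):
    """Return the set of warning signs present in one raw message."""
    msg = message_from_string(raw_mail)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    hosts = HostCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            hosts.feed(part.get_payload(decode=True).decode(charset, "replace"))
    signs = set()
    # A matching From proves nothing (it is spoofable); a mismatch is a cheap signal.
    if not on_brand(sender, brand):
        signs.add("sender-off-brand")
    if any(not on_brand(h, brand) for h in hosts.links):
        signs.add("link-off-brand")  # what the "mouse over" reveals
    if any(not on_brand(h, brand) for h in hosts.images):
        signs.add("image-off-brand")
    return signs

def sample(sender, img, link):
    # Constructed single-part HTML mail, not a captured message.
    return (f"From: {sender}\nContent-Type: text/html\n\n"
            f'<img src="{img}"><a href="{link}">Log on</a>')

EXHIBIT_A = sample("ibsupport@standardbank.co.za", "http://www.standardbank.co.za/placeholder.gif", "http://www.juniorblind.org/placeholder-path")
EXHIBIT_B = sample("standardbank@net-upgrades.co.za", "http://harestuail.no/logo.gif", "http://www.ct-network.net/placeholder-path")
```

Run against the two samples, Exhibit A trips only the link check, while Exhibit B trips all three.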

Each of these “victim” sites is hosting the attackers’ pages. When you visit the site without the full path of the “attack” page, you get to what appears to be a perfectly normal page (see below).

Exhibit A : junior blind home page

Exhibit B : Lakeside Care Home Page (ct-network.net)

Junior blind (Exhibit A) all ties up, has what appears to be valid contact details etc. Lakeside Residential (Exhibit B) sits on the ct-network.net page, has incomplete contact details and may well be some kind of demo site. Clearly none of these has anything to do with Standard Bank.

When clicking through on the links in the email (for research purposes; don’t blindly do this from your own computer unless you are properly protected), in this case Firefox picks up the site as being a phishing site / web forgery and displays the following message:

Reported Web Forgery (Junior Blind)

The same message appears for each of the two pages. In the bottom right is an “Ignore this warning” button which then links through to the pages concerned. As mentioned earlier, both of the pages have been removed from the hosting sites, returning just a 404 page not found error now.

It seemed strange to me that two different mails appeared on the same day, too obvious if you are a phisher. Looking at the pages, the messages, the “branding” of the messages, etc., it would appear that two different phishers are after Standard Bank today.

Conclusion

These attacks were both fairly basic and easily detectable. There are far more sophisticated attacks out there, but the more aware we are of each attack, the more alert we become. Keep spreading the word about phishing attacks to all of those around you. There are lots of telltale signs to look for, and lots of ways the phishers get around those. My golden rules are fairly simple. Never trust emails from your bank; if one looks legit and you are tempted to act on it, phone the bank on a number you already have (not one from the email). Be careful which computer you use to do your banking, and make sure your banking has an SMS (or some other 2 factor) authentication system, as well as a notification system (again, SMS is good) so that you know what is happening in your account. Good luck.

Update

MyBroadband had an article today entitled “Big 3 Phishing Tips : Keep yourself safe”. Some very basic tips in there, but read them if you want some more insight. They also quote a statistic from SABRIC: “In February 2010 The South African Banking Risk Information Centre (SABRIC) announced that the number of phishing web sites shut down by banks had more than trebled over the space of only three months. The announcement offers statistical validation that phishing attacks still keep on growing – in volume and sophistication.” Find the full article here.

Second Update

Standard Bank sent out a tweet today (25 August 2010):

“Hi guys, we’ve noticed a HUGE increase in the number of phishing mails. Pls send them to phishing@standardBank.co.za for investigation” @StandardBankGrp


Categories: Privacy, Research, Security


3 Responses

  1. ALESSANDRO:

    HI THERE!

    I RECEIVED THE FOLLOWING E-MAIL THIS MORNING, BUT APPARENTLY MY OTHER COLLEAGUES ALSO RECEIVED THE SAME E-MAIL, SO I AM CONVINCED THIS IS A SCAM.

    Dear Taxpayer ,

    After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of 3,682.50 ZAR. Please submit the tax refund request and allow us 2-3 days in order to process it.

    A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline. To access the form for your tax refund, please
    Click here : http://www.sars.gov.za/taxpayers/refundation.stml

    Note: For security reasons, we will record your ip-address, the date and time. Deliberate wrong inputs are criminally pursued and indicated.
    Thank You
    South African Revenue Service

    Oupa G. Magashula
    Commissioner

    16.05.2011 14:50

    • Justin:

      Sorry Alessandro, this is indeed a scam, and an old one at that. Read more here (from 2009 nogal) : IT Web article

      16.05.2011 19:32

  2. TeleSign Matt:

    Great timely and relevant post about the inherent risks and dangers associated with phishing scams. Your article underscores the need for better 2 factor authentication solutions which are being widely deployed in the financial and eCommerce industries. I’ve been working with a company called TeleSign who has been pioneering advancements in 2 factor technology. Feel free to check them out at http://www.telesign.com/.

    Respectfully,

    TeleSign Matt

    14.09.2010 20:40
