Phishing Attacks on Indian Banks on the Rise


  • 8/8/2019 Phishing Attacks on Indian Banks on the Rise

    1/6

    Phishing Attacks on Indian Banks on the Rise

    Mathew Maniyara

    05 Aug 2010

    July 2010 was the month for phishing attacks on Indian banks: a three percent increase in phishing attacks on Indian banks from the previous month was observed. In particular, Symantec observed phishing websites that spoofed the Oriental Bank of Commerce; several phishing URLs spoofing the bank were reported in the month of July. In fact, the bank was one of the most targeted Indian banking brands during the month.

    The phishing site that spoofed the login page of the bank asks for confidential information, such as the customer's e-mail ID and transaction password. The fraudsters' motive in stealing the login credentials was financial gain. A free web-hosting site hosted the phishing site. It is quite evident that fraudsters are targeting Internet banking users by creating more phishing sites and spoofing as many popular Indian brands as possible.

    Online banking users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:

    Do not click on suspicious links in e-mail messages.

    Check the URL of the website and make sure that it belongs to the brand (look at the host name itself, not at the brand name appearing somewhere else in the address).

    Type the domain name of your brand's website directly into your browser's address bar rather than following any link.

    Frequently update your security software, such as Norton Internet Security 2010, which protects you from online phishing.

    -------------------

    WHAT IS PHISHING?

    A phishing scam is when someone fraudulently and illegally imitates a trustworthy source to steal usernames, passwords, credit card info, etc.

    It can occur not only through e-mail, but also through wall posts, Facebook messages, and Facebook chat.

    HOW TO RECOVER

    If you think your account has been compromised, immediately change your Facebook password at https://www.facebook.com/editaccou

    Reformed UK fraud law to tackle phishing attacks

    10 years for phishermen

    By John Leyden

    Posted in Spam, 27th May 2005 15:36 GMT

    The UK government is reforming fraud laws to create an offence covering the perpetrators of phishing attacks. The provision is among a raft of measures designed to clarify existing laws within the new Fraud Bill, which was introduced in the House of Lords on Wednesday.

    A new offence of fraud, designed to strengthen the existing law and ease the prosecution process, is the main feature of the bill. The offence can be committed in one of three ways: false representation (as seen in phishing attacks); abuse of position (e.g. a person lifting money from the account of an elderly person under their care); and failing to disclose information (e.g. a lawyer who schemes to keep information from his client so he can make money on the side).


    Judges will be able to impose sentences of up to 10 years for any of these three offences.

    This means fraudsters who pose as financial institutions in the commission of phishing attacks, a form of false representation, could become the subject of extradition proceedings.

    The Bill will also introduce new offences for obtaining services dishonestly (a crime that covers making fraudulent credit card transactions on the net, for example) and of participating in fraudulent business. It will also become an offence to possess, manufacture or supply equipment which facilitates fraud, such as a computer programme that can generate genuine credit card numbers.

    The Bill is designed to clarify the current law. Home Office Minister Fiona MacTaggart said: "The introduction of a general fraud offence will improve the criminal law in a number of respects. It will simplify the law, making it clearer to juries and the general public as well as making the prosecution process more effective by providing a clear definition of fraud. Our aim is to encompass all forms of fraudulent conduct, with a law that is flexible enough to deal with developing technology, allowing us to bring more offenders to justice."

    ActiveSecure: Unparalleled protection for the extended enterprise

    As more and more business operations move online, the resulting web of transactions with customers, partners, vendors and providers no longer takes place outside the organization. It is the organization. This interconnected ecosystem is known as the extended enterprise, and protecting it is more important than ever. Because the biggest security risk is not inside the company's walls, it's out there. The best solution is a killer defense. IID's ActiveSecure is the only suite of business-critical solutions that can secure and protect the integrity of a company's Internet presence, detecting, diagnosing and mitigating problems with brand abuse and data loss. It's also the first security solution that provides holistic protection for the entire extended enterprise against this array of Internet threats, including phishing, malware attacks and Domain Name System (DNS) hijacking. IID is the only provider of technology and services necessary to actively secure this Internet presence for an organization and its extended enterprise.

    The company protects the integrity of today's leading financial service, e-commerce, social networking, ISP and other companies against a broad array of threats, from malware and phishing to the latest domain hijacking exploits. The same Internet that enables immediate, global communications and transactions also enables a vast global array of malicious crimes and threats. Since cyber criminals stand to gain tremendous value stealing from and posing as these organizations, companies need an active defense. But securing an organization without monitoring the partners, vendors, customers and other key players in an extended enterprise creates a gaping security hole. One that hackers are only too willing to exploit.

    ActiveSecure provides continual fortification for the extended enterprise, from securing transactions, messages and data, to exerting control over publication and distribution of malicious content, by:

    Protecting transactions with customers, partners and vendors
    Actively verifying trusted digital channels
    Detecting and mitigating vulnerabilities exposed through enterprise ecosystems

    IID offers the only way to get ActiveSecure protection for your extended enterprise. In fifteen minutes, we can give you the answers and information you need to bring the power of ActiveSecure to your company. Call now.

    IMPORTANT SECURITY TIPS FOR SAFE ONLINE BANKING

    1. Access your bank website only by typing the URL in the address bar of your browser.
    2. Do not click on any links in any e-mail message to access the site.
    3. State Bank never sends e-mails with embedded links asking you to update or verify personal, confidential and security details. NEVER RESPOND to such e-mails/phone calls/SMS if you receive them.
    4. Do not be lured if you receive an e-mail/SMS/phone call promising a reward for providing your personal information or for updating your account details on the bank site.
    5. Having the following will improve your Internet security:
       a. A newer version of the operating system with the latest security patches.
       b. The latest version of your browser (IE 7.0 and above, Mozilla Firefox 3.1 and above, Opera 9.5 and above, Safari 3.5 and above, Google Chrome, etc.).
       c. Firewall enabled.
       d. Antivirus signatures applied.
    6. Scan your computer regularly with antivirus software to ensure that the system is virus/Trojan free.
    7. Change your Internet banking password at periodic intervals.
    8. Always check the last log-in date and time on the post-login page.
    9. Avoid accessing Internet banking accounts from cyber cafes or shared PCs.

    Now OnlineSBI is EV-SSL certified

    What is Extended Validation SSL?

    Extended Validation SSL Certificates give high-security web browser information to clearly identify a website's organizational identity. For example, if you use Microsoft Internet Explorer 7 to visit a website secured with an SSL Certificate that meets the Extended Validation Standard, IE7 will cause the URL address bar to turn green. A display next to the green bar will toggle between the organization name listed in the certificate and the Certificate Authority (VeriSign, for example). Firefox 3 also supports Extended Validation SSL. Other browsers are expected to offer Extended Validation visibility in upcoming releases. Older browsers will display Extended Validation SSL Certificates with the same security symbols as in the existing SSL Certificates. Note that this describes the browsers of the time: current versions of Chrome and Firefox no longer show a green bar or the organization name for EV certificates in the address bar, so the host name shown there remains the check to rely on.

    About Phishing (Potential Security Threats)

    'Phishing' is a common form of online fraud. It is deployed to steal users' personal and confidential information like bank account numbers, net banking passwords, credit card numbers, personal identity details etc. Later the perpetrators may use the information for siphoning money from the victim's account or to run up bills on the victim's credit cards. In the worst case one could also become the victim of identity theft. A few customers of some other Indian banks were affected by phishing attempts in early 2006.

    We would like you to be aware of the methodologies used in a 'Phishing' attack, the do's and don'ts in sharing personal information, and the action to be taken in case you fall prey to a phishing attempt.

    Methodologies:

    Phishing attacks use both social engineering and technical subterfuge to steal customers' personal identity data and financial account credentials.

    1. The customer receives a fraudulent e-mail seemingly from a legitimate Internet address.
    2. The e-mail invites the customer to click on a hyperlink provided in the mail.
    3. Clicking on the hyperlink directs the customer to a fake web site that looks similar to the genuine site.
    4. Usually the e-mail will either promise a reward on compliance or warn of an impending penalty on non-compliance.
    5. The customer is asked to update his personal information, such as passwords and credit card and bank account numbers etc.
    6. The customer provides the personal details in good faith and clicks on the 'submit' button.
    7. He gets an error page. The customer has fallen prey to the phishing attempt.

    Don'ts:

    1. Do not click on any link which has come through e-mail from an unexpected source. It may contain malicious code or could be an attempt to 'Phish'.
    2. Do not provide any information on a page which might have come up as a pop-up window.
    3. Never provide your password over the phone or in response to an unsolicited request over e-mail.
    4. Always remember that information like password, PIN, TIN, etc. is strictly confidential and is not known even to employees/service personnel of the Bank. You should therefore never divulge such information even if asked for it.

    Do's:

    1. Always log on to a site by typing the proper URL in the address bar.
    2. Give your user ID and password only at the authenticated login page.
    3. Before providing your user ID and password, please ensure that the URL of the login page starts with the text https:// and not http://. The 's' stands for 'secure' and indicates that the web page uses encryption. Encryption alone does not prove who runs the site (a phishing page can also be served over https), so still check that the host name in the address bar is the bank's.
    4. Please also look for the lock sign at the bottom right of the browser (in current browsers, in the address bar) and the VeriSign certificate.
    5. Provide your personal details over phone/Internet only if you have initiated the call or session and the counterpart has been duly authenticated by you.
    6. Please remember that the bank would never ask you to verify your account information through an e-mail.
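    The manual checks recommended above (Symantec's "check the URL belongs to the brand" and "type the domain yourself", the methodology section's hyperlink leading to a look-alike site, and Do's 3 and 4 on https and the host name) can be applied mechanically to a suspected message. The following Python script is an added example written for this page; it is not code from Symantec, SBI or any bank. The bank domains (examplebank.in, examplebank.com), the free-hosting names and the sample e-mail are all constructed for illustration.

```python
"""Triage the links in a suspected phishing e-mail against a bank's own domains.

Added example for this page (not Symantec's or SBI's code). The allowlist,
the free-hosting names and the sample message below are assumed/constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: the registrable domains the bank really uses (hypothetical names).
BANK_DOMAINS = {"examplebank.in", "examplebank.com"}
# Assumed: free web-hosting providers of the kind the article says hosted the phish.
FREE_HOSTS = {"freewebhost.example", "sites.example"}

# Constructed sample message: one lure link, one genuine link, one user-info trick.
SAMPLE_MAIL = """<p>Dear customer, your account will be suspended unless you verify it.</p>
<a href="http://examplebank.in.freewebhost.example/login">https://www.examplebank.in/login</a>
<a href="https://www.examplebank.in/">Visit our site</a>
<a href="https://www.examplebank.in@10.0.0.5/">Update now</a>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels: 'login.examplebank.in' -> 'examplebank.in'.
    Adequate for .in/.com style names; multi-label suffixes such as co.uk
    would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(href, text):
    """Return the reasons a link looks like a phish; an empty list means it is
    consistent with the bank's own site."""
    reasons = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("user info before the host (brand@attacker trick)")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP address instead of a host name")
    except ValueError:
        pass
    rd = registrable_domain(host)
    if rd not in BANK_DOMAINS:
        reasons.append(f"host {host!r} is not a bank domain")
        if rd in FREE_HOSTS:
            reasons.append("hosted on a free web-hosting service")
        if any(d.split(".")[0] in host for d in BANK_DOMAINS):
            reasons.append("bank name used inside an unrelated host name")
    # The classic lure: the visible text shows the real URL, the href goes elsewhere.
    m = re.search(r"https?://([^\s/]+)", text)
    if m and registrable_domain(m.group(1)) != rd:
        reasons.append(f"visible text names {m.group(1)!r} but the link goes to {host!r}")
    return reasons


def triage_email(html):
    """Return [(href, visible text, reasons)] for every link in the message."""
    parser = _LinkParser()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in triage_email(SAMPLE_MAIL):
        print(("SUSPICIOUS" if reasons else "ok").ljust(10), href)
        for r in reasons:
            print("           -", r)
```

    Run as a script it prints a verdict per link: the first link is flagged on four counts (plain http, free-hosting host, bank name buried in an unrelated host name, visible text pointing at a different domain than the href), the second is clean, and the third is caught by the user-info and IP-literal checks. The registrable-domain comparison is the decisive test; the others only explain why a link failed it.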

    What to do if you have accidentally revealed password/PIN/TIN etc.:

    1. If you feel that you have been phished or you have provided your personal information at a place you should not have, please carry out the following immediately as a damage mitigation measure.

    o Change your password immediately.
    o Report to the bank by clicking on the link "Report Phishing".
    o Check your account statement and ensure that it is correct in every respect.
    o Report any erroneous entries to the bank.
    o Use the other compensatory controls provided by the bank, like setting the limits for demand drafts and trusted third parties to zero, enabling high security, etc., to minimize the risk.