FRAMINGHAM (09/16/2003) - Within the past week, customers of Britain's Barclays Bank and two Canadian banks have been the victims of cybercriminals who tricked them into revealing their personal account information.
In the U.K., Barclays Bank PLC warned customers on Saturday of an e-mail scam designed to get them to reveal confidential financial information. And in Canada, customers of BMO Bank of Montreal and Toronto-based Mouvement des Caisse Desjardins were hit with a variation of the same e-mail scam.
According to Barclays, fraudsters sent an e-mail message purporting to be from the bank with link to what appeared to be the bank's Web site. It was, in fact, a spoof site.
Customers were then prompted to enter personal information such as passwords and personal identification numbers, which could be used to withdraw cash or transfer funds to other accounts.
Barclays said that about 400 people contacted the bank to say they had received the e-mail, which was sent to Barclays customers and to noncustomers. Of that number, eight said that they had given out personal details and their accounts had been locked. Barclays pledged to cover any losses caused by the scam and said it was successful in closing down the spoof Web site.
Britain's National Hi-Tech Unit, which tackles cybercrime, was called in to investigate the scam.
Meanwhile, spokesmen for the two Canadian banks said Tuesday that hackers sent out mass e-mails hoping to target legitimate bank customers. The e-mails told consumers to click on a URL that would take them to the banks' Web sites -- where they could enter to win US$500.
However, those links actually took viewers to a cloned Web site, where they were asked to enter bank account numbers and passwords.
BMO spokesman Ian Blair and Desjardins spokesman Andre Chapleau said those e-mails also contained a Trojan horse, which was activated when consumers clicked on the link. It enabled the hackers to take control of users' computers and steal information.
BMO, which learned of the scam from customers, contacted the Internet service provider hosting the spoof site, which immediately shut it down, Blair said. However, that didn't deter the hackers.
"Shortly after [the spoofed site was shut down], the hackers sent out another e-mail to customers saying the hackers had been caught but in the process their personal information might have been deleted, and asked them to resubmit their information," he said.
Royal Canadian Mounted Police are now investigating the hoax, Blair said, noting that BMO has already changed the passwords and other personal information of the 100 or so customers taken in by the scam.
As for the Mouvement des Caisse Desjardins, Chapleau said his organization tracked down an ISP in Pennsylvania and had it close down the other spoofed site. He said the hosting company tracked the cybercriminals to Russia.