At least 200 Westpac customers were tricked yesterday into giving up their online banking passwords, and the bank expects more victims of the international email scam to emerge.

Many New Zealanders found the message waiting in their email inboxes yesterday morning. The email pretends to be from Westpac, saying the bank wants to check that email addresses are valid and asking customers to confirm their address by providing their banking ID and password at the Westpac website. The email includes a link that appears to point at Westpac’s website, but actually directs browsers to a website in Russia.

Westpac spokesman Paul Gregory says the bank hasn’t yet found any suspicious transactions, but will have a better idea today when the transactions summary is available. “Obviously we’ll be taking a pretty close look at their accounts over the next few days.”

Gregory urges Westpac customers who provided their login details to the bogus website to change their password as soon as possible, contact the bank, and keep a close eye on their online accounts. “All we can do is let people know it’s around. We would never, ever send out an email of that sort.”

Because online money transfers to overseas accounts need to be specially set up, the bank will examine overseas transfers carefully, Gregory says. The scam involves websites in Nauru and Russia, he says, so he’s doubtful that the fraudsters have set up accounts in New Zealand.

Many recipients of the email are not Westpac customers. The hoaxers apparently used one of the lists of email addresses available for purchase on the internet, and sent the messages indiscriminately to New Zealand email users. Craig Whitmore, a systems administrator at Orcon Internet, says the ISP’s mail logs show it had received about 100,000 copies of the scam email in a day. “It really is a massive trawling exercise,” commented Westpac’s Gregory.

Although some were fooled by the bogus messages, others were alerted by flaws in the emails. The emails pretended to link to the westpac.com.nz domain, which is invalid — the correct address is westpac.co.nz — and did not convince some recipients. “There wasn’t a great deal of sophistication in the emails themselves,” says Gregory.

Many of the emails never reached the recipients. Orcon’s mail servers rejected the messages because the sender address used the invalid westpac.com.nz domain, Whitmore says. “Most mail servers should actually block it,” he says.

The bank posted a note on its banking login page yesterday, warning customers about the scam, and was planning to contact online customers directly. The police e-crime unit is investigating.
Spotting phoney internet links

Internet links usually contain only the server name and sometimes a page location:

    web.server.co.nz/location/page.html

Sometimes, links can also contain username and password information:

    user:firstname.lastname@example.org/location/page.html

If the server doesn’t require authentication, it will ignore the username and password. Scam artists put the expected server name in the username field, and build links that actually point at a completely different server:

    mysite.co.nz:email@example.com/location/page.html

To disguise it further, fraudsters will cloak the real server name with other characters, as the Westpac hoaxers did:

    www.westpac.com.nz:ac-KWAhgJPKfv6PtK6u4LAc@ik3bcj0tu.Da.rU/?IEgaU0MmaGMVCnd

Although that link appears to point at www.westpac.com.nz — actually an invalid address — it will instead direct browsers to the server ik3bcj0tu.da.ru, located after the @ symbol.
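The check described in the sidebar, written out as an added Python example (not code from the article or from Westpac): it splits a link the way a browser does, reports the server that would actually be contacted, and flags any server-looking text placed before the @ symbol. The only assumption is the bank’s genuine domain, westpac.co.nz, taken from the article.

```python
import re
from urllib.parse import urlsplit

# Hostname shape: dotted labels ending in an alphabetic top-level domain.
_HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")


def looks_like_host(text):
    return bool(_HOST_RE.match(text.lower()))


def host_matches(host, expected_domain):
    """True if host is expected_domain itself or one of its subdomains."""
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def assess(link, expected_domain):
    """Work out where `link` really goes and whether it uses the username trick.

    Returns the host a browser would contact (real_host), any host-shaped text
    placed before the '@' (decoy_host) and a verdict: 'decoy' (server name in
    the username field), 'userinfo' (credentials embedded in the link),
    'wrong-host' (not under expected_domain) or 'ok'.
    """
    # The sidebar's examples omit the scheme; urlsplit needs one to find the server part.
    if "://" not in link:
        link = "http://" + link
    parts = urlsplit(link)
    real_host = (parts.hostname or "").lower()  # everything after the last '@'
    userinfo = parts.username                   # text before ':' or '@', if any
    decoy_host = userinfo.lower() if userinfo and looks_like_host(userinfo) else None
    if decoy_host:
        verdict = "decoy"
    elif userinfo is not None:
        verdict = "userinfo"
    elif not host_matches(real_host, expected_domain):
        verdict = "wrong-host"
    else:
        verdict = "ok"
    return {"real_host": real_host, "decoy_host": decoy_host, "verdict": verdict}


if __name__ == "__main__":
    # The link quoted in the sidebar, checked against the bank's genuine domain.
    hoax = "www.westpac.com.nz:ac-KWAhgJPKfv6PtK6u4LAc@ik3bcj0tu.Da.rU/?IEgaU0MmaGMVCnd"
    print(assess(hoax, "westpac.co.nz"))
```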