Subscribe
About

Standard nets phishing sites

By Iain Scott, ITWeb group consulting editor
Johannesburg, 09 Mar 2005

Standard Bank has shut down eight "phishing" Web sites in just four weeks.

Phishing is the practice of tricking consumers into revealing their online passwords and other information by luring them to fraudulent sites that appear to be those of banks or other legitimate businesses.

Consumers are usually lured by spam e-mails with subject lines like "account update needed".

Herman Singh, Standard Bank technology engineering director, says all eight sites were based offshore and were spoofs of the Standard Bank site, with bogus URLs like "standbank.com".

Standard Bank is using New York-based Cyota's FraudAction anti-phishing service, which includes various modules which detect incidents, analyse the severity of the attack and how to respond, shut down the spoof sites and contact Internet service providers (ISPs).

"We have been running a pilot for the last three months, and we are quite thrilled with it so far," Singh says.

"Google searches eight billion Web sites, but there are about 12 billion sites on the Internet. For us to search them all would be impossible."

However, Cyota, which has agreements with the ISP and international law enforcement communities, has helped the bank find and shut down eight sites so far.

Increase in frequency

He says that although Standard Bank has no record of any of its customers losing money in a phishing attack, the bank has been tracking the phenomenon globally and has noticed a rapid increase in the frequency.

While the problem has been more prevalent in countries like the US, Singh says it is finding its way to Africa too.

"As phishing becomes easier and enters the mainstream, the number of attacks is rising very quickly." He adds that "phishing" kits can be bought for $270 and there are sites that present tutorials on how to phish.

"As the international banks warn their customers, there is a move to targeting smaller financial institutions," he says.

Standard Bank also uses other products to track sites and says the Cyota solution is merely one part of a comprehensive and integrated approach. The bank is planning later this year to launch the option of a "one-time" password.

In terms of this project, a password will be valid for one transaction only, and when that transaction is complete, the user will be sent a new password for the next transaction.

"We don't want to start a war and become a lightning conductor," Singh says. "We just want to protect our customers' information and sense of trust in electronic banking."

* Newsletter e-briefs reports that the US Congress is to consider draft legislation to target phishing. Last week Senator Patrick Leahy introduced the Anti-Phishing Act, which targets both the e-mail bait and the fraudulent Web site by entering two new crimes into the US code. The Bill calls for fines of up to $250 000 and prison terms of up to five years.

Share