Bank Re-branding – Criminal Exploitation

ABSA Bank, from whom Barclays has dis-invested, re-branded the bank with a new logo and with some fanfare.  As expected the criminals are waiting for such events to exploit bank clients during the ‘transition’ phase.  The interesting fact here is that the compromised sites with the Phishing exploit code is mostly in South Africa.  This shows that the fraudsters are actively thinking about their attack vectors.  If an unsuspecting ABSA client clicks on the Phishing email and he is directed to a local site, it will see valid and the risk of account compromise is higher.

Compromised site

One of the emails received contained a link to a local ( site called http://absaonlineupgradeservicesecure(.)co(.)za and reviewing the registration details, it is noted that this site was registered on behalf of a client through MWEB.

Planning process

Having obtained the source code from a compromised site, the analysis was quite simple and it seems that the ‘hackers’ are not that complete by closing access to the compromised site.  On one

Possible fraudster source in Ghana

of the sites, we noted a text file that contained the results of the Phished users.  There were also many test IP addresses which possibly virtual shows the source of the hackers.  This was noted to be from Ghana.

Within the text file, there was account numbers with PIN.  This information was forwarded to with all personal contact details in case they needed to complete this for verification.  No communication received after a week. (update: Communication received after 9 days)

The problem exists that it is not possible to educate all of the users to NOT CLICK on a link as the Internet was designed to click links. 

Two approaches to combat cybercrime must be followed and that is one from the end-user and the other from the bank.  This is not an exhaustive list, but will help to secure the eBanking process and make life for fraudsters more difficult.

End-Users (Bank clients) needs to be educated and this is an ongoing process.

Text file of compromised accounts on the compromised server

The bank can use technology to combat online fraud and some of the steps include:

  • Monitoring for increased access of the bank logos in relations to referenced pages.  This will only indicate a possible new Phishing campaign and allow the active monitoring to be placed in a higher level of readiness
  • Monitoring of client accounts from outside normal IP addresses.  For example if the source IP is outside South Africa (in this case), additional authentication should be required.
  • The bank should get actively involved with fraud notifications.  I have had two experiences now where two different banks do not respond.  The other was a possible fraud on a credit card and one of the options was block and phone the client back.  This never was done. (Not ABSA here)
  • The positive for ABSA here is the 2nd level access which the user selected passphrase is broken up into multiple selections.  This makes it more secure against actual compromise.
  • Banks also need to supply 2-factor authentication at all times to ensure that a physical token (mobile phone as an example) is required at all times.  I did experience problems with ABSA while travelling outside the country with the SecureCheck mobile app. Acknowledgement never was delivered and could not do any transactions.

This does not exclude the fact that the fraudsters may use other methods, such as a phone call or social engineering, to obtain information that is lacking to complete the fraud.

We have to acknowledge that some major changes has to take place in order to make it more secure for the end-user.  Combating fraud is a leap-frog exercise where bank security specialists have to be highly skilled and dedicated.