by Times of Oman
MUSCAT — A top Omani
Internet expert has warned that Internet pop-up scammers were targeting
bank customers around the world and fooling them into revealing personal
account details.
“It is the easiest, newest and cheapest way by making use of the
electronic mail and the Internet to fool people, especially when Internet
banking is widely promoted by every bank.
“It has happened in Australia and I have heard that such scammers were
making their way into the Omani Internet banking scenario,” Tariq Hilal Al
Barwani, a prominent net expert who is now doing his Master’s in
Information Technology, told the Times Business in an e-interview
yesterday.
The scamsters’ modus operandi was to use an e-mail to trick the recipient
into revealing his/her critical information.
“It is called ‘phishing’ (pronounced fishing),
and is used to define a person who uses e-mail to deceive the recipient
into revealing his/her personal information. Here, the fisher is the
hacker, the bait is the e-mail (the trick) and the customer is the fish.
“Currently, ‘phishers’ are targeting banks
(Internet banking users),” he said. Tariq, who has been doing research on
this topic during his Internet security course as part of his Master’s
Degree in Information Technology in Australia, said the
scamsters used near-foolproof methods to lure
unsuspecting bank customers into revealing their critical information.
“The ones behind this are very smart and clever — I have seen the pop-ups
and they do look quite genuine,” he said.
Tariq also explained how it worked: “An e-mail is sent to a customer,
which appears to have come from a legitimate
source (i.e., the bank). The e-mail looks pretty genuine and official. The
colour scheme is just about right and it
carries logos, graphics, letterheads, etc.,” Tariq said.
He also gave an example of how such an e-mail would look. The e-mail
would appear to come from some bank. For example:
tech.support@(banksname)-.com.
This would be followed by text intended to draw immediate attention:
“Technical services of the (banksname) are
upgrading the software. We earnestly ask you to visit the following link
to confirm your data in order to avoid blocking of your access: http://www.banksname.com/
This instruction has been sent to all bank customers from all countries
and is obligatory to follow.”
The (banksname) placeholder in the e-mail’s link is replaced with the
name of any of the local banks in Muscat that offer Internet banking.
According to Tariq, there are hordes of such examples, and all look very
professional and real.
When the user clicks on the URL link in the e-mail, they are taken to a
fake site that fools them into filling out their account details: account
number, credit card numbers, passwords or PIN numbers.
“Hackers or ‘phishers’ hijack the address bar
of your Internet browser (be it the Internet Explorer, Netscape or others)
by making it appear that the customer is visiting the bank’s site, but
what actually happens is that it directs him/her to a fake site that
happens to look exactly as his/her Internet banking site.”
Many customers from four major Australian banks — ANZ, Commonwealth Bank,
National Australia Bank and Westpac — were fooled by such e-mails. “The
e-mails appear and look as though it is coming from the bank in which it
alerts the customer to the fact that a certain amount of money has been
transferred out of their account. The e-mail provides a link as well. This
link takes the user to a genuine looking bank website where the user is
asked to key and fill in their Internet banking account details. “But, of
course, the site is nothing but a fake one although it is designed to look
identical,” Tariq said.
According to him, all scam and phishing e-mails have the following traits:
- Sender e-mail address: The e-mails would usually be like this:
Bank.operation@(bankname).com. The ‘bank.operation’ could be anything from a
staff name to a department of the bank, but the (bankname.com) will
usually be a faked or forged bank domain address and could even carry the
name of a local bank.
- Subject line: It is randomly generated, but specific to the targeted bank.
Examples:
  - Urgent information from ‘X’ group (where ‘X’ denotes a bank’s name)
  - Notification of transfer from your bank account
  - Important security information from ‘X’ (where ‘X’ is the bank’s name)
  - Warning from ‘X’ bank (‘X’ is the bank’s name)
  - Notice to all ‘X’ bank users
- Content of the e-mail: “Phishers use the targeted bank’s images and text
styles (logo, fonts and formatting style) to portray their e-mail as
genuine. The content does not address you, the customer, by name, but
instead addresses you as a general customer (as it is targeted at everyone,
not specifically at you).”
An example of such an e-mail would be:
“Dear customer,
“Our new security system will help you to avoid frequently fraudulent
transactions and to keep your investments safe.
“For reasons of technical updating, we ask you to confirm online
your banking membership details.
“Please follow the link below and fill out the form: http://www.(banksname).com/logi”
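The traits listed above (a forged sender domain, an alarming subject line, a generic greeting, pressure to act, a request for account details, and a link that does not go where it appears to go) can be turned into a simple mail-filter check. The Python script below is an added example written for this page; it is not code from the article or from Tariq Al Barwani. Both messages in it are constructed for the example, and every address, bank name and domain in them is a placeholder. The "last two labels" domain comparison is an assumption that is good enough for the sample; a real filter would use a public-suffix list.

```python
# Heuristic checker for the phishing traits described in the article.
# Added example; the sample messages are constructed and all names,
# addresses and domains in them are placeholders.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = ("urgent", "obligatory", "avoid blocking", "confirm",
                   "fraud alert", "immediately", "warning")
CREDENTIAL_WORDS = ("password", "pin", "account number", "credit card",
                    "membership details")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued customer",
                     "dear member")


def contains_any(text, phrases):
    """Whole-word match, so that e.g. 'pin' does not fire on 'shopping'."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def phishing_indicators(raw_message):
    """Return the list of phishing traits found in an RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    sender_domain = registrable_domain(m.group(1)) if m else ""

    if contains_any(str(msg.get("Subject", "")).lower(), URGENCY_PHRASES):
        found.append("alarming subject line")

    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = re.sub(r"<[^>]+>", " ", body).lower()  # tags stripped for word checks
    if contains_any(text, GENERIC_GREETINGS):
        found.append("generic greeting instead of the customer's name")
    if contains_any(text, URGENCY_PHRASES):
        found.append("urgency or threat of blocked access")
    if contains_any(text, CREDENTIAL_WORDS):
        found.append("asks for account details")

    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        if sender_domain and href_host and registrable_domain(href_host) != sender_domain:
            found.append(f"link host {href_host!r} is not under sender domain {sender_domain!r}")
        # If the visible link text looks like a URL, compare it with the real target.
        shown_m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/|$)", shown.lower())
        if shown_m and registrable_domain(shown_m.group(1)) != registrable_domain(href_host):
            found.append(f"link text shows {shown_m.group(1)!r} but points to {href_host!r}")
    return found


# Constructed phishing-style message modelled on the traits in the article.
SAMPLE_MESSAGE = """\
From: "Example Bank Support" <support@examplebank.test>
To: customer@example.test
Subject: Important fraud alert from Example Bank
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer,</p>
<p>Technical services of Example Bank are upgrading the software. We ask you
to confirm your Internet banking membership details (password and PIN) to
avoid blocking of your access.</p>
<p>Please follow the link below:
<a href="http://login.examp1ebank-secure.test/login">http://www.examplebank.test/login</a></p>
</body></html>
"""

# Constructed benign message for comparison: named greeting, no pressure,
# link text and target on the sender's own domain.
BENIGN_MESSAGE = """\
From: "Example Bank" <statements@examplebank.test>
To: customer@example.test
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Mr Placeholder,</p>
<p>Your statement for this month is ready. Sign in from the address you
normally use, or visit <a href="https://www.examplebank.test/statements">www.examplebank.test</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, phishing_indicators(raw))
```

Run as a script it prints six indicators for the constructed sample and none for the benign message. The link check is the one that most directly answers the article's warning that the displayed address and the real destination can differ: the visible text and the href are compared separately, so a genuine-looking URL in the link text does not hide a different target.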
Tariq said that he was aware of users having received such e-mails, which
were disguised as though they were emanating from a local bank. “I have
personally received quite a few from my Omantel
account,” he said, citing an example of an email he had received.
“E-mail address: support@(banksname).com
“Subject: Important fraud alert from (bank’s name).
“I will not be surprised if local banks with Internet banking facility
would not be targeted. Customer oriented banks would by now
have already put a notice on their websites to
alert customers,” Tariq said.
The motive of these scamsters
was very simple: “To make money. By tricking users obviously,”
Tariq said.
Steps to counter ‘phishing’
Tariq Al Barwani has given users some quick measures to counter the
phishing menace:
- Never entertain e-mails which ask for user accounts. As far as I know,
banks will never send out e-mails asking for your account details. If you
are unsure as to what to do, call the bank and cross-check.
- Do not click on the website links in any e-mails, because what you click
is not necessarily where you will end up going. There’s a way to hack
browsers by hijacking the link. Instead, directly type the link into the
Internet browser address bar. (Note: clicking and typing are two different
ways of accessing a link.)
- Make sure that you use anti-virus, firewall and anti-adware/spyware
programmes to help alert you to such attacks.
- Review credit card and bank account statements as soon as you receive
them to check if there are any unauthorised charges.
- Do not reply to such e-mails.
- Be careful about opening any attachment or downloading any files from
e-mails you receive, regardless of who sent them.