The Commonwealth Bank has engaged the Australian Federal Police to shut down a sophisticated fraud network targeting its customers, which includes a compromised Queensland telephone number.
The phishing e-mails have bypassed some spam filters and direct users to imitation Commonwealth Bank Web pages with the promise of tax and credit refunds, or ironically to address purported account security problems.
In one e-mail, users are directed to call a Queensland telephone number which issues a greeting ostensibly from the Commonwealth Bank and prompts users to enter account information to unlock restrictions.
A spokesman for the bank said its security team is liaising with the federal police to identify the fraudsters and shut down the six offending Web sites.
He said the High Tech Crime Centre, part of the federal police, has terminated one Web site.
The bank said it had received calls from hundreds of customers inquiring about the scams, and has issued a warning screen on its Web site to customers.
Security consultancy assurance.com.au director Neal Wise said the Queensland phone number could have been registered with false details despite the requirement for providers to verify identification.
“They have to be able to associate a number to an individual or body corporate, but quite often that information is taken over the phone, and it can be a bit of an honour system,” Wise said.
“VoIP (Voice over Internet Protocol) providers need to collect identification even for an inbound phone service... but the [perpetrators] won't include their home phone numbers and wait for the police to show up.”
One security consultant, who requested anonymity, said a local ISP may have leaked e-mail addresses, as the scams are highly effective at hitting e-mail addresses owned by Australians.
He became suspicious after receiving phishing e-mails in a number of accounts without .au suffixes, and suggests a dodgy ISP employee may have leaked customer data.
“Registration for domain names is so easy, so at best closing a domain would take longer than a week; it depends how cooperative a country's law enforcement is... some countries even encourage ripping off Westerners,” he said.
Sophos head of technology Paul Ducklin said much of the success of the phishing scams is due to a mass spam campaign.
“Some are getting through but loads are being blocked, too. At the same time, I'm not seeing more than the usual number of phishes (blocked or unblocked) against other institutions. Seems to be a concerted, high-volume effort against CommBank's brand.”
An Australian Federal Police spokeswoman confirmed it is working on eliminating the scams and said in a written statement it has noticed a reduction in phishing Web sites over the last 18 months.
“The use of phishing sites and malware is often successful, resulting in a loss of money to the victim or the victim's bank,” she said.
Federal law enforcement is tackling online fraud through the police and industry Joint Banking and Financial Sector Investigation Teams established last year in Melbourne and Sydney.