Tag Archives: BARCLAYS PLC

Phishers Force UK Banks To Delay Transfers

Another sign that phishing is taking its toll on the quality of service banks can offer online customers: The Times reports that UK banks are introducing delays in intra-bank payments to try to combat fraudulent transfers caused by phishing attacks:

This week Barclays introduced a one-day delay for transfers. A spokeswoman said: “This delay enables us to carry out checks that seek to prevent fraud.” Halifax also introduced delays in the processing of payments this week, as have Royal Bank of Scotland and NatWest, The Times reports today.

Interesting. Inevitable, perhaps, but this degradation in service can only force some customers back to the physical banks, or to less appealing and less cost-effective services like phone-banking. Running checks on every Internet transfer is going to be time-consuming and expensive for banks. What does this do to banks’ hopes that online banking would effectively replace the high street bricks-and-mortar model?

Phishers Raise The Bar

Phishers can now access banking websites that use an extra ‘keylog-proof’ security layer.

For several months phishers — folk fooling you into giving up valuable passwords — have used keylogging software which captures passwords and user names as you type them into banking and other financially oriented sites. But these aren’t much use against websites that use extra layers of security that don’t require the user to type anything, but instead to click on something. At Britain’s Barclays bank, for example, users are required to select from a list two letters matching a pre-selected secret word. Keyloggers aren’t any use against this, since nothing is typed on the keyboard and so there are no letters or numbers to capture.

Enter a new kind of phishing trojan, documented by the ever-vigilant Daniel McNamara of Code Fish. While capturing keystrokes like other keylogging trojans, this one also captures screenshots (images of whatever is on the screen) and sends them along to a Russian email address. It captures a host of other goodies too, including whatever text the user happens to copy to the clipboard while accessing the banking website in question (a smart move: users often copy their password to the clipboard and then paste it into the appropriate field). The target in this case? Barclays bank.
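To make the risk concrete, here is an added simulation (my own illustration, not code from the post or from Code Fish) of why a click-based two-letter challenge defeats a keystroke logger but not a trojan that captures the screen and clipboard. It assumes, as a simplification, that the bank picks the two challenged positions at random each login and that every captured session is readable; the real Barclays scheme is not described in that detail on the page.

```python
import random

SECRET_WORD = "mistletoe"  # constructed sample secret word, not a real credential


def challenge_positions(word_len, k=2, rng=random):
    """One login: the bank asks for k distinct positions of the secret word (assumed random)."""
    return sorted(rng.sample(range(word_len), k))


def keylogger_view(secret, positions):
    """A keystroke-only logger learns nothing: the letters are clicked, never typed."""
    return {}


def screen_capture_view(secret, positions):
    """A screenshot/clipboard trojan sees the prompt and the clicked letters for this session."""
    return {p: secret[p] for p in positions}


def sessions_to_recover(secret, k=2, rng=random, limit=10_000):
    """Number of observed logins until every position of the secret word has been seen."""
    known = {}
    for n in range(1, limit + 1):
        known.update(screen_capture_view(secret, challenge_positions(len(secret), k, rng)))
        if len(known) == len(secret):
            return n
    return None


def minimum_sessions(word_len, k=2):
    """Best case for the attacker: no position repeats, so ceil(word_len / k) logins suffice."""
    return -(-word_len // k)


def expected_sessions(word_len, k=2, trials=2000, seed=7):
    """Monte Carlo estimate of the average observed logins needed to expose a word of this length."""
    rng = random.Random(seed)
    secret = "x" * word_len  # the letters themselves don't affect the count
    return sum(sessions_to_recover(secret, k, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("keylogger learns:", keylogger_view(SECRET_WORD, [0, 4]))
    print("screen capture learns:", screen_capture_view(SECRET_WORD, [0, 4]))
    print("min logins to expose a 9-letter word:", minimum_sessions(9))
    print("average logins to expose a 9-letter word:", round(expected_sessions(9), 1))
```

The point for defenders is that the partial-password trick only hides the secret from an attacker who cannot see the screen; a handful of captured sessions is enough to reconstruct the whole word.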

As Daniel points out, it seems as if this trojan has already been spotted. Symantec and other anti-virus vendors have in the past week referred to it, or something like it, calling it, variously, Bloodhound.Exploit.6, W32/Dumaru.w.gen, Exploit-MhtRedir and Backdoor.Nibu.D. And Barclays may be referring to the scam when it warns its users that “Some customers have been receiving an email claiming to be from Barclays advising them to follow a link to what appears to be a Barclays web site, where they are prompted to enter their personal Online Banking details.” (Although in fact the email in question doesn’t do this: it disguises itself as a web hosting receipt, and makes no mention of Barclays or online banking. The victim is instead lured by curiosity to a link in the email which takes them to a website that downloads the trojan in question.)

But none of these messages indicate the seriousness of this escalation. Whether this phishing trojan is just a proof of concept or a specific attack against Barclays, it should send some serious warning signals through both the anti-virus industry and the online banking world. Phishers are getting smarter, and getting smarter quickly. As Daniel himself writes, “This is a huge step in the phisher trojan evolution…This well-designed trojan should make anyone who has complete faith in visual selection systems a little bit worried.”

Counting The Cost Of Online Crime

Phishing is beginning to bite.

British police at a high-tech crime congress (noted by USC Annenberg Online Journalism Review) say that 83% of Britain’s 201 largest companies reported experiencing some form of cybercrime. The damage has cost them more than £195 million ($368 million) from downtime, lost productivity and perceived damage to their brand or stock price.

Much of the damage is being done to financial companies, three of whom lost more than £60 million ($130 million). Phishing has hit banks like Barclays, NatWest, Lloyds TSB and 50 other British businesses, Reuters quoted Len Hynds, head of Britain’s National Hi-Tech Crime Unit (NHTCU), as saying.

Of course, it’s probably much worse than this. Most companies don’t report ‘cyber-crime’ to the police for fear that making the matter public would harm their reputation. The National Hi-Tech Crime Unit (NHTCU) said that of the companies hit by cyber-crime, less than one-quarter reported the matter to police. But that’s better than two years ago, when NO companies were reporting.

Security experts warn that a new wave of cybercrime attacks will be nastier than what companies have already experienced. David Aucsmith, chief technology officer for Microsoft Corporation’s security and business unit predicted criminals would target banking systems, company payroll and business transaction data.

Here are some other interesting facts from Bernhard Warner’s Reuters report:

  •  Seventy-seven percent of respondents said they were the victim of a virus attack, costing nearly 28 million pounds.
  •  Criminal use of the Internet, primarily by employees, was reported by 17 percent of firms at a cost of 23 million pounds.
  •  More than a quarter of firms surveyed did not undertake regular security audits.