New email banking scam one of the most convincing yet

NAB customers need to be on the lookout for a sophisticated and extremely convincing new email scam.

The 'phishing' scam has been detected by cyber-security company Proofpoint but, at the time of writing, doesn't yet appear on the NAB fraud warnings site. 

Most phishing emails, messages crafted to fool bank customers into divulging sensitive information, are straightforward to detect with filtering algorithms or even a quick look. This scam is said to go further than usual.

How to identify the scam:

1. A very convincing NAB-branded email about an account suspension is sent to Australian customers. In the word 'verification' the attacker replaced the letter 'o' with a look-alike circle character, so keyword-based anti-spam filters searching for 'verification' do not match the text.


2. Unsuspecting customers open the attachment and click on the link, which displays a very real-looking URL, identical to the genuine one: https://ib.nab.com.au/nabib/index.jsp


Even the HTML source shows the link pointing to the legitimate ib.nab.com.au.

3. The user is then shown a page that looks like the NAB login page. The URL also appears legitimate, showing the same ib.nab.com.au address (one of the reasons you can't tell it's a phishing attempt): the HTML document loads an external JavaScript file that makes the address bar display that text. Note that a web page cannot make the browser's real address bar show another site's address, so what the victim sees must be drawn by the page itself, which is exactly why it can show any address the attacker chooses.


Phishing kits use a variety of encoding and JavaScript to prevent both users and security vendors from determining that the landing pages are anything other than harmless text or benign HTML-rendering functions. This is called obfuscation, and it is becoming more common in these attacks.

4. The phish does not stop at login credentials. Once the user provides a username and password, they are redirected to a further fraudulent page designed to squeeze more information out of the victim.


5. The user completes this page and clicks Continue, and is redirected to the legitimate National Australia Bank website, none the wiser until it is too late.

The attacker gets: bank login information, personal and contact details, credit card details, and more. 
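The three tricks in steps 1 to 3 (a look-alike character inside a keyword, link text that shows one address while the link goes elsewhere, and a page that loads external JavaScript) can be checked for mechanically. The following Python script is an added example, not code from Proofpoint, NAB or the article: it parses an HTML body and flags words that mix ASCII letters with non-Latin characters, anchors whose visible text names a different host than their href, and any script the document loads or attaches to a link. The sample lure and the benign message are constructed for the example, and the host 203.0.113.10 is a documentation-only address standing in for the attacker's server.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure modelled on the description above (not the real
# email).  The first "o" in "verification" is U+03BF GREEK SMALL LETTER
# OMICRON, the link text shows the genuine NAB Internet Banking URL, and the
# href/script host 203.0.113.10 is a documentation-only address standing in
# for the attacker's server (an assumption of this example).
LURE_HTML = (
    "<p>Your NAB account has been suspended pending verificati\u03bfn.</p>"
    '<p><a href="http://203.0.113.10/nabib/index.jsp">'
    "https://ib.nab.com.au/nabib/index.jsp</a></p>"
    '<script src="http://203.0.113.10/kit/spoof.js"></script>'
)

# Constructed benign message for comparison: plain ASCII, link text and
# href agree, no script.
BENIGN_HTML = (
    "<p>Please complete verification at "
    '<a href="https://ib.nab.com.au/nabib/index.jsp">'
    "https://ib.nab.com.au/nabib/index.jsp</a>.</p>"
)


class _Collector(HTMLParser):
    """Gathers visible text, anchors (href, shown text) and script sources."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.anchors = []
        self.scripts = []
        self.scripted_anchors = 0
        self._href = None
        self._anchor_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a":
            self._href = a.get("href", "")
            self._anchor_text = []
            # onclick/onmousedown handlers can swap the target at click time
            if any(k.startswith("on") for k in a):
                self.scripted_anchors += 1
        elif tag == "script":
            self._in_script = True
            self.scripts.append(a.get("src") or "<inline>")

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            return  # script bodies are not visible text
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor_text.append(data)


_WORD = re.compile(r"\S+")
_SHOWN_HOST = re.compile(r"^(?:https?://)?([a-z0-9.-]+)", re.I)


def lookalike_words(text):
    """Words that mix ASCII letters with non-Latin code points, e.g. an 'o'
    swapped for a Greek omicron or a circle symbol.  Accented Latin letters
    (an e-acute in 'cafe') are deliberately not flagged."""
    hits = []
    for raw in _WORD.findall(text):
        word = raw.strip(".,;:!?()\"'")
        if not any(c.isascii() and c.isalpha() for c in word):
            continue
        odd = [
            unicodedata.name(c, "U+%04X" % ord(c))
            for c in word
            if not c.isascii() and not unicodedata.name(c, "").startswith("LATIN")
        ]
        if odd:
            hits.append((word, odd))
    return hits


def mismatched_links(anchors):
    """Anchors whose visible text names a host that differs from the href's."""
    hits = []
    for href, text in anchors:
        m = _SHOWN_HOST.match(text)
        if not m or "." not in m.group(1):
            continue  # link text is a plain word, nothing to compare
        shown = m.group(1).lower()
        real = (urlparse(href).hostname or "").lower()
        if shown != real:
            hits.append((text, href))
    return hits


def scan_html(html):
    """Return the findings for one HTML body."""
    p = _Collector()
    p.feed(html)
    p.close()
    return {
        "lookalikes": lookalike_words(" ".join(p.text_parts)),
        "mismatched_links": mismatched_links(p.anchors),
        "scripts": p.scripts,
        "scripted_anchors": p.scripted_anchors,
    }


def is_suspicious(html):
    f = scan_html(html)
    return bool(f["lookalikes"] or f["mismatched_links"]
                or f["scripts"] or f["scripted_anchors"])


if __name__ == "__main__":
    for label, body in (("lure", LURE_HTML), ("benign", BENIGN_HTML)):
        print(label, is_suspicious(body), scan_html(body))
```

Any one of the findings is a reason to quarantine the message for review: a bank email has no business carrying script at all, and a link whose text and target disagree is the classic phishing tell even when every character in it is genuine ASCII.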

"Australian companies spend millions of dollars annually training their employees to spot phishing attempts," Proofpoint's Managing Director, Tim Bentley said.

"While this is a sensible precaution, the new breed of attacks like this fake NAB one make it increasingly hard for the recipient to make the right call and hit delete or report."

A German university recently found that 56 per cent of email recipients clicked on links they received, even from strangers, out of curiosity, even when they knew the dangers.
