BBC News
Last Updated: Thursday, 8 April, 2004, 10:43 GMT 11:43 UK
Phishing con hijacks browser bar
Citibank customers were targeted by the address bar scam
Scammers are using increasingly sophisticated methods to trick people into handing over personal information.

The latest con uses a fake version of a web browser's address bar to hide a bogus site set up to collect Pin codes for cash machines.

The address bar stays in place and could be used to steal information about other sites too.

Security experts said users should be suspicious of any e-mail that asks them to verify confidential information.

Scam spotting

So-called phishing cons have become increasingly common recently among tech-savvy criminals keen to steal cash from gullible users by making them hand over sign-on or account details.

Most phishing attacks involve an e-mail that purports to be sent out by a legitimate organisation, such as a bank, that asks users to enter information on a special site.

Anyone following the instructions will unwittingly be handing over details to conmen who use them to empty the account of cash.

Often the fake websites are difficult to spot because they do a good job of reproducing the website of the company they are impersonating.

Now the Anti-Phishing Working Group has come across an even more sophisticated attack that targets Citibank customers.

"This email was sent by the Citibank server to verify your E-mail address. You must complete this process by clicking on the link below and entering in the small window you Citibank ATM/Debit Card number and PIN that you use on ATM"
Text from scam e-mail

When users click on the web link in the e-mail of this latest attack, the site they are taken to detects what browser they are using, suppresses the real address bar and generates a fake one to take its place.

This fake browser bar shows the real web address of the firm being impersonated rather than the address of the scam site the user is actually visiting.

"The biggest problem you have when trying to fool people is what appears in the address bar of the browser," said Dave Brunswick, technical director at Tumbleweed and a member of the APWG.

But, he said, this attack removes that problem.

The address bar even acts like a real part of the browser and will direct net users to other website addresses that are typed into it.

The website also fakes the appearance of the webpage code used to create it to make it look more convincing.

One of the few clues that it is a fake is the fact that it does not show a locked padlock icon for the supposedly secure web-browsing session it is supporting.

The grammar and style of the original e-mail is also slightly suspect.

Mr Brunswick advised people to be suspicious of any e-mail message that asked users to supply key login or personal information.

"The idea is to be cynical and ask: 'Why would my bank be sending me this e-mail?'" he said.

There were 60% more phishing attacks in February than January according to the APWG.

