Standard Bank thwarts phishing attack

By Iain Scott
Johannesburg, 01 Nov 2005

Standard Bank has shut down a Web site at the centre of a phishing attack launched early this morning.

Phishing is the practice of tricking consumers into revealing their online passwords and other information by luring them to fraudulent sites that appear to be those of banks or other legitimate businesses.

The latest mail read, in part: "This e_mail was sent by the Standard Bank server to verify your email address. You must complete this process by clicking on the link below and entering in the small window your Standard-Bank account information. This is done for your protection - because some of our members no longer have access to their email addresses and we must verify it."

Louis Lehmann, director of IT security at the bank, says Standard identified the site in question "in the eastern bloc".

"The site has been taken down," he says, adding that six other sites serving to redirect users to the primary site have also been shut down.

Standard Bank announced in March that it had shut down eight "phishing" Web sites in four weeks. All eight sites were based offshore and were spoofs of the Standard Bank site, with bogus URLs like "standbank.com".

Lehmann says the bank is still using New York-based Cyota's FraudAction anti-phishing service, which includes modules that detect incidents, analyse the severity of an attack and determine how to respond, shut down the spoof sites and contact Internet service providers.

"As another countermeasure we also check all incoming e-mails. We have also communicated with our customers, reminding them that we never ask for personal details like passwords and PINs, and encouraging them to use the one-time password."

Standard's one-time password is a two-factor authentication method in which the second password is delivered independently of the Internet banking session the client is using.

The second password is system-generated and delivered to the client's cellphone or e-mail address. The one-time password is used for profile updates, PIN resets, beneficiary additions and amendments, or for one-off payments.
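The step-up control described above, as an added example that is not Standard Bank's or Cyota's code: a server-side service that issues a code through a delivery hook separate from the banking session and accepts it only for the exact operation it was issued for, single-use. The 120-second lifetime, the three-attempt limit and the `deliver(channel, code)` gateway hook are assumptions, not details from the article.

```python
import hashlib
import hmac
import secrets
import time

# Operations the article says require the one-time password.
STEP_UP_OPERATIONS = {"profile_update", "pin_reset", "beneficiary_add",
                      "beneficiary_amend", "one_off_payment"}

OTP_TTL_SECONDS = 120   # assumed lifetime, not stated in the article
MAX_ATTEMPTS = 3        # assumed attempt limit, not stated in the article


class OneTimePasswordService:
    """Issues and verifies out-of-band one-time passwords for step-up actions."""

    def __init__(self, deliver, now=time.time):
        # `deliver(channel, code)` is a hypothetical hook for the SMS/e-mail
        # gateway; the code never travels over the Internet banking session.
        self._deliver = deliver
        self._now = now
        self._pending = {}  # (session, operation, detail) -> (digest, expiry, attempts)

    def issue(self, session_id, operation, detail, channel):
        if operation not in STEP_UP_OPERATIONS:
            raise ValueError(f"{operation} does not require a one-time password")
        code = f"{secrets.randbelow(10**6):06d}"  # six-digit system-generated code
        key = (session_id, operation, detail)
        # Store only a hash so a read of the pending table does not expose live codes.
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[key] = (digest, self._now() + OTP_TTL_SECONDS, 0)
        self._deliver(channel, code)
        return key

    def verify(self, session_id, operation, detail, code):
        key = (session_id, operation, detail)
        entry = self._pending.get(key)
        if entry is None:
            return False  # no code was issued for this exact action
        digest, expiry, attempts = entry
        if self._now() > expiry or attempts >= MAX_ATTEMPTS:
            del self._pending[key]  # expired or exhausted: force re-issue
            return False
        candidate = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(digest, candidate):
            self._pending[key] = (digest, expiry, attempts + 1)
            return False
        del self._pending[key]  # single use: the code cannot be replayed
        return True
```

Binding the code to the operation and its detail means a code phished for one beneficiary addition is useless for a different beneficiary or for a payment.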
