Barclays under strong phishing shower

A highly productive phishing scam, with more than 180 messages sent in three minutes, hits a big chunk of the online segment of Barclays members

Various people are wondering what to do now that their bank has been acquired in the wake of the lending crisis. Well, whatever you do, do not click the links in e-mails supposedly sent by your bank.

Barclays’ members will be amazed to find in their inboxes an apparently legitimate message which requires them to check their account details by following a link allegedly directing them to the financial institution’s Web site.

The urgency of the matter is emphasized by the specification that “we temporarily suspended access to your user”. As if that was not enough pressure, the recipients are urged to input their identification data, “in order to avoid further actions”, which are assumed to be limiting their use of the online banking services even more.

The provided link redirects the gullible users towards a fake Barclays Web site, which employs several PHP scripts for pilfering the sensitive data they fill in.

And the phisher gets greedier: after completing the name and membership number, Barclays users are taken to a page where they are supposed to provide very sensitive information, such as their five digit passcode.

In this final step, a request for an apparently trivial piece of information slips in: the first 2 letters of their memorable word. Considering that this detail serves as a password recovery hint for online banking accounts, this last move should make the alarm bell ring quite loudly.

To avoid becoming a victim of phishing attacks, follow the five common-sense tips below:

  • Make sure you always activate or turn on your antiphishing or phishing filter, as well as any other security applications or suites before browsing to your e-banking account. Ideally, you should install, activate and update a reliable security solution.
  • Make sure that the e-banking Web site uses SSL encryption (Secure Socket Layer) and security authentication methods – look for the “https” prefix and the locked padlock. If you are requested to accept a certificate for the session, check that the name on the certificate matches the name of the institution you wish to deal with and that the certificate is signed by a known Certificate Authority before accepting.
  • Avoid using a non-secured computer (like a friend’s desktop or job colleague laptop).
  • Do not check your e-banking account from public computers connected to Internet (like those in a library or Internet Café).
  • If you use a wireless connection, make sure that your connection is secured and encrypted and that you know and trust the owner of the access point; also, refrain from using an unsecured public wireless connection (like those in airports or hotels) when banking over the Internet. Still, if force to do so, use an on-screen (virtual keyboard) to enter sensitive data. Although not 100% bulletproof, this technique would guard your data from average keylogger applications.



Share this