Breaking Attack: St George Bank Phishing Email Scam

Posted by Annamaria Montagnese on 25 May 2016 14:53:15 AEST

A zero-day phishing scam has hit Australian email users in a bid to steal online banking and phone banking credentials. The phishing email purports to be sent from ‘St George Internet Banking’.

At the time that this threat was detected by MailGuard, no other antivirus vendor was blocking the malicious URL contained within the email. MailGuard is consistently between 2 to 48 hours ahead of competitors in blocking zero-day or new variants of phishing scams.

Here is a sample of the phishing email:

MailGuard_St_George_Bank_Phishing_Email_Sample_May_2016.jpg

The email is not addressed to the email recipient specifically, and states that their account has been suspended due to a profile error. In order to resolve the supposed issues, the recipient is asked to click a link within the email.

The URL points to a hacked Australian website, where a landing page has been built to host the phishing scam.

Here is a sample of the landing page which looks similar to the legitimate St. George internet banking login page:

MailGuard_St_George_Bank_Phishing_Email_Landing_Page_Sample_1_May_2016.jpg

The cybercriminals behind this attack are seeking standard banking credentials on the first page. Clicking ‘Log On’ takes the user to a second phishing page which seeks further information:

MailGuard_St_George_Bank_Phishing_Email_Landing_Page_Sample_2_May_2016.jpg

This attack is quite typical of most phishing emails, and if successful the cyber criminals will yield a significant amount of personal information from victims, including;

- Credit Card Numbers
- Security Numbers
- Internet Passwords
- Verbal Passwords (for Phone Banking)
- Date-Of-Birth
- Drivers License Numbers, and
- Mobile Phone Numbers 

Some giveaways that the scam is fake include:

  • The URL for the St. George Online Banking website is not the legitimate URL https://ibanking.stgeorge.com.au/ibank/loginPage.action
  • You can see in figure 2 that one of the images is distorted, and
  • In figure 3, the HTML is not laid out correctly and there are errors that a keen eye should be able to easily discern.

St.George Bank offer tips on their website on how to be smart online.

How can I protect myself from these types of email scams?

To protect your business against scams like these phishing emails impersonating banks:

  • Beware of emails that contain grammatical or branding errors, but purport to be from reputable organisations that you weren’t expecting
  • Are not addressed to you personally
  • Always hover your mouse over the links contained in emails in order to check their legitimacy – don’t click them unless you are sure they are safe
  • To ensure complete safety, type the URL into your browser or navigate through Google search to find the actual website and enter your credentials
  • Be particularly wary of emails asking you to supply personal details that the purported organisation should already know, especially those which ask for credit card or bank account details

If you are ever unsure if an email is legitimate, contact the bank directly before filling any details in online or clicking links contained within an email.

Adding a cloud-based email filtering solution will reduce your business’ risk to staff falling for scams and possibly giving cyber criminals access to your company bank accounts.

Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.

Keep Informed with Weekly Updates

^ Back to Top

Topics: Phishing Cyber Criminals email scam Email Spam Scam St George St George Bank

Back to Blog

Comments:


Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.

Remember:

  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Recent Posts

Posts by Topic

see all