Company Charges Bank Over Phishing Attack

Experi-Metal Inc. or EMI, a U.S company that supplies metal has sued America's Comercia Bank alleging that it exposed its customers to phishing attacks.

EMI, via its lawsuit, claims that Comercia Bank regularly dispatched electronic mails to clients telling them that they must follow a web-link for updating the security system involving digital certificates, which the bank utilizes for validating online customers.

Cashing in on this notice, the phishing scammers have been e-mailing a message, which states that the sender is the recipient's bank and that the institution is requesting the user to make his digital certificate up-to-date. In fact, the ruse has been typically used since years for duping people so that they hand over their credentials alternatively, download malware onto their systems. Moreover, the scammers have been employing several malware families designed to seize victims' digital certificates.

On January 22, 2009, a worker of EMI got trapped via a spoofed e-mail that purported to be from Comercia. The message said that the bank was required to conduct routine maintenance of the software meant for its online customers. Therefore, the e-mail said, the worker must access a given Web-link, which, however, took him onto a fake banking site resembling Comercia's. The spoofed site asked for his username, password along with other sensitive details.

Consequently, online thieves instantly started transferring money from EMI's account. During the period, 7:30am-10:50am, the phishers managed to make 47 wire-transfers destined for Finland, Scotland, Estonia, Russia and China.

Alleges EMI, Comercia queried regarding the wire-transfers at 10:50 am. Although the company asked Comercia to halt any further transfer approvals till the time it gave fresh notice, thieves carried out an additional 38 transfers during the subsequent 3-hours.

Moreover according to EMI, the Bank's counter-measures were insufficient, as the phishers managed to bypass its two-factor validation system. But Comercia disagreed that the fake Internet site enticing the EMI worker resembled the bank's actual site.

Meanwhile, in a similar instance during September 2009, an Illinois couple legally fought Citizens Financial Bank over an alleged non-enforcement of 2-factor authentication by the bank, which resulted in the couple losing $26.500 to fraudsters.

Related article: Companies Should Report Cybercrime

» SPAMfighter News - 2/18/2010