Crime Branch Advisory
The Nigerian Scam
UTI Bank hooked in a phishing attack
14 February 2007
Fraudsters of cyberspace have reared
their ugly heads, launching the first phishing attack of its kind
this year on the website of Ahmedabad-based UTI Bank, a leading private
bank promoted by India's largest financial institution, Unit Trust
of India (UTI).
A URL on Geocities that is almost
a facsimile of UTI Bank's home page is reported to be
circulating amongst email users. The web page not only asks for
the account holder's information, such as user and transaction logins
and passwords, it also beguilingly displays disclaimer and security
hazard statements.
"In case you have received any e-mail
from an address appearing to be sent by UTIBANK, advising you of
any changes made in your personal information, account details or
information on your user id and password of your net banking facility,
please do not respond. It is UTI Bank's policy not to seek or send
such information through email. If you have already disclosed your
password please change it immediately," the warning says.
The tricky link is available on http://br.geocities/
If any unsuspecting account holder enters his login id, password,
transaction id and password in order to change his details as 'advised'
by the bank, the same info is sent vide mailform.cz (the phisher's
After investigation, we found that
Mailform is a service of PC Svet, which is a part of the Czech company
PES Consulting. The Webmaster of the site is a person named Petr
Stastny whose e-mail can be found on the web page.
Top officials at UTI Bank said that
they have reported the case to the Economic Office Wing, Delhi Police.
The bank has also engaged the services of Melbourne-based FraudWatch
International, a leading anti-phishing company that offers phishing
monitoring and take-down solutions. "We are now in the process
of closing the site. Some of these initiatives take time, but customers
have been kept in the loop about these initiatives," said
V K Ramani, President - IT, UTI Bank.
As per the findings of UTI Bank's
security department, the phishers have sent more than 1,00,000 emails
to account holders of UTI Bank as well as other banks. Though the
company has kicked off damage control initiatives, none of the initiatives
are cent percent foolproof.
"Now there is no way for banks to
know if the person logging in with accurate user information is
a fraud," said Ramani. However, reliable sources within the
bank and security agencies confirmed that the losses due to this
particular attack were zilch.
The bank has sent alerts to all its
customers informing them about such malicious websites, besides beefing
up its alert and fraud response system. "Engaging professional
companies like FraudWatch helps in reducing time to respond to attacks,"
said Sanjay Haswar, Assistant Vice President, Network and Security,