Antispam vendor MessageLabs admits the Commonwealth Bank phishing spam wave is proving hard to filter out.
An ongoing campaign of Commonwealth Bank phishing email isn't just a nuisance for consumers. It's also proving a considerable challenge for security vendors, who can't risk annoying their lucrative bank customers by blocking those banks' internal emails while trying to cut off the scammers.
Since the beginning of May, the Commonwealth Bank has been the subject of an extensive phishing campaign. On May 20, it issued a press release warning customers to ignore any spurious email messages, but the attack has continued gaining in intensity. Users of the bank's NetBank service currently have to click through a message reminding them that the bank doesn't request online confirmations via email before they can use the service.
While many of the emails use standard phishing techniques -- such as asking for account details to be confirmed or claiming that a payment will be made for filling out a survey -- others are more subtle. One asks for a payment for adult services to be confirmed or declined, which might lead some righteous citizens to ignore their common sense in a bid to ensure they don't get charged for porn. Another particularly sophisticated approach asks customers to call an Australian phone number which connects to an automated IVR system for collecting account details, a sneaky strategy to try to overcome the consistent "we never send emails or ask for details online" messages from all major banks.
However, at a technical level, the sheer variety of messages means that many anti-spam services are finding it impossible to identify all the problem emails, even if their text sounds familiar and seems easy to detect. According to email security vendor MessageLabs (a division of Symantec), in the first week of the campaign more than 22 different core messages were being sent out en masse, with more than 11 variants.
That volume continued to escalate rapidly. "In the last six days we have intercepted approximately 50,000 of them; however, as there are just so many different variations and very short pieces of text in the bodies, it makes it difficult to catch 100% of them," MessageLabs support manager Simon Kinsman said in an email last Wednesday. "Our malware team are already looking at an architecture change on how phishing is handled to better our capture rate."
In MessageLabs' case, a second (and less honourable) reason for the blocking problem is that it also counts Commonwealth subsidiary Colonial First State as a customer. "Due to the fact that there are fewer features to detect than with malicious code attachments, and the fact that we have many financial institutions as customers, we cannot be as aggressive with these detections as we are with anti-virus," one support staffer told APC last week.
Commonwealth Bank IT staff might draw some tiny shred of comfort from the fact that it's no longer the only target of the current campaign. In the last 24 hours, phishing emails aimed at St George Bank customers have also been on the rise. But that won't necessarily help the vendors: MessageLabs also counts St George owner Westpac as a client.