NBK online banking customers targeted by phishing attack
Phishing attack attempts to steal account details of National Bank of Kuwait online banking customers
National Bank of Kuwait online banking customers have been targeted by a phishing scam that attempted to steal account details.
The phishing attack, which first came to light on Sunday morning, took the form of an email that appeared to be from NBK, claiming that the bank had lost the details of two million bank accounts and asking customers to re-register their details. A link in the email led would-be victims to a copy of the NBK website, and then to a fake log-in page.
NBK reports that the fake website was taken down within hours of the attack being detected, and that no losses were suffered by the bank or its customers from the attempt.
Tamer Gamali, Chief Information Security Officer at NBK, told itp.net: "We have noticed over the last twelve months an increase in phishing attacks on banks in this region, including us, even though we are still very small fish for phishing, compared to the number of attacks suffered by global banks.
"However, we take this seriously, so have round-the-clock monitoring and take down service outsourced from a company called Cyveillance, and with the latest case, we had the [fake] site down in a matter of hours," he added.
Gamali said that the scam was one of the most sophisticated phishing attempts to have targeted NBK, replicating two web pages and including text on the fake web page to make it look more credible. At the same time, the email claimed that two million customer accounts had been lost, far more online banking customers than the bank has, Gamali pointed out, and the fake site even included warning notices from NBK about not responding to email requests for account details.
Alongside its own internal security measures and campaigns to raise customer awareness of online security issues, Gamali said that Cyveillance's outsourced security services are proving to be essential in enabling the bank to get fraudulent sites removed very quickly.
"We are probably the only bank in Kuwait to take on anti-phishing and brand protection services. We took them on six months ago as we could see an increase in threats," he said. "The challenging part is getting the site taken down; it can take a while depending on the response of the hosting company, and where they are based. There are gaps in the rules and laws, and until the governments co-ordinate the laws, the rules for taking down sites are not crystal clear."
Ian Cochrane, marketing manager for Southern emerging markets for Trend Micro, said that phishing attacks are increasingly common in the region.
"This is a classic example of a phishing attempt, and we are seeing these sorts of emails two, three, four times a week for emerging markets. These attacks typically send out a massive amount of email, and even if just one percent responds, it's working. We are seeing more attacks on emerging markets, but it is difficult in this type of market to get data on them," he said.