
  • RSA Security
    Asked on September 15, 2011 at 08:19 AM
    Dear Team,

    It appears the form service you provide is being used in a phishing attack. Please find the HTML/View-Source of the attack attached, in which the fraudster's use of your form service can be seen. Once the victim completes filling out and submitting personal details, your form service is used by the fraudster to send the compromised details to a remote server or email address.

    Form Information details:

    form id=12564055048 name=form_12564055048 accept-charset=utf-8 action= method=post sizcache="4" sizset="0" validationset="true" cc="true">

    Please take the necessary steps in order to disable this fraudulent activity.

    Dear Sirs

    1. RSA, an anti-fraud and security company, acting at the direction of The Standard Bank of South Africa Limited (“Standard Bank”), has been made aware that you appear to be providing Internet Services to a website, which is part of a “phishing scam”*. This activity violates Standard Bank’s copyright, trade-mark and/or other intellectual property rights.

    2. E-mail messages have been broadly disseminated to individuals by a person or entity pretending to be Standard Bank and using Standard Bank’s identity without authorization, requesting the recipients to verify and submit sensitive details related to their Standard Bank accounts.

    3. There is a link within the fraudulent e-mail message that leads the recipients to the imposter’s “Standard Bank website” (at the following address to which you provide services and which is under your control.

    4. This unauthorized website not only represents a misuse of Standard Bank’s intellectual property rights, but its purpose appears to be to fraudulently obtain personal information of Standard Bank customers in order to access their bank accounts for fraudulent purposes.

    5. Please take all necessary steps to shut this site down immediately failing which Standard Bank will take the appropriate action to protect its rights. In addition to these necessary steps, The Standard Bank of South Africa Limited (“Standard Bank”) would like you to set up a redirect to the Anti Phishing Working Group (APWG) Phishing Education Landing Page at instead of serving a 404 message or other error page when you disable a phish site. The APWG Public Education Initiative (PEI) has created a webpage to educate users about phishing. The page specifically explains that they have just fallen for a phishing communication (email or otherwise) and talks about ways they can avoid being victimized in the future. If you wish to learn more about how to set up the redirect, please read here:

    6. We also request that you please provide us with a tar/zip file of the source code of this site so that we may analyze it to help prevent further attacks. If any customer data has been captured, we also ask that you send us that data so that we may notify our customers that they have been defrauded and cancel/reissue their credit cards. We understand that you may not be aware of this improper use of your services and we appreciate your cooperation.

    7. If you need further information please do not hesitate to contact us, as follows:

    7.1 RSA Anti-Fraud Command Centre
    RSA Anti-Fraud Command Center
    Tel: +44 (0)800-032-7751
    Tel: +1-866-408-7525
    Tel: +353-21-4946601
    EU Fax: +353 214 938 300
    EU Fax: +972-9-9728101
    US Fax: +1-212-208-4644
    E-mail:

    7.2 Standard Bank – Legal Consultant
    Refiloe Mohope
    Group Legal Division
    Address: 5 Simmonds Street, Johannesburg, 2000
    Tel: +27 11 636 6418
    Fax: +27 011 636-8277
    E-mail:

    7.3 Standard Bank – Information Security
    Sheldon Bennett
    Standard Bank Information Security
    Tel: +27718704520
    E-mail:

    * “Phishing” is an e-mail scam that attempts to trick consumers into revealing personal information, such as their credit or debit account numbers, checking account information, Social Security Numbers, or banking account passwords, through an imposter’s website or in a reply e-mail.

  • Answered on September 15, 2011 at 08:32 AM

    Hello RSA Security,

    Thank you for reporting this.

    If you can also provide us with more details, such as any link that will show the form's actual use, it would be great. Because the form looks so bare, it did not look very obvious, but nonetheless, I have suspended the account. The details that you could provide might be able to help us prevent further abuse from other users.

    Here is the screenshot of the form when it was still active:

    Here's the actual link of the form (but no longer viewable):

    If you find more forms similar to these, please do let us know.

    Thanks and warm regards,