Three Florida banks have had identity-theft attacks launched from their own websites.
Earlier this month, attackers were able to hack servers run by the ISP that hosted three small banks' websites. They then redirected traffic from the legitimate Web sites to a bogus server, designed to resemble the banking sites, according to Bob Breeden, special agent supervisor with the Florida Department of Law Enforcement's computer crime centre.
Users were then asked to enter credit card numbers, PINs and other types of sensitive information, he said.
"The bad guys have created a way to take away the safety of typing the address of your bank," said Breeden. "We have to address it now and say to people, 'Even if you do go to your online bank's website, you need to be very careful.'"
The attack was similar to phishing attacks that are commonly used against online commerce sites, but in this case hackers had actually made changes to legitimate webstes, making the scam much harder for regular users to detect.
Instead of clicking on a bogus web link in an e-mail, the attack hit users who had entered the correct URL for the banks in question. According to Breeden, the affected banks are Premier Bank, Wakulla Bank, and Capital City Bank, all small regional banks based in Florida.
Breeden said he had not seen this particular tactic used before. He called it a troubling development.
Though Breeden believes that the scam was only operational for "a matter of hours," and probably affected fewer than 20 banking customers, the technique appeared to be very effective at extracting sensitive information. "Probably some very smart people fell for this," he said.
The banks' ISP, ElectroNet Intermedia Consulting, does not house consumer data, so any information obtained by the hackers would have to have been provided directly by victims, the service provider said.
The Florida Department of Law Enforcement is investigating the crime with the help of ElectroNet and the affected institutions, ElectroNet said.
The hacking was contained within an hour of being detected, according to the ISP. However, ElectroNet did not say when the attack began or how much time had passed before it was discovered.
Although scammers have traditionally hit large financial institutions with phishing attacks, that is now changing, according to Rich Miller, an analyst with Internet research company Netcraft. "Lately we've seen phishing attacks move down the food chain and target much smaller, regional banks," he said.
Smaller banks such as those in the Florida scam can sometimes make easier targets, Miller said. "The big banks are able to put more resources into securing their sites," he said.
Like Breeden, Miller had not seen this type of attack attempted previously.
The three banks in question could not be reached to comment for this story, but Premier Bank is now asking customers to change their passwords after the bank was notified of a phishing scam, according to a note on the company's website.