We are seeing a series of large phishing attack attempts against ANZ Bank.
There are 2 separate and distinct attempts.
The first one uses an email saying ANZ Transactive Website changes pretending to come from ANZ Transactive <Eloi.Dewolfe@transtasman.online.anz.com>
The email looks like:
We would like to announce that the design of our website is going to change in the nearest future. The final changes will be applied on Monday, 11 of January 2016. Until the end of this week you can review the upcoming changes.
While mostly everything will function the same, the look and feel of our website will change.
We understand that this can be an adjustment so we have prepared some frequently asked questions for you to review.
- Will this redesign affect any of my saved bookmarks? Yes, all pages other than www.transtasman.online.anz.com/client/ will need to be re-bookmarked as the web address will change.
- Why did the design of the website change? We felt it was time to refresh the look and feel of ANZ Transactive. You’ll see this new look across all marketing collateral.
- Does the way I sign into my account change? No, the way you sign into your account will not change. However, we have enhanced our security system to make it more difficult for an unauthorized person to access your account.
- I’m having issues accessing my account. What is the issue? You’ll need to add our site to the Compatibility View List: Click on tools Scroll & click on compatibility view settings Type in our address (www.transtasman.online.anz.com/client/) Click add
Please email all questions or concerns to Eloi Dewolfe, Marketing & Communication Specialist: Eloi.Dewolfe@anz.com
The links to this one go to http://transtasman0nlineanz.com/client/ which is very similar to the genuine bank which is transtasman.online.anz.com/ Note the 0 ( zero) instead of an o in the fake name. The site appears down at the moment ( at least from UK & US) but several phishing kits do allow a phisher to restrict their victims to specific IP ranges and countries to get the best return
The second phishing attempt uses A subject saying ANZ Transactive / Refund from Footstar Inc. ( random companies) pretending to come from Whitten, Landon <Landon.Whitten@anz.com> ( appears to be random names @ anz.com) we are seeing lots of these with different companies and amounts for the refund
The email looks like:
Footstar Inc. has just sent you a refund
Tue, 5 Jan 2016 02:46:02 +0100 Transaction ID: 46E11644PD6363822
Footstar Inc. has just sent you a full refund of $77676.96 AUD.
If you have any questions about this refund, please contact Footstar Inc.
The refund will go to your ANZ transactive account. It may take a few moments for this transaction to appear in your account click here.
To see all the transaction details, please log in to your ANZ transactive account or click the link:
Original transaction details
Description Total Insurance Refund to Balance Footstar Inc. $77676.96 AUD —- $77676.96 AUD
Landon Whitten | ANZ | Service Specialist | Global Payments & Cash Operations, Australia Operations Level 29, 100 Queen Street, Melbourne, VIC 3000, Australia Phone: 13 47 89 | Fax: 1800 752 485 | www.anz.com
This e-mail and any attachments to it (the “Communication”) is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 478, or any of its related entities including ANZ Bank New Zealand Limited (together “ANZ”). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.
This one goes to http://transtazmanonlineanz.com/client/ which like the other phish attack mentioned is not accessible from a UK or USA IP number but both have been registered by what is alleged to be a Japanese name and Chinese address which might be genuine or might be totally faked.
Registry Registrant ID:
Registrant Name: Maruto Sisaki
Registrant Organization: private person
Registrant Street: Xiamen
Registrant City: Xiamen
Registrant Province/state: FJ
Registrant Postal Code: 350920
Registrant Country: CN
Registrant Phone: +86.7543203972
Registrant Phone EXT:
Registrant Fax: +86.7543203972
Registrant Fax EXT:
Registrant Email: email@example.com
It is very possible that both sites will come up later when full DNS propagation has taken place