VietNamNet Bridge - Security experts confirmed that the attack was a phishing case, but also said the victim had accessed a fake website and lost a password.


Hoang Thi Na Huong of Cau Giay district in Hanoi reported to Vietcombank and the mass media that someone had withdrawn VND500 million from her Vietcombank account. She said that she did not make the transactions and that the ATM card was still in her handbag.

Vietcombank has stated that this was not the bank’s security fault. It said the card holder accessed a fake website at http://creatingacreator.com/kob/1/index.htm, logged in and lost the password.

Ngo Tuan Anh, vice president of the Bach Khoa Antivirus Center (BKAV), the nation’s leading network security firm, said that although the case still needs further investigation, it was a phishing attack. The system recorded all the transactions.

In phishing attacks, hackers send victims emails containing fake links and tell them to update their information, warning that otherwise their accounts will be locked.

The links hackers send to victims look quite similar to the real links, but the addresses are not the same. When victims enter their personal information and PIN codes, the information is transmitted to the hackers, who then make remittance transactions.

There is another way of carrying out an attack. Hackers use a device called a ‘skimmer’ to record ATM card information. When victims insert their cards into ATMs to make transactions, the information is recorded on the device.

Criminals then create ATM cards carrying exactly the information they have collected. After that, they can use these cards to make cash withdrawals with the PIN codes they obtain from cameras installed at ATM booths.

According to Anh, in Vietnam, not many phishing attacks have been reported, and the exact number has never been made public.

To avoid phishing, Anh said that card holders need to check whether emails are really sent from the banks which provide their services. Hackers can only counterfeit the interface, but they cannot counterfeit addresses.

Anh also advised customers to type the addresses of links instead of clicking the links. If they click the links, they may be taken to links which contain malware inserted by hackers.
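The address check described above can also be automated on the mail-filtering side. The following Python sketch is an added example, not code from the article, the bank or BKAV: it extracts every link from an HTML email body and flags those whose real destination is not a bank domain, including links whose visible text shows a bank address. The trusted domain `vietcombank.com.vn` is an assumption (the article does not state the bank's address), and the sample email is constructed around the fake address quoted in the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the bank's official domain; the article does not state it.
TRUSTED_DOMAINS = {"vietcombank.com.vn"}

def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return (href, reasons) for each link that does not lead to the bank."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real_host = urlsplit(href).hostname
        if host_is_trusted(real_host, trusted):
            continue
        reasons = ["destination host is not a bank domain"]
        # The visible text may display a bank address while the href differs.
        shown = urlsplit(text if "://" in text else "//" + text).hostname
        if host_is_trusted(shown, trusted):
            reasons.append("link text shows a bank address but href differs")
        findings.append((href, reasons))
    return findings

# Constructed sample e-mail body; the href is the address quoted in the article.
SAMPLE = ('<p>Update your information or your account will be locked: '
          '<a href="http://creatingacreator.com/kob/1/index.htm">'
          'https://www.vietcombank.com.vn/login</a></p>')
```

The suffix match requires a leading dot, so hosts that merely embed the bank's name, such as a trusted domain used as a subdomain prefix of another site, are not treated as the bank.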

When asked why hackers could still conduct phishing despite the OTP (the one-time password sent directly to customers’ mobile phones), Anh said: “This is the problem Vietcombank needs to explain. However, technologically, hackers still can obtain OTP from customers, though this will be complicated to do.”


VTC