
Gone Phishin'

Tactics to curtail email scams


Analysis: It seems that you're nobody in UK banking unless your customers have been targeted in phishing scams.

In recent weeks customers of Barclays, Lloyds TSB, Nationwide, Halifax and Citibank have all been targeted with scam emails which attempt to trick unsuspecting punters into handing over sensitive account information to fraudulent sites.

The problem reached new heights over the last week with scam emails, using almost the same text in each case, trying to hoodwink users into handing over sensitive details to fly-by-night fraudulent sites hosted in Russia. Some of these emails (which pose as security checks) targeted customers of organisations - such as Barclays and Lloyds TSB - that cropped up in previous phishing scams.

Typically these fraudulent emails (example here) are sent to numerous people using spamming software in the hope of reeling in a few victims. By blind chance, some of these emails reach customers of targeted organisations.

Cutting the phishing lines

Banks commonly advise their users to ignore the scam emails. But what else can be done?

Reg reader Brian Blackmore has a simple and elegant suggestion.

"With all these 'fake' bank sites, is it not about time that the banks introduce a user level way of us being sure that it is them," he writes.

"For example, in the NatWest website you have to tell them your date of birth plus a number, which uniquely identifies you, if after entering this the website could reply by telling you what your favourite band was, or some sort of similar unique but not non-security breaking information which would make you sure that it really was their website."

Fraudsters commonly disguise the true destination of a scam email by tricking people into visiting sites with misleading URLs of the form www.highstbank.co.uk@fraudsterscrooks.ru. As explained here, the weird-looking address takes advantage of the fact that anything between "http://" and "@" is completely irrelevant.

The feature has legitimate uses in authentication, but Reg reader Steve Lloyd is amongst those who wonder if it is beginning to outlive its usefulness.

Lloyd writes: "Why on earth do web browsers continue to follow this rule when all it seems to do is make some unknowing individual's life a misery? Why can't a browser reject such addresses as improperly formed, or at least pop up a warning showing us where we're really about to be taken? At least that way people have a chance to see through the scam, and you never know, the scammers may just hang up their phishing lines!"
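The check Lloyd asks for can be built on a standard URL parser. The following is an added example, not part of the original article or of any browser's code: it uses the WHATWG `URL` class found in browsers and Node.js, and the function names, verdict labels and all sample links other than the article's `www.highstbank.co.uk@fraudsterscrooks.ru` are assumptions made for illustration.

```javascript
// Added example: flag links whose userinfo part hides the real host.
// Verdict labels ("ok", "warn", "reject", "invalid") are illustrative.
const HOST_LIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+/i; // e.g. www.highstbank.co.uk

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // malformed %xx
}

function inspectLink(href) {
  // Email links often omit the scheme, as the article's example does.
  const raw = /^[a-z][a-z0-9+.-]*:\/\//i.test(href) ? href : "http://" + href;
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { verdict: "invalid", destination: null, decoy: null };
  }
  const destination = url.hostname; // the host the browser actually contacts
  if (url.username === "" && url.password === "") {
    return { verdict: "ok", destination, decoy: null };
  }
  // Text before "@" is only credentials; show it decoded, as a user reads it.
  const decoy = safeDecode(url.username);
  // Credentials shaped like a hostname are the disguise; plain ones may be
  // legitimate authentication, so they only earn a warning.
  const verdict = HOST_LIKE.test(decoy) ? "reject" : "warn";
  return { verdict, destination, decoy };
}

function warningText(href) {
  const r = inspectLink(href);
  if (r.verdict === "invalid") return "Malformed address, not opened.";
  if (r.verdict === "ok") return `Opening ${r.destination}.`;
  if (r.verdict === "warn") return `Signing in to ${r.destination} as "${r.decoy}".`;
  return `Blocked: this link goes to ${r.destination}, not ${r.decoy}.`;
}

// Constructed sample links (the first is the form quoted in the article).
const SAMPLE_LINKS = [
  "www.highstbank.co.uk@fraudsterscrooks.ru",
  "http://www.highstbank.co.uk%2Faccounts@fraudsterscrooks.ru/check",
  "https://alice@intranet.example/reports",
  "https://www.highstbank.co.uk/login",
  "http://",
];
for (const link of SAMPLE_LINKS) console.log(link, "=>", warningText(link));
```

The same function can run in a mail gateway or a mail client's link handler, so the reader sees the real destination before the page loads.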

Or maybe the phishing lines of scammers should be cut.

Coding activists have developed a script that responds to phishing emails with realistic-looking junk. The idea is if fraudsters are swamped with useless information the scam will lose its effectiveness.

Vendor bandwagon picks up momentum

Security vendors are, needless to say, never slow in spotting an opportunity to promote ways in which their products/services could help address topical problems. Here are some suggestions from this quarter.

This month anti-spam outfit Brightmail announced an anti-fraud service to protect companies and customers from online crime including 'brand spoofing' and 'phishing'. The idea is that by subscribing to the service, companies that become the subject of fraudulent emails will get early notification of fraudulent emails captured by the firm's extensive probe network. Only subscribers of this service will receive such notification, Enrique Salem, Brightmail president and chief exec, told The Reg.

Comodo, the security firm best known as a supplier of digital certificates, is approaching the problem from a different angle.

The company has released a free tool, called Verification Engine, designed to verify website content and SSL connectivity whilst helping to identify fraudulent/spoofed websites. It's an interesting idea but not without its limitations: only IE is supported and only digital content signed by Comodo can be verified using the tool.

Whatever our reservations about the limitations of current anti-phishing technology, it's clear that email scams are a growing problem. It's certainly disruptive. Halifax made a decision to temporarily close its website and NatWest restricted third party payments from customer accounts after each was targeted in phishing scams.

Spam accounts for more than 50 per cent of all email messages sent over the Internet and is increasingly being used for criminal activity in the US and Europe, according to Brightmail.

Brightmail reckons that various forms of scams account for one in ten of the spam messages it blocked in August, with 17 per cent of these involving identity theft or phishing scams. Put another way: almost one in 50 emails is now taken up with attempted ID theft.

Brightmail's Enrique Salem guesstimates that scammers only need one in a million respondents to phishing emails to make the con worthwhile. Figures on respondents are notoriously hard to quantify but, quite apart from the number of people ripped off, we need to be concerned about the damaging effects phishing scams can have on public confidence in ecommerce.

Anatomy of a scam

Following the increased prevalence of such scams over the last two months, the National Hi-Tech Crime Unit and leading banking associations APACS and the BBA earlier last week issued a checklist for UK consumers designed to help them protect themselves against Internet fraudsters.

The NHTCU warned last week that phishing (conning people into giving access details to online bank accounts) is only the first part of a two-stage scam.

The second phase of the scam involves trying to recruit British people with online accounts to act as agents to transfer money abroad. This is necessary because the fraudsters themselves are located outside Britain and therefore unable to transfer cash from their victims' accounts directly.

The NHTCU, in common with security consultancy NTA Monitor and others, argues that user education is the necessary first step in reeling in phishing scams.

Financial institutions also have a role to play, according to Peter Dorrington, head of fraud solutions at SAS.

He advises businesses to routinely trawl the Internet for domain names similar to their own and to register all likely permutations of a domain name to ensure the fraudsters' options are limited. (Not directly relevant with the latest scams but still good advice.)

"Businesses can monitor all activity into call centres and web channels and proactively use technology as an early detection method to monitor for a sudden rise in activity being transferred out of accounts," he adds.

While we are on the role of banks in blocking phishing scams it would be rude not to refer to Halifax Bank's interesting decision to shut down its website for two days after its customers were targeted by phishing emails.

The recent Russian phishing scams load the real Barclays/Halifax/Nationwide etc. pages in one browser window along with a pop-up site from the fake site requesting account details.

Rather than closing down their entire ebanking operations - as Halifax did - we think Nationwide took the wiser course in putting up a warning to customers on the page from the legitimate site that the fraudsters' email loaded.

Many Reg readers have questioned how taking its own site down prevented foolish Halifax users giving their banking details to the scammers. True, the scammers wouldn't be able to do anything with this information immediately, but what happens when the site is put back online again? Surely the main thing is to get fake sites removed as quickly as possible.

The issue of education and phishing scams extends beyond the public, it appears. ®

Related Stories

Halifax suspends e-banking site after phishing attack
Email scammers target Halifax, Nationwide, Citibank
UK banks and police proffer anti-phishing advice
NatWest customers targeted in 'phishing' scam
Lloyds TSB phishing scam nipped in the bud
Email fraudsters target Barclays
MS, eBay, Amazon et al join ID theft busters
Accused AOL phisher spammed the FBI
ID theft hits 10m Americans a year
