Gone Phishin'

Tactics to curtail email scams


Analysis It seems that you're nobody in UK banking unless your customers have been targeted in phishing scams.

In recent weeks customers of Barclays, Lloyds TSB, Nationwide, Halifax and Citibank have all been targeted with scam emails which attempt to trick unsuspecting punters into handing over sensitive account information to fraudulent sites.

The problem reached new heights over the last week, with scam emails, using almost the same text in each case, trying to hoodwink users into handing over sensitive details to fly-by-night fraudulent sites hosted in Russia. Some of these emails (which pose as security checks) targeted customers of organisations - such as Barclays and Lloyds TSB - that cropped up in previous phishing scams.

Typically these fraudulent emails (example here) are sent to numerous people using spamming software in the hope of reeling in a few victims. By blind chance, some of these emails reach customers of targeted organisations.

Cutting the phishing lines

Banks commonly advise their users to ignore the scam emails. But what else can be done?

Reg reader Brian Blackmore has a simple and elegant suggestion.

"With all these 'fake' bank sites, is it not about time that the banks introduce a user level way of us being sure that it is them," he writes.

"For example, in the NatWest website you have to tell them your date of birth plus a number, which uniquely identifies you, if after entering this the website could reply by telling you what your favourite band was, or some sort of similar unique but not non-security breaking information which would make you sure that it really was their website."

Fraudsters commonly disguise the true destination of a scam email by tricking people into visiting sites with misleading URLs of the form www.highstbank.co.uk@fraudsterscrooks.ru. As explained here, the weird-looking address takes advantage of the fact that anything between "http://" and "@" is completely irrelevant to where the browser goes.

The feature has legitimate uses in authentication, but Reg reader Steve Lloyd is amongst those who wonder if it is beginning to outlive its usefulness.

Lloyd writes: "Why on earth do web browsers continue to follow this rule when all it seems to do is make some unknowing individual's life a misery? Why can't a browser reject such addresses as improperly formed, or at least pop up a warning showing us where we're really about to be taken? At least that way people have a chance to see through the scam, and you never know, the scammers may just hang up their phishing lines!"
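The check Lloyd asks for, sketched as an added example (not code from the article or from any browser): parse each link the way a browser would and report the host that actually receives the request when something sits in front of the "@". The sample message, the regular expressions and the function names are constructed for illustration; the two hostnames are the article's own.

```python
import re
from urllib.parse import urlsplit, unquote

WEB_SCHEMES = {"http", "https", "ftp"}   # schemes that allow user@host
SCHEME_RE = re.compile(r"[a-z][a-z0-9+.-]*:", re.IGNORECASE)
# Rough link matcher for plain-text mail bodies (assumption: demo quality).
URL_RE = re.compile(r"(?:(?:https?|ftp)://|www\.)[^\s<>\"']+", re.IGNORECASE)
# Userinfo that itself looks like a hostname is the disguise described above.
HOSTLIKE_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def inspect_url(url):
    """Return a finding dict if the URL carries userinfo, else None."""
    if not SCHEME_RE.match(url):
        url = "http://" + url            # bare "www..." links default to http
    parts = urlsplit(url)
    if parts.scheme.lower() not in WEB_SCHEMES or parts.username is None:
        return None                      # mailto:, or '@' only in path/query
    decoy = unquote(parts.username)      # undo %-encoding used to hide text
    return {
        "url": url,
        "displayed_as": decoy,           # what the victim thinks they see
        "real_host": parts.hostname,     # where the request is really sent
        "looks_like_host": bool(HOSTLIKE_RE.match(decoy)),
    }


def scan_body(text):
    """Find every link in a message body whose real host hides behind '@'."""
    findings = []
    for match in URL_RE.finditer(text):
        finding = inspect_url(match.group(0).rstrip(".,);"))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample message; the first link uses the article's example hosts.
SAMPLE = """Dear customer, please confirm your details at
http://www.highstbank.co.uk@fraudsterscrooks.ru/login
or write to help@highstbank.co.uk. Your statement is at
https://www.highstbank.co.uk/statement?notify=me@example.org ."""

if __name__ == "__main__":
    for f in scan_body(SAMPLE):
        print(f"{f['displayed_as']!r} is a decoy; real host is {f['real_host']}")
```

Only the first link in the sample is flagged: an ordinary email address and an "@" inside a query string do not change the destination host.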

Or maybe the phishing lines of scammers should be cut.

Coding activists have developed a script that responds to phishing emails with realistic-looking junk. The idea is if fraudsters are swamped with useless information the scam will lose its effectiveness.

Vendor bandwagon picks up momentum

Security vendors are, needless to say, never slow in spotting an opportunity to promote ways in which their products/services could help address topical problems. Here are some suggestions of this quarter.

This month anti-spam outfit Brightmail announced an anti-fraud service to protect companies and customers from online crime including 'brand spoofing' and 'phishing'. The idea is that by subscribing to the service, companies that become the subject of fraudulent emails will get early notification of fraudulent emails captured by the firm's extensive probe network. Only subscribers of this service will receive such notification, Enrique Salem, Brightmail president and chief exec, told The Reg.

Comodo, the security firm best known as a supplier of digital certificates, is approaching the problem from a different angle.

The company has released a free tool, called Verification Engine, designed to verify website content and SSL connectivity whilst helping to identify fraudulent/spoofed websites. It's an interesting idea but not without its limitations: only IE is supported and only digital content signed by Comodo can be verified using the tool.

Whatever our reservations about the limitations of current anti-phishing technology, it's clear that email scams are a growing problem. It's certainly disruptive. Halifax made a decision to temporarily close its website and NatWest restricted third party payments from customer accounts after each was targeted in phishing scams.

Spam accounts for more than 50 per cent of all email messages sent over the Internet and is increasingly being used for criminal activity in the US and Europe, according to Brightmail.

Brightmail reckons that various forms of scams account for one in ten of the spam messages it blocked in August, with 17 per cent of these involving identity theft or phishing scams. Put another way: almost one in 50 emails is now taken up with attempted ID theft.

Brightmail's Enrique Salem guesstimates that scammers only need one in a million respondents to phishing emails to make the con worthwhile. Figures on respondents are notoriously hard to quantify but, quite apart from the number of people ripped off, we need to be concerned about the damaging effects phishing scams can have on public confidence in ecommerce.

Anatomy of a scam

Following the increased prevalence of such scams over the last two months, the National Hi-Tech Crime Unit and leading banking associations APACS and the BBA earlier last week issued a checklist for UK consumers designed to help them protect themselves against Internet fraudsters.

The NHTCU warned last week that phishing (conning people into giving access details to online bank accounts) is only the first part of a two-stage scam.

The second phase of the scam involves trying to recruit British people with online accounts to act as agents to transfer money abroad. This is necessary because the fraudsters themselves are located outside Britain and therefore unable to transfer cash from their victims' accounts directly.

The NHTCU, in common with security consultancy NTA Monitor and others, argues that user education is the necessary first step in reeling in phishing scams.

Financial institutions also have a role to play, according to Peter Dorrington, head of fraud solutions at SAS.

He advises businesses to routinely trawl the Internet for domain names similar to their own and to register all likely permutations of a domain name to ensure the fraudsters' options are limited. (Not directly relevant with the latest scams but still good advice.)

"Businesses can monitor all activity into call centres and web channels and proactively use technology as an early detection method to monitor for a sudden rise in activity being transferred out of accounts," he adds.

While we are on the role of banks in blocking phishing scams it would be rude not to refer to Halifax Bank's interesting decision to shut down its website for two days after its customers were targeted by phishing emails.

The recent Russian phishing scams load the real Barclays/Halifax/Nationwide etc. pages in one browser window along with a pop-up site from the fake site requesting account details.

Rather than closing down their entire ebanking operations - as Halifax did - we think Nationwide took the wiser course in putting up a warning to customers on the page from the legitimate site the fraudsters' email loaded.

Many Reg readers have questioned how taking its own site down prevented foolish Halifax users giving their banking details to the scammers. True, the scammers wouldn't be able to do anything with this information immediately, but what happens when the site is put back online again? Surely the main thing is to get fake sites removed as quickly as possible.

The issue of education and phishing scams extends beyond the public, it appears. ®
