Feeds

Governments' systems used to power phishing push

As US training firm aids penis pill purveyors

Next gen security for virtualised datacentres

Lax security controls are allowing conmen to host fraudulent websites on servers run by government organisations and private sector firms.

For example, Symantec has detected a number of phishing sites that have been hosted on government URLs over recent months. In June alone, fraudulent sites were identified on sites run by the governments of Thailand, Indonesia, Hungary, Bangladesh, Argentina, Sri Lanka, the Ukraine, China, Brazil, Bosnia and Herzegovina, Colombia, and Malaysia.

The quantity of phishing sites hosted on government systems flies in the face of the perceived wisdom that government systems are more secure. Systems are often compromised by hackers who gain access via a backdoor, a vulnerable Web interface, or some other means. Hosting bogus sites on government systems can have a number of benefits for phishers, Symantec notes.

"Hosting a phishing Web page on a government site has a number of advantages for a phisher. Government Web sites often receive a high volume of traffic, so their servers can handle the extra traffic generated by a phishing site," writes Symantec researcher Nick Sullivan. "This extra traffic might not be noticed immediately, giving the phishing site a longer lifespan before it is detected and shut down. Perhaps most importantly, hosting a phishing site on an actual government URL gives the phishing site a sense of authenticity that’s hard to beat."

Private sector firms are also contributing to the problem. US distance learning firm New Horizon, which really ought to know better since it provides security training, left spamvertised pharmacy sites running on its systems for over a week even after we first notified it of problems. The issue was brought to our attention by anti-spam activist Roman Hnatiw who says that such problems are commonplace. A screenshot of the offending website captured by El Reg before the problem was put right can be found here. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.