German finance ministry tags fraudsters’ phishing form
The German Ministry of Finance has applied some lateral thinking in order to warn potential victims of a new phishing campaign.
Fraudulent tax refund emails doing the rounds in Germany seek to con marks into handing over sensitive information in order to claim a tax refund. The scam email uses images pulled from the genuine German Ministry of Finance in order to lend authenticity to the scam.
In response, the ministry have changed the images, with tagged photos warning potential marks that something was amiss, a far more effective warning approach than the standard tactic of posting a warning notice on the site.
Local security firm G-Data parsed the ministry's tactics as "a clever initiative to spread a genuine warning within a fake data submission form", in an advisory containing screenshots and more detail on the scam on its site here.
Phishers might change tactics to avoid including images from sites they are attempting to impersonate if this sort of countermeasure takes off but that would make convincing scams more time-consuming and difficult to create, no bad thing in itself.
The German Ministry of Finance doesn't even handle tax refunds, the job of local tax offices in Germany. That and the poor grammar in the scam emails probably meant few locals would be taken in by the ruse. For those few that slipped through the net, the changes to the pictures made on its site by the German Ministry of Finance might have cut the number of victims even further. ®
In other words...
... they put in a bit of code to check the Referrer for each request and serve up a different image if it wasn't from within their own website.
Not hard and I've seen this used as far back as 1995 to ward off image thieves
The real question is: "why isn't it used routinely?"
Now scammer will have to host their own copies of the pics instead of directly linking to the original source.
Still a good idea to defuse the current wave of scam though. Looks like German gov IT are not as useless as in some other countries #cough#
And at least, that will cost the scammers more bandwidth, so a thumb up.
What i cant get is:
All i do is out the pointer over the "click here to enter details" and i can then see the real address which clearly isn't anything to do with tax etc.
Perhaps we should educate users into doing this rather than spending millions of pounds, euros, dollars etc on things like image poisoning. The scammers will adapt but they cant hide a genuine URL...