Original URL: http://www.theregister.co.uk/2003/10/30/gone_phishin/
Tactics to curtail email scams
Analysis: It seems that you're nobody in UK banking unless your customers have been targeted in phishing scams.
In recent weeks customers of Barclays, Lloyds TSB, Nationwide, Halifax and Citibank have all been targeted with scam emails which attempt to trick unsuspecting punters into handing over sensitive account information to fraudulent sites.
The problem reached new heights over the last week with scam emails, using almost the same text in each case, trying to hoodwink users into handing over sensitive details to fly-by-night fraudulent sites hosted in Russia. Some of these emails (which pose as security checks) targeted customers of organisations - such as Barclays and Lloyds TSB - that had already cropped up in previous phishing scams.
Typically these fraudulent emails (example here) are sent to numerous people using spamming software in the hope of reeling in a few victims. By blind chance, some of these emails reach customers of targeted organisations.
Cutting the phishing lines
Banks commonly advise their users to ignore the scam emails. But what else can be done?
Reg reader Brian Blackmore has a simple and elegant suggestion.
"With all these 'fake' bank sites, is it not about time that the banks introduce a user level way of us being sure that it is them," he writes.
"For example, in the NatWest website you have to tell them your date of birth plus a number, which uniquely identifies you, if after entering this the website could reply by telling you what your favourite band was, or some sort of similar unique but not non-security breaking information which would make you sure that it really was their website."
The true destination of a scam email's link is commonly disguised by tricking people into visiting misleading URLs in which the bank's real domain appears before an "@" sign and the fraudster's own host comes after it. As explained here, the weird-looking address takes advantage of the fact that anything between "http://" and "@" is treated as a username (and optional password) for the site, and is completely irrelevant to which server the browser actually connects to.
The feature has legitimate uses in authentication, since it lets a username and password be embedded in a URL, but Reg reader Steve Lloyd is amongst those who wonder if it is beginning to outlive its usefulness.
Lloyd writes: "Why on earth do web browsers continue to follow this rule when all it seems to do is make some unknowing individual's life a misery? Why can't a browser reject such addresses as improperly formed, or at least pop up a warning showing us where we're really about to be taken? At least that way people have a chance to see through the scam, and you never know, the scammers may just hang up their phishing lines!"
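To make the "@" trick concrete, here is an added example (not code from the article or from any browser vendor) showing how a standards-conforming URL parser resolves such an address, and the kind of warning Lloyd asks for. The sample URLs are constructed for illustration: the bank-looking name and the 203.0.113.7 address are placeholders, not real phishing sites.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not taken from the article). The first and third
# are the lookalike pattern the article describes; the others are controls.
SAMPLE_URLS = [
    "http://www.example-bank.example@203.0.113.7/login",   # really goes to 203.0.113.7
    "http://www.example-bank.example/login",               # genuine, no userinfo
    "http://www.example-bank.example:80@203.0.113.7/",     # decoy with a fake 'port'
    "http://user:pw@ftp.example.net/pub",                  # legitimate credential use
]


def real_host(url):
    """Return the host a browser will actually connect to.

    Everything between 'http://' and the last '@' before the path is userinfo
    (username[:password]) and has no bearing on which server is contacted.
    """
    return urlsplit(url).hostname


def decoy_host(url):
    """Return the text a casual reader would take for the hostname, i.e. the
    username part of the userinfo, or None when the URL has no userinfo."""
    return urlsplit(url).username


def looks_like_host_spoof(url):
    """Flag URLs whose username looks like a hostname (contains a dot).

    A real username rarely contains a dot; a bank's domain always does. This is
    a heuristic, not a rule from any browser.
    """
    user = urlsplit(url).username
    return user is not None and "." in user


def warn(url):
    """Produce the warning a browser could show, or None for a clean URL."""
    if not looks_like_host_spoof(url):
        return None
    return f"Warning: '{url}' will connect to {real_host(url)}, not {decoy_host(url)}"


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(warn(u) or f"ok: {u} -> {real_host(u)}")
```

Note that the legitimate `user:pw@ftp.example.net` form passes the check untouched, so a browser applying this rule would not break the authentication use the article mentions; it would only flag userinfo that is dressed up as a hostname.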
Or maybe the phishing lines of scammers should be cut.
Coding activists have developed a script that responds to phishing emails with realistic-looking junk. The idea is if fraudsters are swamped with useless information the scam will lose its effectiveness.
Vendor bandwagon picks up momentum
Security vendors are, needless to say, never slow in spotting an opportunity to promote ways in which their products and services could help address topical problems. Here are some of this quarter's offerings.
This month anti-spam outfit Brightmail announced an anti-fraud service to protect companies and customers from online crime including 'brand spoofing' and 'phishing'. The idea is that by subscribing to the service, companies that become the subject of fraudulent emails will get early notification of fraudulent emails captured by the firm's extensive probe network. Only subscribers to this service will receive such notification, Enrique Salem, Brightmail president and chief exec, told The Reg.
Comodo, the security firm best known as a supplier of digital certificates, is approaching the problem from a different angle.
The company has released a free tool, called Verification Engine, designed to verify website content and SSL connectivity whilst helping to identify fraudulent/spoofed websites. It's an interesting idea but not without its limitations: only IE is supported and only digital content signed by Comodo can be verified using the tool.
Whatever our reservations about the limitations of current anti-phishing technology, it's clear that email scams are a growing problem. It's certainly disruptive. Halifax made a decision to temporarily close its website and NatWest restricted third party payments from customer accounts after each was targeted in phishing scams.
Spam accounts for more than 50 per cent of all email messages sent over the Internet and is increasingly being used for criminal activity in the US and Europe, according to Brightmail.
Brightmail reckons that various forms of scams accounted for one in ten of the spam messages it blocked in August, with 17 per cent of these involving identity theft or phishing. Put another way: almost one in 50 spam messages is now an attempted ID theft.
Brightmail's Enrique Salem guesstimates that scammers only need one in a million recipients to respond to phishing emails to make the con worthwhile. Figures on respondents are notoriously hard to quantify but, quite apart from the number of people ripped off, we need to be concerned about the damaging effect phishing scams can have on public confidence in ecommerce.
Anatomy of a scam
Following the increased prevalence of such scams over the last two months, the National Hi-Tech Crime Unit and leading banking associations APACS and the BBA earlier last week issued a checklist for UK consumers designed to help them protect themselves against Internet fraudsters.
The NHTCU warned last week that phishing (conning people into giving access details to online bank accounts) is only the first part of a two-stage scam.
The second phase of the scam involves trying to recruit British people with online accounts to act as agents to transfer money abroad. This is necessary because the fraudsters themselves are located outside Britain and therefore unable to transfer cash from their victims' accounts directly.
The NHTCU, in common with security consultancy NTA Monitor and others, argues that user education is the necessary first step in reeling in phishing scams.
Financial institutions also have a role to play, according to Peter Dorrington, head of fraud solutions at SAS.
He advises businesses to routinely trawl the Internet for domain names similar to their own and to register all likely permutations of their domain name, so that the fraudsters' options are limited. (Not directly relevant to the latest scams, which used the "@" trick rather than lookalike domains, but still good advice.)
"Businesses can monitor all activity into call centres and web channels and proactively use technology as an early detection method to monitor for a sudden rise in activity being transferred out of accounts," he adds.
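Dorrington's first suggestion, trawling for and registering lookalike domains, is easy to automate. The following is an added example (not code from SAS or from the article) that generates the common typo and confusable permutations of a registrable name and reports which ones are not yet under the brand owner's control. The domain `examplebank.co.uk`, the `OWNED` set and the partial keyboard map are all constructed for illustration.

```python
# Constructed, partial QWERTY neighbour map for fat-finger substitutions.
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "i": "ujko", "k": "jiol", "l": "kop", "n": "bhjm", "o": "iklp",
    "s": "awedxz", "t": "rfgy", "y": "tghu",
}
VOWELS = "aeiou"
# Visually confusable substitutions (source text, replacement).
HOMOGLYPHS = (("l", "1"), ("i", "1"), ("o", "0"),
              ("rn", "m"), ("m", "rn"), ("vv", "w"), ("w", "vv"))

# Constructed sample: names the (hypothetical) bank has already registered.
OWNED = {"examplebank.co.uk", "examplebank.com", "example-bank.co.uk"}


def lookalikes(domain, tlds=("co.uk", "com", "net", "org")):
    """Generate lookalike names for 'label.tld'.

    Covers omission, repetition, transposition, hyphenation, adjacent-key
    replacement, vowel swap and homoglyph substitution of the label, expanded
    across the candidate TLDs, plus the unchanged label under every other TLD.
    """
    label, _, own_tld = domain.lower().partition(".")
    variants = set()
    n = len(label)
    for i in range(n):
        variants.add(label[:i] + label[i + 1:])                          # omission
        variants.add(label[:i + 1] + label[i:])                          # repetition
        if i < n - 1:
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
            variants.add(label[:i + 1] + "-" + label[i + 1:])            # hyphenation
        for c in ADJACENT.get(label[i], ""):
            variants.add(label[:i] + c + label[i + 1:])                  # adjacent key
        if label[i] in VOWELS:
            for v in VOWELS:
                variants.add(label[:i] + v + label[i + 1:])              # vowel swap
    for src, dst in HOMOGLYPHS:
        if src in label:
            variants.add(label.replace(src, dst))                        # homoglyph
    variants.discard(label)
    variants = {v for v in variants if v}
    names = {f"{v}.{tld}" for v in variants for tld in tlds}
    names |= {f"{label}.{tld}" for tld in tlds if tld != own_tld}        # same label, other TLD
    return sorted(names)


def unregistered(domain, owned):
    """Return the lookalikes of `domain` not in `owned`: the names still open
    to a fraudster, or at least worth putting on a watch list."""
    owned = {d.lower() for d in owned}
    return [d for d in lookalikes(domain) if d not in owned]


if __name__ == "__main__":
    gaps = unregistered("examplebank.co.uk", OWNED)
    print(f"{len(gaps)} lookalike names not under our control, e.g.:")
    for name in gaps[:10]:
        print("  ", name)
```

In practice the output list is fed to a WHOIS or zone-file check rather than registered wholesale; the point is that the candidate set is small enough to monitor routinely, which is what the advice above asks for.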
While we are on the role of banks in blocking phishing scams it would be rude not to refer to Halifax Bank's interesting decision to shut down its website for two days after its customers were targeted by phishing emails.
The recent Russian phishing scams load the real Barclays/Halifax/Nationwide etc. pages in one browser window along with a pop-up window from the fake site requesting account details.
Rather than closing down its entire ebanking operation - as Halifax did - we think Nationwide took the wiser course in putting up a warning to customers on the legitimate page that the fraudsters' email loaded.
Many Reg readers have questioned how taking its own site down prevented foolish Halifax users from giving their banking details to the scammers. True, the scammers wouldn't be able to do anything with this information immediately, but what happens when the site is put back online again? Surely the main thing is to get fake sites removed as quickly as possible.
The issue of education and phishing scams extends beyond the public, it appears. ®
Halifax suspends e-banking site after phishing attack
Email scammers target Halifax, Nationwide, Citibank
UK banks and police proffer anti-phishing advice
NatWest customers targeted in 'phishing' scam
Lloyds TSB phishing scam nipped in the bud
Email fraudsters target Barclays
MS, eBay, Amazon et al join ID theft busters
Accused AOL phisher spammed the FBI
ID theft hits 10m Americans a year