Yesterday Microsoft announced that it was taking legal action in 104 cases against phishers, those clever criminals that put up fake banking and ecommerce sites and try to get you to reveal your username/password to them. While I applaud any effort to prosecute these cyberjerks I am tempted to ask: “Why?” I can see why Microsoft prosecutes virus writers, they are damaging Microsoft’s reputation. But of all security problems is phishing one that Microsoft is responsible for?
Is it an IIS (Internet Information Server) issue? Is Microsoft interested in protecting the reputation of their web server? In my experience most of the phishing sites I have investigated are not running Windows, and the phisher often installs his own web server software anyway.
The best explanation I can come up with is that Microsoft is demonstrating that they want to make the Internet a safe place to conduct commerce. I am all for that.
But let’s think about the phishing problem. Financial institutions, ecommerce sites, and subscription services in the
First there is password guessing. Someone who knows the victim, a spouse or roommate, may be able to guess the password. In some cases it can be trivially easy. Try “password” or “RedWings” if you are in
Keystroke loggers were the next innovation in identity theft. I first encountered these being used in
And thirdly phishing attacks use elaborate social engineering to induce you to hand over your credentials to the phisher. Just quickly dipping into my spam folder to bring up an example I found this Chase JPMorgan phishing site. I am going to give the URL here so you can see a pretty good phishing site. Do I have to tell you *not* to input your information? http://elektrocejka.cz/chaseonline.chase.com/login/index.htm
See the original email that delivered this phishing attack here. http://blogs.zdnet.com/threatchaos/?page_id=296
According to the Anti-Phishing Working Group the average life span of a phishing site is 5 days so this link may not work for long.
So back to Microsoft and their efforts to do something about phishing. I am a proponent of using technology to counter attacks. I believe it is Chase’s responsibility to protect their users. Strong authentication measures are available and as I pointed out recently they even *increase* business for a financial institution by increasing trust.
Cyota (now RSA) offers businesses a behavior-based method of detecting when they are undergoing a phishing attack and blocking fraudulent transactions.
A company called Cyveillance just announced an
My point is that there are technological solutions to phishing. And while prosecuting criminals is great, and Microsoft gets credit for undertaking that task, others, banks in particular, should be deploying more immediate defenses.