Yesterday Microsoft announced that it was taking legal action in 104 cases against phishers, those clever criminals that put up fake banking and ecommerce sites and try to get you to reveal your username/password to them. While I applaud any effort to prosecute these cyberjerks, I am tempted to ask: “Why?” I can see why Microsoft prosecutes virus writers: they are damaging Microsoft’s reputation. But of all security problems, is phishing one that Microsoft is responsible for?
Is it an IIS (Internet Information Server) issue? Is Microsoft interested in protecting the reputation of their web server? In my experience most of the phishing sites I have investigated are not running Windows, and the phisher often installs his own web server software anyway.
The best explanation I can come up with is that Microsoft is demonstrating that they want to make the Internet a safe place to conduct commerce. I am all for that.
But let’s think about the phishing problem. Financial institutions, ecommerce sites, and subscription services in the US and a few other countries have long relied on simple username password pairs. There have been three major means of attack against these sites.
First there is password guessing. Someone who knows the victim, a spouse or roommate, may be able to guess the password. In some cases it can be trivially easy. Try “password” or “RedWings” if you are in Detroit. Spammers were the first to abuse simple authentication schemes when they attacked Yahoo! and MSN and AOL with automated password guessers. That gave us today’s defenses that display a squiggly word for you to type in to thwart such automated attacks.
Keystroke loggers were the next innovation in identity theft. I first encountered these being used in Istanbul’s Internet cafes.
And thirdly, phishing attacks use elaborate social engineering to induce you to hand over your credentials to the phisher. Just quickly dipping into my spam folder to bring up an example, I found this Chase JPMorgan phishing site. I am going to give the URL here so you can see a pretty good phishing site. Do I have to tell you *not* to input your information? http://elektrocejka.cz/chaseonline.chase.com/login/index.htm
According to the Anti-Phishing Working Group the average life span of a phishing site is 5 days so this link may not work for long.
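The URL above shows the trick that makes such a page convincing: the real hostname the browser connects to is elektrocejka.cz, while the brand's hostname is only a path segment. As an added example (not from the original post), here is a small Python check that separates the host actually contacted from brand-looking names planted in the path or in the user@host part of a URL; the brand list and function names are my own.

```python
from urllib.parse import urlsplit
import re

# Anything shaped like a DNS name: two or more dot-separated labels.
_HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
# Plain file names (index.htm) also match the pattern above; skip those.
_FILE_EXT = {"htm", "html", "php", "asp", "aspx", "jsp", "cgi"}

def real_host(url: str) -> str:
    """The host the browser will actually connect to, lowercased, no port."""
    return (urlsplit(url).hostname or "").lower()

def decoy_hosts(url: str) -> list[str]:
    """Hostname-like strings placed where a hurried reader may take them for
    the destination: the userinfo part (name@host) and the path segments."""
    parts = urlsplit(url)
    host = real_host(url)
    candidates = ([parts.username] if parts.username else []) + parts.path.split("/")
    return [
        c.lower() for c in candidates
        if _HOSTLIKE.match(c)
        and c.rsplit(".", 1)[-1].lower() not in _FILE_EXT
        and c.lower() != host
    ]

def _under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def looks_like_brand_spoof(url: str, brand_domains: set[str]) -> bool:
    """Flag a URL whose real host lies outside every brand domain while a
    name inside one of those domains is displayed elsewhere in the URL."""
    host = real_host(url)
    if any(_under(host, d) for d in brand_domains):
        return False  # genuinely on the brand's own domain
    return any(_under(d, b) for d in decoy_hosts(url) for b in brand_domains)

if __name__ == "__main__":
    # The URL quoted in the post, checked against a constructed brand list.
    sample = "http://elektrocejka.cz/chaseonline.chase.com/login/index.htm"
    print(real_host(sample), decoy_hosts(sample))
    print(looks_like_brand_spoof(sample, {"chase.com"}))
```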
So back to Microsoft and their efforts to do something about phishing. I am a proponent of using technology to counter attacks. I believe it is Chase’s responsibility to protect their users. Strong authentication measures are available and, as I pointed out recently, they even *increase* business for a financial institution by increasing trust.
Cyota (now RSA) offers businesses a behavior-based method of detecting when they are undergoing a phishing attack and blocking fraudulent transactions.
A company called Cyveillance just announced an SLA (Service Level Agreement) for their customers that claims they will discover and take down a phishing site in 5 hours. And Digital Defense is working with Netcraft to offer phishing “counter measures.”
My point is there are technological solutions to phishing. And while prosecuting criminals is great and Microsoft gets credit for undertaking that task, others, banks in particular, should be deploying more immediate defenses.