I hope everyone had a wonderful holiday! After time spent worrying about things such as finalizing plans and buying Christmas presents, it’s always good to finally get the chance to slow down and enjoy time with family. It was my baby girl’s first Christmas, so it was definitely a special one.
It doesn’t take long for things to pick up speed after the lull of Christmas Eve and Christmas Day. Many people probably spent the weekend after Christmas returning gifts or taking advantage of some post-holiday sales. Plenty more probably went online in search of deals, hopefully dodging spammers and phishers looking to get a cut of holiday spending.
I have noticed a concerning trend with the spam and phishing emails that make their way into my inbox. Almost every time I have received a scam bank email from spammers/phishers, they have been posing as a local bank that I could feasibly use or the bank at which I am a customer. In other words, I have never received a phishing email from a bank in another country.
This makes me wonder about two things. First, do Internet users in other countries experience the same patterns or do they also receive emails about banks in the U.S.? Second, I have to wonder how much phishers actually know about the people on their email lists. Some of the information contained in the emails is alarmingly specific – if the phisher actually knows where I bank, or at least enough about my habits or location to make a very accurate guess, then what else could they know about me?
At the heart of many phishing schemes is the pursuit of information: personal and financial details that phishers can exploit. A great deal of scam protection involves safeguarding this valuable information. One reason phishers and other spammers know so much about the people on their lists is that some of their data comes by way of hackers who break into the systems of legitimate organizations and harvest the information that each of us knowingly provided to that organization.
So if phishers already know enough about us to engage in fairly sophisticated targeting and actually reach us, shouldn’t we be more concerned about how easily these phishers can maneuver their way into getting our information?
According to a recent article in Web Host Industry Review, the Swedish Bankers’ Association lobbied the Swedish Post and Telecom Authority (Post- och telestyrelsen) to prevent Internet users from registering domain names containing the word “bank” in the .SE ccTLD. The goal of the initiative was to allow only legitimate banks to register domains containing this term, which would cut down on fraud and illegal phishing attempts. According to this theory, consumers would know to trust only domains containing the word “bank” with their financial and account information, because only authorized banks would be able to own those domains.
The problem is that banning the term “bank,” or censoring the content of domain names in any way, simply will not work to prevent fraud. In fact, the initiative may backfire.
Phishing and other scams will still be able to easily take advantage of Internet users through tactics such as spoofing the sender address of an email so that it appears to come from a legitimate domain, whether or not that domain contains a word such as “bank.” At the same time, because of the initiative, people may be less diligent about keeping an eye out for potential scams: customers will be operating under the assumption that any correspondence or interaction with a domain name containing “bank” is safe. Cybercriminals are always adapting to new obstacles in the domain name space, and it is overly simplistic to think this measure will protect Internet users’ financial information.
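To make the argument above concrete, here is an added Python example (not code from the original post) that contrasts the reassurance a reader might take from “the sender mentions bank” with what the .SE registration rule actually covers: only the registered second-level name under .se. The From-header values are constructed for the example, and the registrable-domain split is a simplified two-label model (an assumption; no public-suffix list is consulted).

```python
import re

# Constructed sample From headers for this example (not from the original post).
SAMPLE_FROM_HEADERS = [
    "Kundtjanst <service@bank.se>",                  # "bank" is the registered .se name
    "Security <alerts@bank.evil-example.se>",        # "bank" only as a subdomain label
    "Swedbank Support <noreply@example-mail.com>",   # "bank" only in the display name
    "Online Banking <help@bank-login.example.com>",  # "bank" in a non-.se domain
]

def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From header value."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower().rstrip(".")

def registrable_domain(domain: str) -> str:
    """Simplified two-label model (assumption: enough for plain .se names)."""
    labels = domain.split(".")
    return ".".join(labels[-2:])

def covered_by_se_bank_rule(domain: str) -> bool:
    """True only where the .SE rule would apply: 'bank' inside the registered
    second-level label under .se. Subdomains and other TLDs fall outside it."""
    labels = registrable_domain(domain).split(".")
    return len(labels) == 2 and labels[1] == "se" and "bank" in labels[0]

def naive_trust(from_header: str) -> bool:
    """The reassurance the post warns about: 'it says bank somewhere, so it is safe'."""
    return "bank" in from_header.lower()

def classify(from_header: str) -> dict:
    domain = sender_domain(from_header)
    return {
        "domain": domain,
        "registrable": registrable_domain(domain),
        "naive_trust": naive_trust(from_header),
        "policy_covered": covered_by_se_bank_rule(domain),
    }

def false_reassurance(headers: list) -> list:
    """Headers a reader would trust on the keyword alone although the rule never touched them.
    A real mail filter should instead allowlist exact registrable domains and require
    SPF/DKIM alignment (DMARC), since the visible From text itself can be forged."""
    return [h for h in headers if naive_trust(h) and not classify(h)["policy_covered"]]

if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(classify(h))
```

Three of the four constructed senders contain “bank” yet lie entirely outside the registration rule, which is the gap the post describes.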