Now anyone can become a target for phishing scams


By Peter Branton. Published October 30, 2005

Anybody who is concerned about computer security needs to look at a few basic issues first: perhaps they should start with their typing. In last week’s editorial column we drew attention to a web site that was set up to look like Symantec’s but offered a variety of services that certainly don’t fall under the heading of software security: weight loss, real estate, training and alcohol treatment, among them.

We had asked Symantec for a response as to the site’s validity; sadly, we went to press before it arrived. Symantec has since replied, and we can now reproduce its response in full: “Symantec’s Brand Protection Task Force is aware of the situation and is taking appropriate investigative action. We’re not at liberty to discuss the specifics of the investigation or what it entails, but in the best interests of protecting our customers from fraudulent web sites such as this, we take these matters very seriously. Symantec’s Brand Protection Task Force is a team of former police investigators and lawyers established in March 2002 to combat attacks on Symantec’s brand via fraudulent web sites, pirated software, and phishing.”

Surprisingly, the original URL we were concerned about is actually just one of a number we found that use misspellings of Symantec’s name, all of them reasonably easy to produce if you are typing quickly and are a little careless. (We stumbled across the first web site when we were doing research for another article about Symantec; finding the others was a simple matter of trial and error. Some didn’t work, others gave us fake sites with extremely strange content: portable air cleaners for home and office, anyone?) The point of all this is not to bash Symantec, which is one of the most reputable firms in the IT industry, but to show that literally any firm can be targeted by such incidents.

Security guru Bruce Schneier has recently claimed that phishing (the practice of setting up such fake web sites and then sending out e-mails to draw people to them) would stop very quickly if the institutions affected were made directly responsible for the losses that people incurred as a result. “This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, or because California has new criminal penalties for phishing, or because ISPs will recognise and delete the e-mails. It will go away because the information a criminal can get from a phishing attack will not be enough to commit fraud because the companies won’t stand for all those losses,” he wrote in his online newsletter.

The idea is superficially appealing: the most common targets of phishing attacks are banks, as we highlighted a couple of weeks ago, and it is certainly true that if they were more directly financially penalised by such incidents they would do more to stop them. Banks have been far too complacent about the problem; we were disappointed by the response of a number of the regional banks that we contacted. Also, banks have the resources to deal with such incidents, which their customers may not have: a small amount for a bank may be beyond the means of all but its richest customers.

However, we would argue that banks, and all institutions that are hit by phishing, already pay in one form or another. Finally, we would argue that forcing banks to pay out for phishing attacks would just see them pass the cost back to customers in other ways: ultimately we are all going to foot the bill for phishers, so we all need to watch out for it.
