
Friday, October 09, 2009

Phishing Continues to Soar

Via OUT-Law and Future Identity

"The number of phishing attacks on online banking systems has risen by 26% in the first half of this year. Phishing is the technique that was used to uncover the tens of thousands of Hotmail, Google Mail and Yahoo! Mail passwords revealed this week.

Phishing is the practice of creating fake versions of websites and asking users to enter their login details. Those details are then stored so that they can be used on the real sites.

It was revealed last week that more than 10,000 users of Microsoft's Hotmail service had had their details harvested by phishing attacks. They were then published online. It emerged this week that a similar problem had emerged in relation to the details of users of other web mail services such as Google Mail and Yahoo! Mail."


Pangloss has long predicted that rises in phishing will inexorably lead to banks becoming more and more reluctant to pick up the can, and instead imposing fault-based filters on recompense. Should regulation in this area that is more effective than the current Banking Code not be part of the general reconsideration right now of the duties as well as the profits of banks? Hmm. It will be interesting also to see what constraints the new Payments Directive imposes. As Future Identity points out, banks gain at least as much from a working and trustworthy online banking system as they lose, given the rundown in high street banking services.

Monday, November 24, 2008

Public sector implications of phishing

It's funny how things creep up on you. A year ago e-government was still just another buzzword to me; e-commerce yes, but do my public sector stuff online? Nah.

And yet in the last couple of months I have paid for my road tax online, ditto for my TV licence, and having failed to make my self assessment deadline, will be (ahem) paying someone else to do it for me online. E-government really is here.

Which means it will no doubt be only a matter of minutes before the phishers catch on and exploit it as mercilessly as they're currently playing the troubled banking sector and its confused customers. Today I got yet another Lloyds TSB etc. phish and for some reason decided to investigate this one. It was surprisingly more sophisticated than last time I looked. The usual ploy: a fake URL which magically transported you to a site that was NOT Lloyds TSB.

It was in fact

http://www.lloydstsb.co.uk-pre.info

Quite clever that, huh? The even vaguely clued-up punter now knows to look for the right URL - and it has the co.uk part right. The trick is that the domain actually registered here is uk-pre.info; "lloydstsb.co" is merely a subdomain hung in front of it. That intrigued me so I looked up whois and found this:

Front Page Information

Website Title: Lloyds TSB - Logon
Title Relevancy 66%
Meta Description: This is the Lloyds TSB logon page
Description Relevancy: 71% relevant.
AboutUs: Wiki article on Uk-pre.info

So they've again anticipated the even vaguely clued-up punter and poisoned the whois directory. Now that IS bad. The fake Wiki article link is also quite neat. I checked and it doesn't link to Wikipedia itself but to an obviously f(ph)ishy advertising site. However I'm sure the next lot along will easily concoct a real Wiki article. After all it only has to stay up for a day or so...
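The lookalike hostname above works because browsers and users read left to right while domain ownership is decided right to left: everything before the public suffix plus one label is under the registrant's control. The following checker is an added example, not code from the blog or from any bank; it uses a constructed subset of public suffixes (a real tool would load the full Public Suffix List from publicsuffix.org) and a constructed table of legitimate domains for one brand name, and flags any URL whose hostname mentions the brand but resolves to a registrable domain the brand does not own.

```python
from urllib.parse import urlsplit

# Constructed subset of public suffixes, enough for this example.
# A production checker should load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "info", "uk", "co.uk", "org.uk"}

# Constructed allow-list: brand token -> registrable domains the brand owns.
# "lloydstsb.com" is an assumed entry for illustration, not taken from the post.
LEGITIMATE = {"lloydstsb": {"lloydstsb.co.uk", "lloydstsb.com"}}


def registrable_domain(hostname):
    """Return suffix-plus-one-label, i.e. the part the registrant controls.

    Tries the longest candidate suffix first, so 'co.uk' wins over 'uk'.
    Returns None if the hostname is itself a public suffix.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            if i == 0:
                return None
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def check_url(url):
    """Classify a URL as legitimate, suspicious or unknown for the brands we track.

    Uses urlsplit().hostname so that userinfo tricks (brand@evil.example)
    and ports are stripped before the hostname is examined.
    """
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    # Collapse separators so 'lloyds-tsb' and 'lloyds.tsb' still match the token.
    flat = host.replace("-", "").replace(".", "")
    for brand, domains in LEGITIMATE.items():
        if brand in flat:
            return ("legitimate" if reg in domains else "suspicious"), reg
    return "unknown", reg


if __name__ == "__main__":
    for u in ("http://www.lloydstsb.co.uk-pre.info",      # the phish from the post
              "https://www.lloydstsb.co.uk/logon",         # the real thing
              "http://lloydstsb.co.uk@evil.info/login",    # userinfo trick
              "http://example.com"):
        print(u, "->", check_url(u))
```

The verdict for the phishing URL is "suspicious" with registrable domain uk-pre.info, which is exactly the information a punter needs and is never shown by the address bar as a single piece. The userinfo form yields "unknown" rather than "legitimate" because the brand text is not part of the hostname at all; a stricter deployment might treat any brand mention anywhere in the URL of an unknown domain as suspicious.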

All this makes it even clearer that expecting the consumer to spot a phish site is ever more unlikely. We need better anti-phishing tools, better take-down networks, more police/bank collaboration and better rules about phishing liability, and, as I've said before, soon.

Note: and the fake site is down - so that WAS a take-down within 12 hours or so.

Saturday, October 11, 2008

Fun Times for Phishing

The credit crisis is doing interesting things to computer crime. One might have predicted that a background of banks crashing, closing access to depositors and being bailed out would be seventh heaven for phishing emails, with users failing to distinguish real reassuring emails from fake ones in the confusion. And so it has transpired - with Chase, Wachovia and Bank of America among the most popular targets with scammers, according to the US's watchdog, the FTC.

But of course what are you phishing FOR? As credit dries up, the old standby of stealing personal ID so as to apply for limitless amounts of credit loses its efficacy. Soon, the days of easy credit cards will be gone. So instead, phishing attacks have switched from ID theft to faking credentials to allow withdrawals from existing accounts. This is interesting - surely such attacks should be more visible than plain old ID theft? Would this not be a good time to look at banking security and supervision with a view to automatedly spotting upsurges in micro-withdrawals from multiple accounts?
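The monitoring the post asks for is not exotic: a campaign that drains many compromised accounts in small amounts shows up as an unusual number of distinct accounts making sub-threshold withdrawals in the same window. The script below is an added example, not anything from the blog, Apacs or a bank; it runs over a constructed ledger (timestamp, account, amount) and flags each hour in which at least a chosen number of distinct accounts each made a withdrawal at or below a chosen micro-limit. The thresholds and the sample data are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample ledger: ISO timestamp, account id, amount withdrawn.
# The 10:00 hour contains a burst of small withdrawals from five accounts.
SAMPLE_LEDGER = """\
2008-10-10T09:00:12 ACC-1001 250.00
2008-10-10T09:05:40 ACC-1002 40.00
2008-10-10T10:02:01 ACC-1003 35.00
2008-10-10T10:04:17 ACC-1004 38.00
2008-10-10T10:05:33 ACC-1005 42.00
2008-10-10T10:06:59 ACC-1006 39.00
2008-10-10T10:07:10 ACC-1007 41.00
2008-10-10T10:08:44 ACC-1007 41.00
2008-10-10T11:15:00 ACC-1008 600.00
"""


def accounts_per_hour(ledger_text, micro_limit):
    """Map each hour bucket to the set of distinct accounts that made a
    withdrawal of at most micro_limit in that hour."""
    buckets = defaultdict(set)
    for line in ledger_text.splitlines():
        if not line.strip():
            continue
        ts, account, amount = line.split()
        if float(amount) <= micro_limit:
            hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
            buckets[hour.isoformat()].add(account)
    return buckets


def micro_withdrawal_surges(ledger_text, micro_limit=50.0, min_accounts=5):
    """Return the sorted hour buckets that look like a coordinated drain:
    at least min_accounts distinct accounts each withdrew <= micro_limit.
    Counting distinct accounts, not transactions, keeps one customer
    making several small withdrawals from tripping the alert."""
    buckets = accounts_per_hour(ledger_text, micro_limit)
    return sorted(h for h, accts in buckets.items() if len(accts) >= min_accounts)


if __name__ == "__main__":
    for hour in micro_withdrawal_surges(SAMPLE_LEDGER):
        print("surge of micro-withdrawals in hour starting", hour)
```

In a real deployment the fixed min_accounts would be replaced by a per-hour baseline learned from normal traffic, and the alert would feed a fraud team rather than block payments outright, but the shape of the signal is the same: many accounts, small amounts, short window.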

The HL recently reiterated its call for banks to be legally held liable for phishing losses to bank account holders. At the moment, despite the lack of mandatory control, banks usually, though not universally, pay up. As margins tighten and liquidity disappears, and as phishing attacks mount (already up 180% in the UK from January to June 08 compared to the same period in 2007, according to Apacs), it will grow ever more tempting for banks to find ways to get out of reimbursing phishing losses, e.g. by claiming that users failed to take adequate security steps. Considering the imbalance in technical knowledge and control between banks and users, this must be resisted. Phishing liability needs to be put on a legal basis, and soon.