Friday 17 February 2006

What brand owners should do about phishing

If you're a bank, or other organization that's worried about having your brand spoofed in a phishing attack, first you need to detect the attacks, and then you need to act. Here are some of the things you can do:

  1. Receive complaints from consumers -- publish an email address for consumers to forward suspected phishing emails to. The abuse desk can reply to the consumer to confirm whether this was a legitimate message or a phishing attempt (e.g. spoof@paypal.com, internetsecurity@barclays.co.uk).
  2. Run spamtraps -- publish email addresses for the sole purpose of receiving spam. Scan the incoming spam for phishing attempts on your brand.
  3. Detect remote image loading -- scan your web server logs for requests for your images (logo, padlock, button graphics) whose Referer header names a site that isn't yours. Phishing pages often hotlink the genuine images from your servers, so the first victims' browsers show up in your own logs and give early warning of an attack.
  4. Takedown -- get the phishing web sites removed from the Internet. Work with:
    1. The ISP responsible for the email sender
    2. The hosting company hosting the phishing website
    3. The domain registrar responsible for a bogus copycat domain (e.g. paypalverify.com)
  5. Block -- report the phishing URLs to the services that warn consumers, so they are protected while the sites are still up. For example:
    • Google's anti-phishing toolbar
    • Cloudmark's anti-fraud toolbar
    • Microsoft's anti-phishing protection in IE7
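The log check in item 3, as an added example (not code from the original post): it parses Apache/nginx "combined" log lines, keeps only image requests that were actually served, and counts those whose Referer points at a host outside the brand's own domains. The domain `bank.example`, the phishing host, the image paths and the log lines are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format:
#   client ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

IMAGE_SUFFIXES = (".gif", ".png", ".jpg", ".jpeg", ".ico", ".svg")

# Assumption: the brand's own registrable domain(s); any subdomain counts as ours.
OWN_HOSTS = {"bank.example"}

# Constructed sample log: one legitimate session, a phishing page hotlinking our
# logo and padlock, an HTML mail client loading the logo with no Referer, and a
# blog post that embeds the logo (also foreign, but usually benign).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Feb/2006:10:01:12 +0000] "GET /images/logo.gif HTTP/1.1" 200 4321 "https://www.bank.example/login" "Mozilla/5.0"
203.0.113.5 - - [17/Feb/2006:10:01:13 +0000] "GET /css/site.css HTTP/1.1" 200 812 "https://www.bank.example/login" "Mozilla/5.0"
198.51.100.7 - - [17/Feb/2006:10:02:40 +0000] "GET /images/logo.gif HTTP/1.1" 200 4321 "http://bank-example-verify.phish.example/secure/login.php" "Mozilla/4.0"
198.51.100.8 - - [17/Feb/2006:10:02:41 +0000] "GET /images/padlock.png HTTP/1.1" 200 1200 "http://bank-example-verify.phish.example/secure/login.php" "Mozilla/4.0"
198.51.100.9 - - [17/Feb/2006:10:03:05 +0000] "GET /images/logo.gif?v=2 HTTP/1.1" 304 0 "http://bank-example-verify.phish.example/secure/login.php" "Mozilla/4.0"
192.0.2.44 - - [17/Feb/2006:10:04:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 4321 "-" "Outlook Express 6.0"
192.0.2.45 - - [17/Feb/2006:10:05:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 4321 "https://secure.bank.example/accounts" "Mozilla/5.0"
192.0.2.46 - - [17/Feb/2006:10:06:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 4321 "http://blog.other.example/reviews" "Mozilla/5.0"
"""


def referer_host(referer):
    """Lowercased hostname from a Referer value, or None for '-' or blank."""
    return urlsplit(referer.strip()).hostname


def is_own_host(host, own_hosts=OWN_HOSTS):
    """True if host is one of ours or a subdomain of one of ours.
    Matches on a dot boundary, so bank.example.phish.example is NOT ours."""
    return host is not None and any(
        host == own or host.endswith("." + own) for own in own_hosts
    )


def foreign_image_loads(lines, own_hosts=OWN_HOSTS):
    """Count image requests that were served and whose Referer is a site we
    don't own.  Returns a Counter keyed by (referer_host, image_path).
    Requests with no Referer are skipped: mail clients and privacy-conscious
    browsers send none, so a blank Referer is not evidence either way."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or not in combined format
        path = m["path"].split("?", 1)[0]  # drop any cache-busting query string
        if not path.lower().endswith(IMAGE_SUFFIXES):
            continue
        if m["status"] not in ("200", "304"):
            continue  # image was not delivered (or revalidated), so not displayed
        host = referer_host(m["referer"])
        if host is None or is_own_host(host, own_hosts):
            continue
        hits[(host, path)] += 1
    return hits


def rank_referer_hosts(hits):
    """Aggregate per foreign host, most hits first, for an analyst to review."""
    per_host = Counter()
    for (host, _path), n in hits.items():
        per_host[host] += n
    return sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = foreign_image_loads(SAMPLE_LOG.splitlines())
    for host, n in rank_referer_hosts(hits):
        paths = sorted(p for (h, p) in hits if h == host)
        print(f"{n:4d}  {host}  {', '.join(paths)}")
```

On the sample, the phishing host ranks first with three hits (including the 304 revalidation) and the blog with one. Treat this as an early-warning signal rather than a verdict: Referer is supplied by the client, so a phisher who copies the images to their own host or strips the header will not appear, and a newly seen host whose referring path looks like a login page is the pattern worth escalating, while long-standing benign hotlinkers can be whitelisted.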
If you're worried about your brand's vulnerability to phishing, contact me. I can help.

4 comments:

Anonymous said...

Yes -- all valid points. A business needs to be vigilant in protecting its brand name, recognition and trust, but how far should they have to go?

I agree that having a special fraud reporting address is a good idea, but few organizations really know how to handle such reports once received. Most consumers don't know how to report scams, and often the fraud report addresses get flooded with false and off topic items. Such addresses become ineffective cost factors, and are often ignored.

I agree that companies should report phish attempts to the law and cooperate fully, but most police forces (at least here in the US) are ill-equipped to deal with web fraud, unless the case is big enough to interest the national forces (FBI, FTC, etc.).

If a business can support it, spam traps and active web scanning for redirects, unusual web activity, DNS/Domain registrations of similar corporate names, etc. are excellent ideas. If possible, they should join a trade group that can offer full time, professional web security. Top security firms should offer such services as part of standard security audit procedures.

But it's hard to fault businesses that don't have the resources or skill to do ALL the proactive things we'd like.

I do believe that every web user has to be an active, educated participant in the process who applies critical judgement to information coming via the web. Too many users fail to take responsibility for their own failures. Too often we users see abuses on the web, and fail to report or act on them.

What can we do to be aware of dangers and scams?

I want to suggest another tool now available. SiteAdvisor is a toolbar plugin offering more and better information than Google, Cloudmark or Netcraft.

SiteAdvisor released a beta version of their browser plug-in, which signals the relative safety of websites as you visit them, in December 2005.

When browsing, it automatically connects to a database maintained by SiteAdvisor and generates an easy to read Good/Bad indicator, alerting web surfers in real time if they are at a malicious site. It also does a quick check to determine if the site might be a potential phishing scam. For details, there is an info balloon, or one click on the SiteAdvisor toolbar icon will open a page explaining the ranking and why you need to be cautious.

This plug-in promises to do more, by actively probing the web sites visited by the users to get a more detailed analysis, then logging the results in the master database. The more people use this tool, the larger the database grows. The developers use a weighted algorithm to rate sites on several key points, like download safety, pop-ups, spam generation and user evaluations. One criterion judges the site by searching websites LINKED to the primary target. The theory is, if a site is closely related to many "known bad" sites, it might be an extension of them. Good idea.

The tool also check-marks web search results on the common search engines, alerting you to Good/Bad sites BEFORE you jump to them from a search page. The Flash demo on the SiteAdvisor website clearly illustrates how this works, better than I can explain it.
See the SiteAdvisor.com website for details.

Web researcher Ben Edelman recently wrote about them in an evaluation of SiteAdvisor he did. I've echoed that support at KIPCUG.

You might want to add this to your list of useful browser tools.

TomS

Anonymous said...

regarding the address:
internetsecurity@barclays.co.uk

they have now pulled this link from their website and are bouncing all emails sent to that address.

that didn't last long did it ?
:-)

Anonymous said...

Why would anyone allow third party sites to embed their content at all? If the referrer isn't their web site or blank, it should return either a blank image or a warning about suspected phishing occurring.

Richi Jennings said...

Mike, some do, surprisingly few don't.

But what I was getting at is to watch the logs as a warning that phishers are trying to remote-load the images. This can give early warning of an attack.
