
Not taking the bait

Johannesburg, 01 Apr 2010

How phishing works

* Planning - Phishers decide which business to target and determine how to get e-mail addresses for the customers of that business. They often use the same mass-mailing and address collection techniques as spammers.
* Set-up - Once they know which business to spoof and who their victims are, phishers create methods for delivering the message and collecting the data. Most often, this involves e-mail addresses and a Web page.
* Attack - This is the step people are most familiar with - the phisher sends a phony message that appears to be from a reputable source.
* Collection - Phishers record the information victims enter into Web pages or pop-up windows.
* Identity theft and fraud - The phishers use the information they've gathered to make illegal purchases or otherwise commit fraud. As many as a quarter of the victims never fully recover.
Source: Information Week

New domain names could assist greatly to combat phishing scams if used in conjunction with ongoing security initiatives.

The Internet Corporation for Assigned Names and Numbers (ICANN) is considering several domain names for different industries that would result in high-security Web sites.

“The idea is that certain names that create the impression of association with a financial institution (for example .bank) would be required to be 'high-security zones'. This does not mean that ICANN will definitely set up a .bank GTLD [generic top level domain], but rather that, if there is interest from the banking community, they could set it up under certain key requirements of a 'high-security zone',” says director of the .za Domain Name Authority Mike Silber.

What's in a name?

This means only legitimate financial services providers could use the high-security zone, Silber explains. Phishers and other criminals would be prevented from registering names in that zone, and this would hopefully prevent them from creating the impression that they are somehow legitimate and thus able to dupe clients.

Various qualification criteria would differentiate an application to the high-security zone from the current GTLD application process, which consists of simply checking availability, filling in a Web form and paying the fee.

Because of strict application procedures, users would know for certain that they're on the right site when they see these domain names, according to Silber.

He adds that it is not a formalised process yet. “Changes are ongoing. Internationalised names are being tested right now in a fast track allocation process. Other changes will occur over the next several months, with new GTLDs expected to be open for application at some time in 2010 or 2011.”

He emphasises that this can help with phishing, but users still need to be aware. “Nothing is ever going to stop them. Phishing relies on human stupidity and gullibility, so the more it looks like something they expect, the more people fall for it.”

Chairman of the Information Security Group Africa Craig Rosewarn voices doubts about these proposed domain name changes assisting with the fight against phishing. “I can't see it helping with phishing. Criminals will still spoof or copy it, no matter which site it is. It will help marketing and branding efforts, but I don't see how it will help with phishing.”

Silber admits that the proposed domain name changes have not received a very positive response when he has spoken about them at various forums, but says this is because people do not yet understand them clearly.

“There is no immediate need for 'hype' around these high-security zones, as they are still in the planning phase and have not yet been implemented.”

Phishing on the rise

If domain name changes actually do help the situation, then quick action is needed on their rollout, since phishing seems to have been thriving in SA over the last few months.

South African Banking Risk Information Centre's (SABRIC) Commercial Crime Office GM Susan Potgieter says: “The number of sites that have been detected and closed by the banks has grown more than five times, when comparing the last six months to the same period the year before.”

Although SABRIC does not have any actual figures on how much phishing is costing SA, Rosewarn supplies an estimated amount.

“The 2009 UK Cybercrime report showed that £50 million was lost to phishing and over 40 000 phishing sites had been closed down. As an estimate, we can put down the South African figure at at least R50 million, not just in bank payouts, but in what people have lost as well.” He emphasises that this is not an accurate figure, but a calculation based on recent information.

Senior lecturer at Rhodes University's Department of Computer Science Barry Irwin notes the sophistication of phishing has also developed. “The quality of the sites themselves has also increased dramatically, with many actually warning of the dangers of phishing,” says Irwin.

Ongoing security initiatives

Rosewarn describes two forms of action, the proactive and the reactive. These two methods of action are echoed by SABRIC.

“The main thing they [banks] can do, from a proactive point of view, is around awareness,” says Rosewarn. He explains that they constantly need to remind customers that the bank won't ask for details via e-mail or e-mail link.

If customers just look closely enough, Silber adds, it is easy to tell whether or not the site is authentic. “They must always look for the little padlock, which is a nice signal of authenticity. Now banks also have green certificates on their sites that help with this.”

“From a reactive point of view, [the banks] use companies to take down these [fraudulent] sites, but often find that the criminals still have access to these sites or that they have several other sites,” says Rosewarn.

“The banks are working together with law enforcement agencies and other stakeholders to seek means of combating bank-related crime,” says Potgieter.
