Mink Machine

The modern plague of phishing

Once upon a time, the so-called Nigerian letters were adapted into online versions by devious spammers. They were basically email versions of advance fee fraud, and I suppose that a few people fell for the traditional versions of these scams delivered by snail mail. Unfortunately the spammers have evolved along with the rest of the world. The weakness being exploited has shifted from a lack of common sense to a lack of advanced computer knowledge.

Phishing and other fraud involving social engineering techniques has expanded a lot in recent years, and it can be found in email, IM, blog comments and more. Anti-phishing filters are having a hard time keeping up with the attackers. There are often several clues that reveal the phishing attempt, such as spelling errors, an IP address in place of a host name, and a lack of personalization in the message.

However, modern malice such as IDN spoofing (look-alike domain names built from characters of other scripts) and cross-site scripting makes it hard for casual surfers to detect the phishing activity. Even Hanselman got phished (and immediately felt embarrassed). If even computer-savvy experts fall prey to this kind of scam, it has definitely gotten bad. How can we as developers better protect the average web citizen?
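Two of the clues mentioned above, a raw IP address in place of a host name and IDN spoofing, can be checked mechanically before a user ever reads the page. The following is an added example, not code from the original post: a small Python script, standard library only, that flags those two patterns in a URL. The sample URLs at the bottom are constructed for illustration (the `p\u0430ypal.com` homograph uses a Cyrillic а in place of the Latin one), and the flag names are my own.

```python
"""Heuristic URL checks for two phishing clues: an IP literal used as the
host, and an internationalized (IDN) host label that mixes scripts, which is
the homograph trick behind IDN spoofing.  Added example, standard library
only; the URLs at the bottom are constructed inputs, not real addresses."""
import ipaddress
import unicodedata
from urllib.parse import urlsplit


def _scripts(label: str) -> set:
    """Scripts used by the letters of one host label.

    unicodedata exposes no script property, but a letter's Unicode name starts
    with its script ("CYRILLIC SMALL LETTER A", "LATIN SMALL LETTER A"), which
    is enough to catch the Latin/Cyrillic/Greek confusables used in homographs.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def decode_host(host: str) -> str:
    """Turn an ACE host (xn--... labels) back into the Unicode a user sees.

    A host that is already Unicode, or that is not valid punycode, is returned
    unchanged so the caller can still inspect it label by label.
    """
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def phishing_url_flags(url: str) -> list:
    """Return sorted flags for url; an empty list means nothing suspicious.

    ip_host          the host is an IPv4/IPv6 literal instead of a host name
    idn_label        a label contains non-ASCII characters (informational:
                     many legitimate sites use IDNs)
    mixed_script     an IDN label mixes scripts, e.g. Latin plus one Cyrillic
                     letter, which is what a homograph of a brand name looks like
    undecodable_ace  a label carries the xn-- prefix but is not valid punycode
    """
    host = urlsplit(url).hostname
    if not host:
        return ["no_host"]
    try:
        ipaddress.ip_address(host)   # raises ValueError for a real host name
        return ["ip_host"]
    except ValueError:
        pass
    flags = set()
    for label in decode_host(host).split("."):
        if label.startswith("xn--"):
            flags.add("undecodable_ace")
            continue
        if any(ord(ch) > 127 for ch in label):
            flags.add("idn_label")
            if len(_scripts(label)) > 1:
                flags.add("mixed_script")
    return sorted(flags)


# Constructed sample inputs.  HOMOGRAPH has a Cyrillic а (U+0430) in place of
# the Latin a; HOMOGRAPH_ACE is the same name in the xn-- form a browser of the
# time might have shown in its address bar instead.
HOMOGRAPH = "p\u0430ypal.com"
HOMOGRAPH_ACE = HOMOGRAPH.encode("idna").decode("ascii")  # xn--pypal-4ve.com
SAMPLES = [
    "http://192.0.2.10/nordea/login",
    "http://[2001:db8::1]/",
    "https://www.nordea.se/",
    "https://" + HOMOGRAPH + "/login",
    "https://" + HOMOGRAPH_ACE + "/login",
    # All-Cyrillic IDN: legitimate, so only the informational idn_label fires.
    "https://\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, phishing_url_flags(sample) or "ok")
```

The script-by-name trick is deliberately simple: it treats a label as suspicious only when it mixes scripts, so a fully Cyrillic or fully Greek domain is reported as an IDN but not as a homograph. A real filter would add a comparison against the domain the mail claims to come from, since a homograph is only dangerous when it resembles a name the reader trusts.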

Modern browsers such as Firefox 2, Opera and Internet Explorer 7 contain anti-phishing support based on blacklists of known phishing sites. Anti-phishing toolbars can help by highlighting the domain name the browser actually connected to. But technology can't save people from themselves, which is one of the reasons why social engineering techniques are so devious and hard to counter. In the end, it often comes down to common sense:

Would you give your car key to someone in the street claiming to be a mechanic for free? Not likely.

Would you send your bank account number and PIN code in plain text to someone on the internet claiming to work for your bank? Apparently several people seem to think this is a great idea.

Software developers are putting a lot of effort into getting rid of the phishing threat, but that doesn't justify anyone switching off their brain entirely as soon as they connect to the web.

2 comments

  • Mandus
    18 Jul, 2007

    I guess part of the problem is the general opinion that most stuff on the internet is/should be free. The free mechanic in real life is usually a good friend or relative; on the internet it could be the open source community giving you quality software for free, or some dubious company wanting to scan your computer for viruses and other stuff.
    That said, one of the e-mails regarding Nordea (a Swedish bank facing a lot of problems with phishing attacks) actually found its way into my inbox a while back. The grammar was quite bad, no sign of the letters åäö, and a very unprofessional feel to the layout makes it hard to believe that anyone would fall for that.
    But then again, you can find most of that if you ask for a flyer at your local pizza delivery. Even if I would be genuinely surprised if they asked me for my account name and password. ;)

  • 19 Jul, 2007

    Yeah, I've also got a few of the "Nordea" phishing mails. They are hilarious! I especially enjoy the sender "Nordea fraudkampavdelningen".
    I suppose the spammers would be more successful if they managed to translate it better and avoid dozens of spelling errors in a supposed letter from a large bank.


Reine

About

Reine is a web developer who enjoys caffeine-fueled urban traveling. More...
