Thursday, November 20, 2008

Phishing web sites

I see many phishing emails because of my job.

The conventional wisdom seems to be to treat phishing email as if it were spam. Just add it to the SPAM filter and forget about it. I don't get it. Spam is a commercial nuisance, but phishing is a deliberate, blatant attempt to defraud people. Blocking subsequent emails won't keep people from falling victim to the emails that already made it through -- nor will it keep other people outside of my workplace from being victimized.

I believe phishing deserves a separate and greater response. This is why I use Phishtank (at home), and am so aggressive (on the job) about reporting phishing emails to the security departments of various organizations that fraudsters like to impersonate. I want to see these phishing sites taken offline; I want to see the perpetrators pursued and brought to justice when possible.

Although I feel sorry for the people who fall for these phishing scams, the people I feel even more sympathy for are the ones who are just trying to run a web site . . . and then discover that someone has violated their server security, and is using their platform on the Internet to rip off and hurt other people.

It goes something like this:

The would-be fraudster finds a web server that he or she can compromise. Maybe they were able to sniff an FTP userid/password over a network connection because it was passed in the clear, or maybe the password was easy to guess or derive because it wasn't a very strong password. The precise method of compromise isn't important, because there's more than one way it can be done. The important point is, they have gained illicit access to the web server -- so they create a fraudulent paypal/bank/IRS website and bury it deep inside a subfolder where no one ever looks, like an images folder. Then they send out emails to large numbers of people with links back to that fraudulent web site, and wait to see how many people take the bait and enter their account information. The person who owns/runs the website in most cases has no idea what is taking place under their noses.
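As an added illustration (not code from the original post, and not a tool the author describes), here is the kind of check a site owner or their IT group could run over a web root to catch exactly the pattern above: HTML or PHP pages sitting inside folders that should only hold images, and any page carrying a password field that is not one of the site's known login pages. The folder names, file extensions, allowlist and the sample tree are my own assumptions, and the sample tree is constructed inline so the script runs offline.

```python
"""Walk a web root and flag pages that have no business being where they are.

Added example, not from the original post. Assumptions (mine, not the
author's): the web root is a directory on local disk, image folders are
recognised by name, and the site's legitimate login pages are listed in
an allowlist so they are not reported as findings.
"""
import re
import tempfile
from pathlib import Path

# Folder names that should contain only images (assumed list).
IMAGE_DIR_NAMES = {"images", "img", "pics", "icons", "thumbs"}
# Extensions that indicate a page rather than an asset (assumed list).
PAGE_EXTENSIONS = {".html", ".htm", ".php", ".asp", ".aspx"}
# A password input is the hallmark of a credential-collecting form.
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)


def scan_web_root(root, known_login_pages=("login.html",)):
    """Return sorted (relative_path, reason) tuples for suspicious pages."""
    root = Path(root)
    allowlist = {Path(p).as_posix() for p in known_login_pages}
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PAGE_EXTENSIONS:
            continue
        rel = path.relative_to(root)
        rel_posix = rel.as_posix()
        # Heuristic 1: a page buried anywhere under an image folder.
        if {part.lower() for part in rel.parts[:-1]} & IMAGE_DIR_NAMES:
            findings.append((rel_posix, "page inside an image folder"))
        # Heuristic 2: a password form that is not a known login page.
        text = path.read_text(errors="replace")
        if PASSWORD_FIELD.search(text) and rel_posix not in allowlist:
            findings.append((rel_posix, "page contains a password field"))
    return sorted(findings)


def build_sample_root():
    """Create a constructed sample web root and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    sample_files = {
        # Legitimate content of a small school site (constructed).
        "index.html": "<html><body><h1>Web design class</h1></body></html>",
        "login.html": '<form><input type="password" name="pw"></form>',
        "css/style.css": "body { font-family: sans-serif; }",
        "images/logo.png": "placeholder bytes standing in for an image",
        # Constructed stand-in for a page hidden inside the images folder.
        "images/.thumbs/signin.html": (
            '<html><body><form action="#">'
            '<input type="text" name="user">'
            '<input type="password" name="pw">'
            "</form></body></html>"
        ),
    }
    for rel, content in sample_files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for rel_path, reason in scan_web_root(sample):
        print(f"{rel_path}: {reason}")
```

Run against a real web root, the two heuristics produce a short list a non-specialist can review by eye; the allowlist is what keeps the site's own login page out of the report, and anything left over is worth a closer look or a comparison against a known-good copy of the site.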

I got to speak with such a person this morning. Nice woman -- runs a small web site for her small school. She teaches kids how to design web sites. She had a vague, conceptual understanding of what phishing was, but I'd be highly surprised if she's received any training on server security. Even if she had, it's unlikely her IT group has given her read access to her FTP logs or uses any encryption with their file transfer protocols. There isn't enough time, resources or skilled people available, and the priorities are always elsewhere.

But here's the thing, people. If everyone shrugs their shoulders and says, "This isn't my problem," then the same stupid cycle is going to keep being perpetuated. And one day, the person who gets fooled and taken for a ride will be you.
