Thought for the day: Phishing for information

That e-mail from the bank may not be what it seems, says Simon Moores, who wonders where the phishers will try next.

Simon Moores

If you’re a little worried about eating Scottish salmon, then you’ve probably more reason to be concerned by another type of phishing which is on the increase, that of trying to hook bank account details from the unwary.

Last year there was a dramatic rise in the number of phishing attacks against banks, and it’s increasingly hard to find a financial institution that hasn’t been targeted at least once.

Phishing is an attempt to steal a user’s account information. It normally involves redirecting the victim to a bogus website and, frequently, an attempt to install some kind of spyware or key logger on the victim’s personal computer.

My own bank has even taken the sensible step of changing its security to incorporate drop-down dialogue boxes, so rather than typing in my favourite password, I have to select the letters, one by one, to defeat the risk of someone in Riga or Romania capturing my keystrokes.

Most of you reading this are sufficiently security savvy not to be deceived by most e-mail frauds. However, a well-publicised weakness in Microsoft’s Internet Explorer allows a fraudster, through URL encoding, to obscure the name of a bogus website and make it appear to be legitimate, that is unless you bother to take a good close look at the source code link, which very few people would think of doing. 

This is, of course, URL spoofing, and this month’s attempt to deceive Citibank customers arrives with a beautifully crafted message in perfect business English and a credible URL.

The same attention to detail can be seen in the latest bogus Barclays e-mail, which asks, “As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts. You are requested to visit our site by following the link given below.”

This resolves to http://www.newyersm.com:80/1,,logon,00.php but the phishers have encoded the link with hexadecimal escape sequences so that it appears as http://ibank.barclays.co.uk%01%01%01%01%01%01%......... and would deceive all but the most expert and suspicious of customers.
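Here is an added triage example, in Python, that is not code from the article or from any bank: it pulls the real host out of a link like the one above and lists the reasons it should be distrusted. It assumes the Barclays link used the `user@host` URL form that the Internet Explorer address-bar flaw of early 2004 truncated at the first %01 byte (the flaw Microsoft removed with its February 2004 cumulative IE update), so the text before the `@` was all the customer saw. The article only shows the start of that link, so the full form in the code is constructed, and the genuine-looking comparison link is made up for contrast.

```python
# Added example (not from the article): triage a link found in a suspect e-mail.
# Assumption: the Barclays phish used the "user@host" URL form that the 2004
# Internet Explorer address-bar flaw cut off at a %01 byte, so the victim saw
# only the text before the "@". The article shows just the start of the link,
# so the full form used below is constructed.
import re
from urllib.parse import unquote, urlsplit

# C0 control characters and DEL: none of these belong in a host name.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def analyse_link(raw_url: str, expected_domain: str) -> dict:
    """Return the host a browser really connects to, plus findings that
    explain why the link should be distrusted (empty list = nothing found)."""
    parts = urlsplit(raw_url)
    real_host = parts.hostname or ""  # lower-cased, port stripped, user-info dropped
    findings = []

    # Anything before "@" in the authority is user-info, not the host.
    if parts.username is not None:
        findings.append("userinfo-before-host")

    # %-escapes in the authority are a red flag on their own; decode them to
    # see whether control characters were hidden there.
    if "%" in parts.netloc:
        findings.append("percent-encoding-in-authority")
        if CONTROL_CHARS.search(unquote(parts.netloc)):
            findings.append("control-chars-in-authority")

    # Compare the real host with the domain the e-mail claims to come from.
    if not (real_host == expected_domain or real_host.endswith("." + expected_domain)):
        findings.append("host-not-under-" + expected_domain)

    return {"real_host": real_host, "findings": findings, "suspicious": bool(findings)}


def apparent_prefix(raw_url: str) -> str:
    """Model of what the flawed address bar displayed: the decoded URL cut at
    the first control character (an assumption about the 2004 IE behaviour)."""
    decoded = unquote(raw_url)
    match = CONTROL_CHARS.search(decoded)
    return decoded[: match.start()] if match else decoded


# Constructed samples: both hosts are the ones the article quotes, but the
# "user@host" form of the phishing link is assumed, and the genuine path is made up.
PHISH_LINK = "http://ibank.barclays.co.uk%01%01%01%01%01%01@www.newyersm.com:80/1,,logon,00.php"
GENUINE_LINK = "https://ibank.barclays.co.uk/logon"

if __name__ == "__main__":
    for link in (PHISH_LINK, GENUINE_LINK):
        report = analyse_link(link, "barclays.co.uk")
        print(f"shown as {apparent_prefix(link)!r:36} -> really {report['real_host']} {report['findings']}")
```

The useful habit the code encodes is to trust only `hostname` as the parser returns it, never the text a mail client or address bar renders: user-info, percent-escapes and control characters in the authority part are each enough on their own to treat a banking link as hostile.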

It’s a huge problem and there’s no easy solution in sight. Regardless of assurances from his bank, the average person really can’t be sure that what he is reading in his inbox actually comes from his bank anymore. Even the expression, “Safe as the Bank of England” no longer applies following the well-publicised Bank of England e-mail scam just before Christmas.

I doubt it will be long before some bright criminal tries to URL spoof the Inland Revenue. I suspect that if people receive a convincing enough message from that quarter, particularly around the January tax deadline, many would do exactly as instructed and I am only surprised that it hasn’t been tried yet.

Welcome to 2004, the year of living dangerously.


Setting the world to rights with the collected thoughts and opinions of leading industry analyst Dr Simon Moores of Zentelligence.

Acting globally, Zentelligence (Research) advises governments, suppliers, business and the media on the evolution, application and delivery of leading-edge technologies and specialises in the areas of eGovernment and information security.

For further information on Zentelligence and its research, presentation and analyst services visit www.zentelligence.com

1 comment

Phishing techniques are evolving to better trick users who are (perhaps a little too slowly) catching on to the current bag of tricks being used. For example, read this story about a cloud-based phishing kit. URL spoofing can be a difficult phishing approach to detect, especially for less tech-savvy users or those that lag too far behind the curve.