Exactly who’s gone phishing??

I AM BAFFLED by the fact that giant software publishers have not addressed phishing any sooner or any better.

First, let’s take a few steps back and consider (or recall) what phishing is.

Let’s pick a Malicious Internet Villain, whom we’ll refer to as MIV.

  • MIV wakes up one morning and decides to rob money from internet users. First, MIV sets up a web site that replicates that of a well-known financial institution. His fake web site, like the real one, will ask people for their username and password to log on. But instead of allowing users to access their real accounts, which it cannot do, it will simply record the username and password, and then display some random error message saying that the web site is currently undergoing some changes to make it more impressive.
  • Then he writes an e-mail and sends it to random people, telling them to log on to their financial institution’s web site and check their new bill. The email contains a link to MIV’s fake web site, displaying the address of the real web site of the financial institution. The link will display as “www.my_financial_institution.com” but, when clicked on, will actually go to “www.my_financial_instition.com” (notice the “instition” instead of “institution”) – the fake web site. The link is dead simple to create, by the way. Here it is: https://www.my_financial_institution.com.

Let’s now pick an Innocent Rich Victim, IRV.

  • IRV gets back from work after a long day, sits down at her computer to read her personal email, and stumbles upon MIV’s email. In an unstoppable urge to pay her bills, IRV clicks on the handy link. She does not think twice when her browser displays her well known financial institution’s web site, and enters her username and password. Then she sees the error page and goes back to read her other emails.
  • In the meantime, her username and password have been recorded in MIV’s database. MIV smirks, logs on to IRV’s account, smiles in delight at the size of IRV’s balance, transfers everything to his offshore account, and books a flight to the moon for his neighbor’s noisy cat.

Even if you are not a software engineer, you can see that it would not be very complicated for IRV’s email software to scan each incoming message and notice that a displayed address (the good one for the financial institution) does not match the link’s actual destination (the fake web site). The software could then either block the link or alert the user.
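The check described above, as an added example (not code from the original post or from any mail client): it parses the anchors in an HTML message body and flags any link whose visible text looks like a web address but whose href points at a different host. The message body and domain names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body in the style of MIV's e-mail: the visible text
# shows the real institution's address, the href goes to the look-alike
# domain (hypothetical names, not real sites).
SAMPLE_EMAIL = """
<p>Please log on and check your new bill:
<a href="https://www.my_financial_instition.com/login">www.my_financial_institution.com</a></p>
<p>Questions? See <a href="https://www.my_financial_institution.com/help">our help page</a>.</p>
"""

def _host(value: str) -> str:
    """Lowercase host of a URL or bare domain; '' if none can be found."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html: str) -> list:
    """Return (shown_host, real_host) for every link whose displayed text
    is itself an address that disagrees with where the link really goes."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        # Plain words like "our help page" are not judged; only address-like text is.
        if not re.fullmatch(r"(https?://)?[\w.-]+\.\w+(/\S*)?", text):
            continue
        shown, real = _host(text), _host(href)
        if shown and real and shown != real:
            suspicious.append((shown, real))
    return suspicious
```

Running `find_mismatched_links(SAMPLE_EMAIL)` on the sample returns the one deceptive link, which a mail client could then block or annotate before the user clicks.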

Of course, what I presented was a simple scenario. “Phishers” use somewhat more complex techniques to trick even more advanced users. But what I described can still be used today and there are still no fixes in widely used email software. Since we get Microsoft updates every week or so, how come this little change has still not made it into Outlook yet? Or in omnipresent web mail such as gmail or yahoo!?

Exactly who’s gone phishing?
