One of the most recent examples of why criminals still go "phishing":
The Australian Federal Police have visited
a number of Australian ISPs as part of an investigation into a phishing
scam targeting a US bank, a Canberra-based web-hosting provider has
revealed.
The internet provider's general manager, who asked not to be named, told The Australian
that he contacted the federal authorities after hackers took control of
two of the company's Linux servers and used them as part of a phishing
scam.
[...] Phishing scam operators send thousands
of spam emails purporting to be banks, hoping to lure unwitting
internet users to their mock online banking sites in the hope of
harvesting their login details.
The hosting provider's spokesman said that, in this instance, the phishing scam targeted Citibank customers. [...] "In this instance there were some 7000 emails sent out," the web-hosting provider's spokesman said.
"There were 900 people that had a look at the page and didn't
enter information and 38 people that were silly enough to enter their
details and have it sent off," he said.
In this case, the 38 victims sent their banking details to an email address in Romania, he said.
That's a good success rate. Cast out 7,000 e-mails and reel in 38 victims.
This case demonstrates how truly difficult Internet crime is to stop. The crooks are obviously very tech-savvy, and search world-wide for ISPs whose security is vulnerable to attack. Many of these crooks are located in "kleptocracies" that used to be part of the Soviet Union. Apparently, law enforcement in such places is a bit lax, to put it generously. In this instance, the crooks struck from Romania against Australian ISPs, and the victims are customers of an American bank. They're "in and out" in a hurry.
While the ISP may blame "silly customers" for responding to bogus email messages from crooks, the fact that one-half of one percent of e-mail recipients might be "silly" should be expected. The "phishing" email was obviously sufficiently plausible to induce 13% of the recipients to at least take a look at the bogus web site, but only 4% of those "lookers" took the bait. The more troublesome vulnerability is not human gullibility but the security holes in the ISP's defenses that allowed the takeover of their system to be used for this crime. The ISP's spokesperson admits this but does a bit of backing-and-filling:
"I'm not keen to advertise that the security on my gear was not up to scratch and allowed this to occur.
"I've now increased that security and loaded new versions of the programs that have these exploits.
"There is just so many hours in a day and I can't be sitting on the machines 24 hours, seven days a week to be able to keep up with them."
My response is that if you're running an ISP, SOMEONE better be watching it 24/7/365. Someone other than crooks, that is.




