Security, Crypto, and Random Topics
Why is there phishing? 
3rd-May-2006 08:09 am
I read a lot of articles about phishing. People write and talk about how you can protect yourself, cite stats on the number of attacks per month, and the cost to the economy.

But I don't hear one really important question: Why does phishing exist?

One reason is that your bank, broker, and favorite online stores fail to use SSL throughout their site. If sites that hold my important data and have access to my money used SSL everywhere on their site, I'd be able to tell if I was at the right web site by looking at the lock icon. (And yes, phishers would move to SSL, but then we'd have a chance to catch them, and to improve the CA issuance processes as a bonus!)

Another reason phishing exists is that companies outsource their marketing to third parties. In doing so, major companies mimic all the major elements that point to phishing. They make it impossible for even a security-aware individual to tell phishers from real companies. Again, it's not that phishers are acting like real companies, it's that major companies are acting like phishers.

Here's a great example. I got an email today that claimed to be from the organizers of the RSA Security Conference. It wants me to sign up for an online class. That sounds fine, but look at the URL I'll go to when I visit the web site:

The URL that I'm about to click on looks like this:
https://rsasecurity1.rsc03.net/servlet/cc5?jkHQUYSUQUVI
I've never heard of this rsc03.net before. It's certainly not the same as rsasecurity.com. So can I trust it?

I clicked on the link, and was indeed brought to an SSL-enabled web site. The site then proceeded to ask me for lots of personal information. That's pretty suspicious.

Then I decided to look at other URLs in the email to see what I could find. Here's what the footer says:
RSA Security respects your online privacy. This email is being sent to people who've recently inquired about RSA Security products, services or events. You can view our e-mail policy here: http://www.rsasecurity.com/node.asp?id=2470
But when I click on the link, it takes me to
https://rsasecurity1.rsc03.net/servlet/cc5?jkHQUYSUQUVIthj
It claims it will take me to a domain I trust (rsasecurity.com), but actually takes me to a domain I've never heard of before (rsc03.net). It must be a phishing attack, right?
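The two clues above (a link whose visible text names rsasecurity.com but whose href goes to rsc03.net, and a mail whose links all leave the sender's own domain) can be checked mechanically before anyone clicks. The following is an added example, not the author's code; it uses only the Python standard library and runs over a constructed HTML fragment modelled on the footer described above (same hosts and paths as quoted in the post, but the markup itself is made up). The last-two-labels rule in registered_domain is a deliberate simplification that a real tool would replace with a public suffix list lookup.

```python
"""Flag e-mail links whose visible text names one domain while the href
points at another, and list hosts that are not the sender's own.
Added example, not the blog author's code. SAMPLE_HTML is constructed
to mirror the RSA mail described in the post."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a footer link labelled with the sender's domain that
# actually goes to a third-party tracking host, plus two ordinary links.
SAMPLE_HTML = """
<p>RSA Security respects your online privacy. You can view our e-mail
policy here:
<a href="https://rsasecurity1.rsc03.net/servlet/cc5?jkHQUYSUQUVIthj">
http://www.rsasecurity.com/node.asp?id=2470</a></p>
<p><a href="https://rsasecurity1.rsc03.net/servlet/cc5?jkHQUYSUQUVI">Register for the online class</a></p>
<p><a href="https://www.rsasecurity.com/">RSA Security home</a></p>
"""

# Matches a URL or bare hostname inside the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registered_domain(host):
    """Crude 'organisation' part of a hostname: its last two labels.
    Simplifying assumption; wrong for ccTLDs such as .co.uk, where a
    public suffix list should be used instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html):
    """Return (href, text, text_domain, href_domain) for each anchor whose
    visible text names a domain other than the one the href really goes to.
    Anchors with plain-word labels have nothing to compare and are skipped."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        m = DOMAIN_RE.search(text)
        if not m:
            continue
        text_dom = registered_domain(m.group(1))
        href_dom = registered_domain(href_host)
        if text_dom != href_dom:
            findings.append((href, text, text_dom, href_dom))
    return findings


def third_party_hosts(html, trusted_domain):
    """Sorted hosts of every link not under the sender's registered domain:
    the 'never heard of this domain' check from the post, automated."""
    parser = LinkCollector()
    parser.feed(html)
    return sorted({
        urlparse(h).hostname for h, _ in parser.links
        if registered_domain(urlparse(h).hostname or "") != trusted_domain
    })


if __name__ == "__main__":
    for href, text, td, hd in find_mismatched_links(SAMPLE_HTML):
        print(f"MISMATCH: text says {td}, link goes to {hd} ({href})")
    print("third-party hosts:", third_party_hosts(SAMPLE_HTML, "rsasecurity.com"))
```

Run it as a script to see the footer link reported as a mismatch and rsasecurity1.rsc03.net listed as the only host outside the sender's domain. The mismatch check is the one that matters most: a link whose label is itself a URL for a different site than the href is exactly the pattern a phisher uses, and as the post points out, a legitimate marketing mail that does the same thing is indistinguishable from that by this test alone.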

The sad thing is that I'm pretty sure this is a real email, and not a phishing scam. (The clumsy mail verification link at the top of the page gives me very little confidence.) But given all the clues to the contrary, it's a real gamble. Sadly, when companies start to act like phishers, they inadvertently train us to not look at the lock icon, to type our passwords into pages with no SSL, to not inspect the URLs we're about to visit. And when the organizers of the world's biggest security conference make these mistakes, how can I reasonably hold my online bookseller to a higher standard?

I'm ready for a change.
Comments 
29th-Mar-2007 05:03 am (UTC)
I just want to say thank you again for posting these.

I am a curious person, so when I stumble across a random person's LJ, I look at the profile and the userpics and take a peek at the journal entries themselves, also. Your journal seems to be about mostly technical, security-type stuff. I saw you had a tag for phishing, which is a topic of much interest to me because I have been phished. Fortunately it was only to a junk Yahoo email account and there would have been no way to get actual personal information from it. I am still trying to learn as much as possible about phishing and am grateful for your posts. :)