Internet / Network Security

Gone Phishing!

From Tony Bradley, CISSP-ISSAP, for About.com

5 Steps For Companies To Protect Their Customers From Phishing Scams

For the most part you can't really blame the institutions targeted by phishing scams. A phishing scam succeeds precisely because the impersonated company has a reputation as credible and trustworthy; it is not through any lax security or flaw on the company's part that users end up falling for it.

However, in most cases the company in question will accept responsibility for money its customers lose. Beyond the direct financial cost, phishing scams confuse customers, drive up the volume of calls and e-mails into the customer service department, and damage the company's otherwise stellar reputation. So companies have a vested interest in protecting both their customers and their hard-earned reputations.

“Companies that are concerned about their customers being attacked with phishing scams should CLEARLY and frequently announce or publish their policy on customer communications. My satellite service provider, for example, sends out an e-mail saying ‘We will never contact you and ask you for credit card information or account information. If there is a problem with your account you can contact us via the support number listed on our website...’ etc.,” according to Marcus Ranum.

Ed Skoudis agrees, and goes into further detail, defining the following five steps that companies can take to protect their customers and make themselves a less attractive target for phishing scams:

  1. Never EVER EVER send unsolicited e-mail to clients asking them for their userID and password, or having them login to the site. They should have a strict policy about this.

  2. Educate your users about the policy above.

  3. Make it easy for users to report phishing scams, and work diligently to get phishing sites shut off. Typically, you can work with the ISP that gives the phishing website Internet connectivity.

  4. Keep your web application secure. We're starting to see Cross-Site Scripting attacks used in conjunction with phishing, so make sure your XSS defenses are sound.

  5. A popular attack lately is to direct the user to a legit site, and then pop a frame up on top of that site that belongs to the phisher. Prevent phishers from popping frames up on top of your legit pages to fool users, by incorporating this script at the top of every page you serve:

    <script>
    // If this page is not the top-level window, it has been loaded inside someone else's frame.
    if (top !== self) { top.location.href = self.location.href; }
    </script>

That wraps up this phishing expedition. Remember to follow these simple security steps and err on the side of caution and hopefully you won’t be the next “phish” on the hook.

©2009 About.com, a part of The New York Times Company. All rights reserved.