the purplekitten

random musings

this kitten doesn’t like phish

Today, along with most people with email addresses, I received yet another phishing email. It wasn’t a particularly fancy looking email, and it was purportedly from a bank that I don’t even bank with. That’s reassuring in a way, because if I receive spookily targeted phishing emails, I will start to worry. A lot.

It makes me very angry that the banks of this world sit back and let this happen. For example, most of the content of this phishing site was linked directly from the real bank site. Why on earth do the bank sites not validate their referrers? The javascript and stylesheets were both links to the secure site that is actually run by the bank. The banks are making it easy.
Now, what I know and understand about computer security could be written on a whisker, but looking at my webserver logs, my javascript files and css files get called with a referrer of the page that requested them. Surely the banking server could do a simple ‘is this called by me’ thing before serving up the javascript etc?

Okay, so you can reauthor JavaScript and CSS, but that involves more of an effort than simply linking them in. Plus, if you host your own JavaScript/CSS, you are no longer linking to a nice https site and getting the benefit of the padlock appearing on your own phishy site. Not that it is difficult for scammers to get a valid SSL cert these days.
There are probably darned good reasons why banks don’t do this - I admit I don’t know anything about security. But it angers me that these phishing sites are allowed to piggyback off genuine sites in order to steal money/information.

This particular site actually labels the images shown with the stolen customer details, so the bank will have an exact record in its server logs of the people that were scammed. Which just shows how confident the phishers are that the banks can do nothing to stop it.
It’s all very sophisticated, and all very scary. I feel genuinely sorry for the people that do fall for this evil trick, but hopefully there is enough publicity about Bad People that even the terminally stupid might think twice before clicking on random links.
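As an added example (not the author's code; the post names no bank, so the host names and log lines below are constructed placeholders), here is the "is this called by me" check from the paragraphs above, implemented as a Referer test on requests for scripts and stylesheets, plus the same test run over access-log lines so that the hotlinking the post describes stands out in the bank's own logs. A missing Referer is deliberately allowed: browsers, proxies and privacy settings routinely strip it, and the header is supplied by the client, so this is a hotlink deterrent and a detection signal rather than a guarantee.

```python
import re
from urllib.parse import urlsplit

# Hostnames allowed to embed the bank's own scripts and stylesheets.
# Constructed placeholder: the post does not name the bank involved.
OWN_HOSTS = {"online.examplebank.test", "www.examplebank.test"}

# Asset types the post complains about being hotlinked by the phishing page.
STATIC_SUFFIXES = (".js", ".css")


def referer_host(referer):
    """Lower-cased host part of a Referer value, or None if absent or unparseable."""
    if not referer or referer == "-":
        return None
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def classify_static_request(path, referer):
    """Decide how to treat a request for a .js/.css asset based on its Referer.

    Returns 'not-static', 'allow', 'allow-no-referer' or 'deny'.
    An empty Referer is allowed on purpose: Referrer-Policy, proxies and
    privacy extensions strip it, so denying would break real customers, and
    the header is client-controlled anyway. Treat this as a deterrent plus a
    log signal, not as authentication.
    """
    if not path.lower().endswith(STATIC_SUFFIXES):
        return "not-static"
    host = referer_host(referer)
    if host is None:
        return "allow-no-referer"
    return "allow" if host in OWN_HOSTS else "deny"


# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def find_foreign_referers(log_lines):
    """(referer_host, path, client_ip) for static assets embedded by sites other than our own."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if classify_static_request(m["path"], m["referer"]) == "deny":
            hits.append((referer_host(m["referer"]), m["path"], m["ip"]))
    return hits


# Constructed sample log lines, not taken from the post or any real server.
# Lines 3 and 4 model the situation in the post: a look-alike site embedding
# the bank's real script and stylesheet.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2007:10:01:02 +0000] "GET /static/login.js HTTP/1.1" 200 4321 "https://online.examplebank.test/login" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2007:10:01:03 +0000] "GET /static/style.css HTTP/1.1" 200 987 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2007:10:02:44 +0000] "GET /static/login.js HTTP/1.1" 200 4321 "http://examplebank-secure-login.test/index.htm" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2007:10:02:44 +0000] "GET /static/style.css HTTP/1.1" 200 987 "http://examplebank-secure-login.test/index.htm" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2007:10:03:00 +0000] "GET /login HTTP/1.1" 200 12000 "http://examplebank-secure-login.test/index.htm" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, path, ip in find_foreign_referers(SAMPLE_LOG):
        print(f"static asset {path} embedded by foreign site {host} (client {ip})")
```

Run against the constructed log, the two hotlinked asset requests from the look-alike host are reported and the bank's own page and the referer-less request are not; the referring hostname is exactly the value a bank's abuse team would want to see in a daily report, since it identifies the phishing site without needing any of the victim details the post mentions.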

I shudder to think what this site would have done to my poor (Windows) computer, had I opened it in a web browser, instead of just inspecting the html - there were some Very Scary Things in it.
