Phishing and Hacking go 2.0
Goldleaf Technologies, a unit of Goldleaf Financial Solutions, Inc. and a provider of homepage services for financial institutions, had one of its servers
Although Goldleaf and ElectroNet are generally characterizing the incidents as phishing scams, there are some differences between a regular phishing scam and this security breach. Phishing normally entails a spoofed or fake email that claims to be from the bank when it really comes from criminals. The email contains realistic-looking URLs that are really links to malicious web pages. In both the ElectroNet and Goldleaf examples, the actual bank homepage is what redirects you to the malicious site, which could only happen if the bank's site has been compromised. This means there has been a security breach at the website or the server hosting it, and that is more significant than just a phishing scam. The bad guys in this case have combined the two techniques to leverage the usefulness of both attacks.
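To make the distinction concrete from the defender's side, here is an added example (not code from Goldleaf, ElectroNet or this article) of a check an institution could run against its own homepage: take the fetched HTML and the HTTP response headers, and flag any meta refresh, script-block location assignment, frame source, external script or 3xx Location header that sends visitors to a host outside an assumed allowlist of the institution's own domains. The allowlist, hostnames and sample HTML below are constructed for the example.

```python
"""Scan a bank homepage (HTML plus HTTP response headers) for redirects that
send visitors off the institution's own domains.  Added example; the
allowlist, hostnames and sample HTML are constructed, not real data."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the institution legitimately sends visitors to (assumed allowlist).
ALLOWED_HOSTS = {"www.examplebank.test", "online.examplebank.test"}

# Client-side redirects inside <script> blocks:
#   location = "..."; location.href = "..."; location.replace("..."); location.assign("...")
JS_REDIRECT_RE = re.compile(
    r"""location(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)
# The url= part of <meta http-equiv="refresh" content="0; url=...">
META_REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.IGNORECASE)


def _host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_offsite(url, allowed_hosts=ALLOWED_HOSTS):
    """True when url names a host outside the allowlist; relative URLs stay on-site."""
    host = _host_of(url)
    return bool(host) and host not in allowed_hosts


class _RedirectScanner(HTMLParser):
    """Collect every (kind, target) in the page that can move the browser elsewhere."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH_RE.search(attrs.get("content", ""))
            if m:
                self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self.in_script = True
            if attrs.get("src"):
                self.findings.append(("script-src", attrs["src"]))
        elif tag in ("iframe", "frame") and attrs.get("src"):
            self.findings.append((tag, attrs["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; look for location assignments.
        if self.in_script:
            for m in JS_REDIRECT_RE.finditer(data):
                self.findings.append(("js-location", m.group(1)))


def find_offsite_redirects(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the (kind, target) pairs in html that send the browser off-site."""
    scanner = _RedirectScanner()
    scanner.feed(html)
    return [(k, t) for k, t in scanner.findings if is_offsite(t, allowed_hosts)]


def check_http_redirect(status, headers, allowed_hosts=ALLOWED_HOSTS):
    """Return the off-site Location of a 3xx response, or None when it stays on-site."""
    if 300 <= status < 400 and is_offsite(headers.get("Location", ""), allowed_hosts):
        return headers["Location"]
    return None


# Constructed sample: a legitimate-looking page with two injected redirects.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://login-examplebank.test/verify">
<script src="/js/site.js"></script>
</head><body>
<a href="https://online.examplebank.test/login">Log in</a>
<script>
  if (document.referrer) { window.location.href = "http://203.0.113.10/secure/"; }
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, target in find_offsite_redirects(SAMPLE_HTML):
        print(f"OFF-SITE {kind}: {target}")
    print("HTTP:", check_http_redirect(302, {"Location": "http://203.0.113.10/"}))
```

Run against the constructed page, the scanner reports the injected meta refresh and the script-block `location.href` assignment and ignores the institution's own login link and local script; the same check run on a schedule against the live homepage, with alerts on any new finding, is the kind of monitoring that catches a compromised page before customers do.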
John Quarterman, chief executive of Austin, Texas-based InternetPerils Inc., which tracks Internet scams, explained the new ploy this way: while the latest scam may not reap a lot of money from each bank, crooks can do well in the long term by hacking into a lot of little banks.
"If they do this successfully to a few hundred small banks scattered around the world, they can make enough money to retire and disappear," Quarterman said.
While it is commendable that Goldleaf and ElectroNet responded quickly to these incidents, the cover-yourself technique they are employing, using only the word “redirect” instead of admitting there was a breach of security on their servers, may not help consumers realize the danger that exists when websites and servers can be hacked.
While private information wasn't stolen directly from the servers, the trust relationship was exploited, which is harder for consumers to guard against because they went to the website themselves. Having ISPs and web hosts use language that confuses the issue does not help consumers understand the nature of the crime and how best to protect themselves. It makes it seem that consumers have nothing to demand of their banks and other financial institutions in terms of the safeguards those institutions must put in place on their online presence before a consumer should be willing to do business with them, and that isn't the case. There is more to be done, or we are just seeing the tip of the iceberg in this latest hack-and-phish ploy.
Last modified June 01, 2006 03:19 PM