This Column Is a Fraud!

By Larry Seltzer  |  Posted 2006-09-21

Opinion: A simple counter-attack may help sites defend against phishing attacks, but is it really a practical solution?

In August 2004 an innovative phishing attack was launched, not against the usual targets of PayPal and large banks, but against the Kerry for President campaign. The campaign fought back against it, also in an innovative way. Typical of phishing attacks, the e-mail and Web site linked directly to images on the Kerry campaign site. It contained a picture of Kerry's brother Cam Kerry with an appeal for a contribution.

The original phishing e-mail had used a from: address of rather than—note the extra "s" in the name—which was probably of no value to the phisher and, as you'll see, contributed to countermeasures. I'll leave out the other technical guts of the phish—suffice it to say, as you may have already guessed, the money didn't go to the campaign.

The campaign responded quickly though. Since the phishing e-mail directly linked to the image of Cam on the Kerry Web site, site admins replaced that image with one that contained the text "WARNING! If this e-mail is from any address that includes it is not an official e-mail from Kerry-Edwards 2004, Inc. Do not donate using any link in this e-mail."

This is what engineers call an "elegant" solution. A very simple change, using features designed into HTML, forced the attack to reveal itself. Users who opened the e-mail after the change saw clearly that something was wrong with it (unless they followed the common techie advice to turn off graphics in e-mail).


Presumably the site controls its own access to these graphics and can then point users to a new, legitimate version. Note that the Kerry graphic message hedges its bets somewhat by saying not that the site is necessarily illegitimate, but that it is if the mail came from that address. Ironically, this was probably an overly conservative approach by the campaign. But the basic approach should have worked.

Fast-forward two years, and this elegant approach is still almost unheard of in the face of phishing attacks. Then I read about a use of it in Brian Krebs' Security Fix blog in the Washington Post.


Krebs shows an attack against phishing punching bag e-gold. The company responded in the same way, by changing its graphics to declare: "STOP - THIS IS A FAKE FRAUDULENT WEB SITE." Nothing ambiguous there. Anyone who still gets suckered by this site deserves what he gets.

I decided to ask PayPal, which has a near-monopoly on phishing victimhood, why it doesn't take this approach. But even before I got an answer I could see how difficult it could be.

First, there is the sheer scale and manageability of the problem. Doing this the conventional way, with static images, would require constant monitoring of phishing attacks and swapping out whichever images each one hotlinks. On PayPal's scale, this is a serious problem.

The obvious way around this problem is for images not to be static but script-generated, where the script checks the address of the referring page before deciding what to serve. But once again the problem is scale, as this would entail an immense increase in processing load on PayPal's servers. Doing it right means seriously limiting the caching of images, since a cached copy of the wrong image defeats the check.

There is also the problem of legitimate outside linkers. PayPal expressed concern about "the thousands of very small, legitimate businesses that sign up for PayPal every day and add our logo to their sites." It's possible to imagine ways to whitelist such sites, but the process sounds complicated, expensive and failure-prone.
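To make the two approaches concrete, here is a small Python image handler written as an added example for this column; it is not code from the Kerry campaign, e-gold or PayPal, and every host name, path and image payload in it is constructed. It combines the static swap (a set of image paths already replaced with a warning, as Kerry and e-gold did) with the script-generated check of the referring page, a small whitelist of legitimate outside linkers, and no-cache headers so that a cached copy cannot serve the wrong image. It also handles the awkward edge case the column's approach runs into: most mail clients send no Referer at all, so an empty Referer cannot be distinguished from a privacy-conscious browser and is treated here as unknown rather than hostile.

```python
from urllib.parse import urlsplit

# Constructed sample configuration (assumption: a site that hotlinks its own logo).
OWN_HOSTS = {"www.example-payments.test", "example-payments.test"}
# Whitelist of legitimate outside linkers (the small merchants PayPal worried about).
PARTNER_WHITELIST = {"shop.partner-a.test", "partner-b.test"}
# Static approach: image paths that operators have already swapped to the warning
# because a known phish hotlinks them.
SWAPPED_PATHS = {"/img/cam.jpg"}

# Stand-in payloads; a real handler would read PNG files from disk.
LOGO_PNG = b"<constructed bytes: normal logo>"
WARNING_PNG = b"<constructed bytes: STOP - THIS IS A FAKE WEB SITE>"

# Caching must be suppressed, or a CDN/browser cache may hand the logo to a
# phishing page (or the warning to a legitimate one). This is the cost the
# column describes: every image request hits the script.
NO_CACHE_HEADERS = {
    "Content-Type": "image/png",
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
}


def referer_host(referer):
    """Return the lowercase host named in a Referer header, or None when the
    header is missing, not an http(s) URL, or unparseable."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def host_allowed(host):
    """True if the referring host is our own site or a whitelisted partner,
    including their subdomains (matched on a dot boundary, so
    'example-payments.test.evil.test' does not pass)."""
    allowed = OWN_HOSTS | PARTNER_WHITELIST
    if host in allowed:
        return True
    return any(host.endswith("." + domain) for domain in allowed)


def select_image(path, referer):
    """Decide which image to serve for a request.

    Returns (label, body, headers) where label is 'logo' or 'warning'.
    Policy: a path already swapped by operators always gets the warning; a
    request referred from a host outside the whitelist gets the warning; a
    request with no usable Referer (mail clients, privacy settings) gets the
    normal logo, because it cannot be told apart from a legitimate viewer.
    """
    if path in SWAPPED_PATHS:
        return "warning", WARNING_PNG, dict(NO_CACHE_HEADERS)
    host = referer_host(referer)
    if host is not None and not host_allowed(host):
        return "warning", WARNING_PNG, dict(NO_CACHE_HEADERS)
    return "logo", LOGO_PNG, dict(NO_CACHE_HEADERS)


if __name__ == "__main__":
    # Constructed requests: our own checkout page, a partner shop, a look-alike
    # phishing domain, a mail client with no Referer, and a swapped image path.
    for p, r in [("/img/logo.png", "https://www.example-payments.test/checkout"),
                 ("/img/logo.png", "https://shop.partner-a.test/cart"),
                 ("/img/logo.png", "http://secure-login.lookalike.test/paypal/"),
                 ("/img/logo.png", None),
                 ("/img/cam.jpg", None)]:
        print(p, r, "->", select_image(p, r)[0])
```

The whitelist lookup is the part that does not scale to "thousands of very small businesses signing up every day": it has to be maintained as carefully as the image swaps themselves, and every entry on it is a host whose pages are trusted to show the real logo.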

For small sites, even for some not-so-small sites like the Kerry campaign and e-gold, perhaps image-swapping is a practical solution, but not for PayPal. Practical considerations mandate other solutions, none of which appears to be all that effective. This magic bullet missed the big target.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
