Phishing Defenses are Pharcical

I have just been attacked with a very sophisticated email phishing program purportedly representing SunTrust and then MBNA Bank Corporation. The attack was from Romania. The deviousness was aided and abated by Microsofts OutLook Express and Internet Explorer which allowed active popup components to close down all Close Windows and Close Dialog buttons. So users only choice to get rid of the phishing dialog would appear to be the Confirm button on the dialog – which, if pressed, may have sent back all sorts of info garnered from my workstation. I had to start task manager to kill the several Phishing attack processes. A later virus and then spyware scan found more suspect trojans. This was a very nasty attack.

NO Help from SunTrust or MBNA Bank Corporation

Even more disturbing was the lack of help from either financial institution used as a Phishing Front (SunTrust and MBNA Bank Corporation respectively) to report the incident to and/or get advice as to how to defend against it in the future. SunTrust had a “report the email fraud attempt” web page. But it was laughable. SunTrust required more detailed information than the phishers to report the crime. There was no simple address where I could dump all the info such as screen picture capures and related email files. But give SunTrust some credit – they did have an 800 number which was only available in the US. Finally I called their general 800 number – and was able to report the crime and get an email address, ecommerce.risk@suntrust.com to send the $Dump to. I also learned that this phishing attack had been encountered by many others and was about two weeks old.

If SunTrust was laughable, MBNA was despicable. Here is a company that makes the bulk of its money from Credit Cards and electronic commerce. You would expect that such a company would recognize the need to defend the security and integrity of its primary means of liveliehood. You would expect that they would have a sophisticated security and risk operation and its services would be posted on MBNAs website. Nope. No parties to report to. Just send us a snail mail. Because the nasty dialog was listed (c) MBNA Bank Corporation 2004 and the phishing attack was two weeks old, MBNA should have more than a general snail mail item. Nothing at all was to be found in the News and Press releases. And in fact there are absolutely no email addresses whatsoever. No place and nobody to report to. Not even the board of directors. Not good for a company so “committed” to eCommerce and automated financial transactions.

Not Much Help from Authorities

Since I could barely contact the two major financial institutions implicated in the phishing attack , maybe reporting the Internet phishing attack to the Federal authorities would help. No such luck. The RCMP (the Royal Canadiam Mounted Police that always get their man) did have an Internet crime web page. But it was pre-occupied with the Nigerian phako solicitations for money transfers and child porn. Everything else (and I am not kidding)was redirected towards the website www.thephonebusters.com. There was simply no place to report a Phishing or other general Internet fraud incident, except again by snail mail. The FBI was glad to take my info – oops I had to be from one of the 50 states – and again they asked for so much info it was intimidating. So much for the authorities. So criminals are flooding in and doing things cross borders (Spammers and phishers attack from outside the country) because they know that the authorities jurisdiction and interest in cases that cross borders falls off catastrophically. Criminals count on that.

WWW=Wild Wily Web

At the 4th year of the 21st century 60 going on 70 percent of eMails are spam or phishing expeditions. Ever more sophisticated spyware is flooding through on emails and virus drops. A friend lost her business to Denial of Service attacks. An informal poll in our VBA class identified Windows in particular and system software in general as being part of the problem … and many dreaded any proposed Microsoft solution as being Draconian opportunism (this correspondent was taken aback expecting a much more partisan and favorable to Microsoft sentiment). Viruses attack every computing device particularly connected/networked devices from handhelds through workstations to major servers. The Web , as it grows ever so vital and useful also is becoming ever more read-only. That is to say information-only uses through Google and the Search engines remain largely risk free; however transactional and especially eCommerce transactions including those done through eMail have become very much more vulnerable to hold up and attack.

And the response of the stakeholders has been astonishingly … uhhh not demur, more vacuous as if they were say saying, like the Vancome Lady on MAD/TV – lalalalalala I dont hear a thing lalalalalala I dont want to hear a thing lalalalalalalalalalalalalala ….. Look at the corporate response to serious phishing attacks. Look how the various law enfoircement agencies ARE NOT organizing for serious cross border Web crime. See the major ISVs ducking for EULA and licensing cover or maneveuring for proprietary competitive advantage. See the standards agencies with no financial muscle (why W3C were not given the rewards of domain licensing and it was spun off as a private venture money bags monopoly – this party will never understand)are powerless to patrol the Web lanes. With financial clout, the standards bodies could at least enforce their own rules and standards such that many current web attacks and spamming would be more difficult. But no.

I know every yen must have its yank back, its come uppance, its exploiters, its disease. I know the Web is brilliantly resilient and self-repairing. But be honest – did you expect such a pervasive wave of corruptors so quickly ? And such a vacuous or self-interested response from so many of the stakeholders ?

(c)JBSurveyer