Spring brings eternal hope as the saying goes. It also continues to bring Phishing to an email near you. One thing we can say definitely about phishing is that it does not discriminate against any of the seasons; Spring, Summer, Fall and Winter are all desirable. Recently, one of my email addresses has been inundated with phishing emails. They range from re-setting my Facebook account; to shipping details and order tracking for the parcel I have apparently ordered to having to contact my ISP for tech support through a specific URL they provided. Now consider that if one has a Facebook account; they may think the email is legit. After all, Facebook seems to be changing things on a weekly basis and with that want to keep their millions of dedicated users up to date on the changes. 

Imagine an online world where dot EVERYTHING was possible. Now, everything to the right of the dot will no longer be limited to .com, .org, .edu , soon you will see new gTLDs that are dot EVERYTHING. Many financial institutions believe that by creating their own domain extensions for example, “.Barclays” , “.paypal “ or “.bank” can enhance security and customer trust thereby decreasing fraudulent websites.  No doubt, The Internet Corporation for Assigned Names and Numbers (ICANN’s) new gTLD program is going to change the internet landscape. The question that many internet security experts like myself are asking, is how will all this affect phishing and internet scams?  Phishing is one of the top online threats today and has been around for over a decade now. Why haven’t we been able to get rid of phishing sites for good? Cybercriminals continue to gain from phishing sites because it’s easy and simple to launch.  Every attack is built with end-users emotions in mind. The driving force of success of phishing sites are their social engineering components and manipulation of human emotion. Online users still click on malicious links, fall for scams and get drawn in by enticing phishing emails.  RSA’s 2012 statistics reveal 32, 581 attacks happen on average each month, which is a 19% increase globally compared to 2011.[1] According to APWG, financial companies are continually the most targeted industry. The idea behind the new gTLDs and having for example a .bank domain is to ensure online banking customers that they are on a legitimate banking site.

As an Incident Response Analyst, I am often asked the question “what is your average takedown time for phishing sites?” Here’s the truth, there is no “average” takedown time.  The lifetime of phishing sites vary greatly, each phishing attack has different characteristics, sources and potential impact. With that said, the concept of “average” takedown time can be very misleading.

These days, it’s tough to find someone who hasn’t at least been sent a phishing email, let alone responded to one.  Being the go-to computer guy in my family, I’ve had to deal with “can you just look at this email and tell me what you think?” or “Microsoft called me about my computer being hacked, can you come fix it?” on more than one occasion.  And it’s not just my grandparents that I’ve had to educate, but younger family members as well – to support this finding, Norton released their Cybercrime Report last week which showed that Millennials were more likely to fall victim to cybercrime than Baby Boomers.  To think, here I was worried about old dogs learning new tricks, when the new dogs were the ones that needed the most help.

Norton says that cybercrime cost $110 billion over the past 12 months – quite the lucrative venture, it seems, especially when you fail to see much in the way of prosecuting the offenders.  We’ll occasionally hear about some high-profile carder or malware author’s arrest, but it seems that owners of file-sharing companies are of greater importance to law enforcement.  Perhaps the banking associations need to hire the MPAA’s lobbyists.

Sports events are frequently used as social engineering lures for scams and the 2012 Olympic Games are no different. Over the past few months scammers have been rallying in an effort to steal as much money and information as possible from unsuspecting victims before the start of the 2012 Olympics.

I’ve been handling phishing takedowns for over 5 years now, and sat in on many client or prospect meetings.  The client meetings are often straightforward – review of the past year, recommendations for moving forward – and allow us to demonstrate to our clients just how effective we are at our jobs.  In the prospect meetings, we usually start by talking about the issues that the prospect is facing, but what I’m really interested in is hearing about the different strategies employed by companies to deal with online fraud – and some of these perspectives have really been surprising.

Most businesses today understand the need of having their own website, but most of those businesses don’t monitor their websites and even more don’t know how to react when their sites have been compromised.

March is Fraud Prevention Month. Whether it is identity theft, phishing, online shopping, social media scams, or credit/debit card fraud, there are always victims and unaware accomplices who fall pray to big international crime organizations. The goal of Fraud Prevention Month is to increase awareness and educate public and private companies to avoid the criminal’s attempts so they can do no harm.

Mashable.com has recently reported that Google, Yahoo, Microsoft and AOL have put their differences aside and come together to create DMARC.org – the Domain-based Message Authentication, Reporting & Conformance. It will provide consistent authentication results across their email services: Gmail, Hotmail, Yahoo Mail and AOL.