A service designed to trawl for fraudulent web sites before they can be used to trick people into handing over financial information has been launched.
Financial fraud involving fake web sites has become common over the past year – a practice dubbed “phishing”. Victims typically receive an email telling them they must enter their banking information using a web link included in the message. This connects to a fake site designed to mimic that of a real bank. The site’s domain name will often include the bank’s name in order to appear genuine.
Some anti-virus companies already offer to identify phishing emails once they arrive in an inbox. But UK company Netcraft believes it could spot potentially dubious sites before this can happen.
Netcraft already provides statistics to the industry on the software and hardware used to host different web sites. As part of its data collection, the company monitors the internet’s domain name system (DNS), a distributed record of all registered site names. Netcraft also keeps a copy of the front page of every unique site it can find, about 20 million in total.
Once a company signs up for the new anti-fraud service, Netcraft will scour its copies of the internet’s DNS records for suspicious entries containing their name. This could be in the domain name itself, for example http://www.bankofengland1.co.uk or in a sub-domain, like http://bankofengland.bankingservices.co.uk.
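The two patterns above (the brand inside the registrable domain, and the brand as a subdomain label of someone else's domain) are the core of such a screen. The following is an added example written for this article, not Netcraft's code: it splits each hostname into subdomain labels and a registrable domain using a deliberately tiny stand-in for a public suffix list, skips anything under the brand's own domains, and reports where the brand name was found. The suffix set, brand string, legitimate-domain list and sample hostnames are all constructed for the example.

```python
"""Flag hostnames that embed a brand name outside the brand's own domains.

Added illustration of the DNS-name screening described in the article;
not Netcraft's code. Suffix list, brand, allowlist and sample hosts are
constructed for the example.
"""
from dataclasses import dataclass

# Constructed, deliberately tiny stand-in for a real public suffix list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

# Constructed: the brand string to look for and the domains the brand owns.
BRAND = "bankofengland"
LEGITIMATE_DOMAINS = {"bankofengland.co.uk"}


@dataclass(frozen=True)
class Finding:
    hostname: str
    registrable_domain: str
    where: str  # "registrable-domain" or "subdomain"


def split_host(hostname):
    """Return (subdomain labels, registrable domain) using PUBLIC_SUFFIXES.

    Accepts bare hostnames or URLs, so entries from a feed can be passed
    straight in; scheme and path are stripped, case is folded.
    """
    host = hostname.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].rstrip(".")
    labels = host.split(".")
    # Walk from the full name down: the first hit is the longest suffix,
    # so "co.uk" wins over "uk" and "bankofengland1.co.uk" is the domain.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return [], host  # bare suffix, nothing registrable
            return labels[: i - 1], ".".join(labels[i - 1 :])
    # Unknown TLD: fall back to the last two labels.
    return labels[:-2], ".".join(labels[-2:])


def screen(hostname, brand=BRAND, legitimate=LEGITIMATE_DOMAINS):
    """Return a Finding if the brand appears in a name the brand does not own."""
    subs, registrable = split_host(hostname)
    if registrable in legitimate:
        return None  # the brand's own domain, including its subdomains
    if brand in registrable.split(".")[0]:
        return Finding(hostname, registrable, "registrable-domain")
    if any(brand in label for label in subs):
        return Finding(hostname, registrable, "subdomain")
    return None


def screen_all(hostnames, brand=BRAND, legitimate=LEGITIMATE_DOMAINS):
    """Screen a batch of names and keep only the hits."""
    return [f for f in (screen(h, brand, legitimate) for h in hostnames) if f]


# Constructed sample, modelled on the two patterns the article gives,
# plus legitimate names that must not be flagged.
SAMPLE_HOSTS = [
    "http://www.bankofengland1.co.uk",
    "http://bankofengland.bankingservices.co.uk",
    "www.bankofengland.co.uk",
    "secure.bankofengland.co.uk",
    "example.com",
    "BankOfEngland-login.com",
]

if __name__ == "__main__":
    for f in screen_all(SAMPLE_HOSTS):
        print(f"{f.where:19} {f.hostname} -> {f.registrable_domain}")
```

In practice the suffix set would be the full Public Suffix List, and the allowlist every domain the brand genuinely registers, including marketing and third-party hosted ones; a plain substring match like this also misses homoglyph and misspelling variants, which need a separate check.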
Customer feedback
As part of the same service, Netcraft will search through the front pages it has collected for any suspicious uses of a company’s name. And the company will also search through all spam that it catches for possible phishing stings.
“It gives you the opportunity to try to pre-empt attacks,” Netcraft director Mike Prettejohn told New Scientist. He says that the service will cost on average about £10,000, but adds “the cost will vary according to the service a customer wants”.
“I think it’s a great idea,” says Chris Wysopal, vice president of research for US computer security firm @stake. “What you need to do is detect this and shut it down as quickly as possible.”
Wysopal adds that most efforts to stop phishing have been less pre-emptive. “Most banks are relying on the customers to inform them when they get an email linking to a dubious site,” he says.
In October 2003 a number of UK banks were targeted by phishing fraud. Some were even forced to take their real web sites down temporarily.
More recently, in December, the Bank of England was the target of another email scam. This did not involve a bogus web site. Instead, victims were told to run an attached program. Experts suspect this could give an outsider control over the target’s computer.