Phishing is getting tougher to spot

I don't know if cybercriminals are trying to boost their revenue streams for early Christmas shopping, but cyberbombs have been landing in e-mail in-boxes and flying onto smartphones via SMS lately.

Ironically, the scariest e-mail of all was recently received by a friend and it didn't come from a Romanian scam-artist or an AFF (Advance Fee Fraud) creep in Nigeria.

It came from his health insurance provider.

Innocuous email

This is a well known UK-based firm that has handled his health insurance (and processed his credit card payments) for almost a decade. He deals solely with his Hong Kong agent—a reputable insurance-broker that handles a number of insurance-providers.

My friend had never received an e-mail directly from the insurance firm, so he was surprised to find this message in his in-box. "Dear XXX," said the e-mail, misspelling his first name. So much for first-impressions. As they sell my friend an expensive annual policy covering emergency medical evacuation across the globe, you would think they'd have his name in their database.

The e-mail explained that when they'd tried to process his credit card, it had expired. This was true—my friend no longer uses that credit card. He forwarded the e-mail to me for my opinion.

A few thoughts, which I dashed off in a response to my friend: Attempting to process a payment on your card without your prior approval (which, if they attempted to run it on an expired card, clearly they did not have) is not good business practice. If they were selling Hello Kitty mobile phone cases, well, maybe not such a big deal. But you're trusting these people with your credit-card information AND your health insurance. Surely there's an expectation of better business practices.

Worse, they included this in the e-mail:

"Alternatively, you can pay online at our website http://www.HTTP.com/X/Y.php"

Take another look at that payment gateway URL. Notice the http address, rather than the https (with Secure Sockets Layer encryption) that you would expect?

Alarm bells were ringing loudly by now, so I asked someone who's good at analyzing online security to check this URL. That person said: "That URL they gave you is fine. It redirects immediately to an SSL site, and the encryption on the SSL site is good."

"However, the SSL certificate on the site you are redirected to is highly suspect," cautioned the person I asked to check the URL. "Although this CLAIMS to be [firm name redacted], the site URL and SSL certificate are for 'secured-url.com'."

"The purpose of the SSL cert is mutual authentication," said my source. "So, while the 'http://' is a red herring, I would still not put my card into this site because the certificate gives no information about, or confidence in, who owns the site."

"I could register '[bogus URL redacted]' and get a valid SSL certificate for it and then use it to pretend to be anybody," said my source. "It'd take about an hour and cost slightly less than US$40."

Knowing this source, while they have the knowledge, they would never do such a thing. They're pointing out what can be achieved through poor online security-practices.
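The check my source did by hand, written up as a helper a defender can run against the certificate dictionary that Python's `ssl.SSLSocket.getpeercert()` returns. This is an added example, not code from the original post; the certificate and the insurer's domain (`insurer.example`) are constructed stand-ins.

```python
# Added example (not from the original post): the check the author's source did by
# hand, as a helper a defender can run against the certificate dict that
# ssl.SSLSocket.getpeercert() returns. All domain names here are constructed.
from urllib.parse import urlparse

# Constructed stand-in for the certificate the redirect landed on: valid, but
# issued to a generic hosting name rather than to the insurer.
SAMPLE_CERT = {
    "subject": ((("commonName", "secured-url.com"),),),
    "subjectAltName": (("DNS", "secured-url.com"), ("DNS", "www.secured-url.com")),
}

def cert_dns_names(cert):
    """DNS names (SAN plus legacy CN) from a getpeercert()-style dict."""
    names = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value.lower())
    return names

def name_matches(host, pattern):
    """RFC 6125-style match: a leading '*.' covers exactly one label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def registrable_domain(host):
    # Naive: last two labels. A real tool would consult the public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def assess_payment_link(final_url, cert, expected_domain):
    """Classify where a payment link lands after redirects.
    Returns (verdict, reason); verdict is 'reject', 'suspect' or 'accept'."""
    final = urlparse(final_url)
    host = (final.hostname or "").lower()
    if final.scheme != "https":
        return "reject", "landing page is plain http; card data would travel in clear"
    names = cert_dns_names(cert)
    if not any(name_matches(host, n) for n in names):
        return "reject", f"certificate names {sorted(names)} but host is {host}"
    if registrable_domain(host) != registrable_domain(expected_domain):
        # Valid certificate, wrong owner: the secured-url.com situation in the post.
        return "suspect", f"certificate is for {host}, not for {expected_domain}"
    return "accept", f"certificate matches {host} under {expected_domain}"
```

A browser only performs the first two checks (https and hostname match); the third, whether the certified name belongs to the company you are paying, is the one a customer has to make by eye.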

Also, the firm in question is reputable. My friend has never experienced less-than-professional service from this health-insurance firm.

Caution recommended

The point: a professional firm can lapse into bad security-practices with ease. Simply fail to keep up with the cyberthreat-landscape and your entire customer-database can be at risk.

And what can happen then? How bad can it get? How about this:

Citigroup acknowledged that in a hack attack in May 2011, about US$2.7 million was stolen from about 3400 customers' credit card accounts—this article explains:

http://money.cnn.com/2011/06/27/technology/citi_credit_card/index.htm

In 2011, Sony said it believed an "unauthorized person" had obtained access to all PlayStation Network account information and passwords, and might have the credit card numbers of the service's 70 million users—this article explains:

http://www.wired.com/gamelife/2011/04/playstation-network-hacked/

Sony's estimated loss from the security-intrusion: 14 billion yen (US$171 million) following the PlayStation Network outage—this article explains:

http://www.wired.com/gamelife/2011/05/sony-psn-hack-losses/

Sony has spent over US$170 million in response to the hacking intrusion. These funds went to rebuilding the network, providing identity protection coverage, investigating the attacks, free game time, and customer support—this article explains:

http://massively.joystiq.com/2011/05/23/sony-loses-3-2b-spends-170m-in-r...

Enterprises taking customer data, especially payment information, must harden their weak points. The potential consequences for them, and their customers, are dire.
