This morning I spotted an unusual phisher in my inbox, using "We've changed our privacy policy" as the lure. It came from a site I didn't immediately recognize, with a classic phisher call to action "Visit your profile page by logging into your account" and with displayed hyperlinks differing from the actual URLs. The alarm bells rang inside my little head, thinking that the phishers had found another cunning lure.
Except that on closer inspection, this one appeared to be a legitimate email, not a phisher after all. The company in question had changed its website privacy policy and was changing its branding to reflect its parent company, hence the change of URL.
I won't name and shame the specific company that sent the pseudo-phisher email to all its customers because doing so would not be helpful. Most of us will have seen many similar examples, including some from banks and other financial institutions and even (on several occasions that I know of) trade bodies representing information security professionals - organizations that really should know better.
A study by the University of Michigan into design flaws in online banking sites was widely reported last week, although it took some hunting to find the source. Analyzing Websites for User-Visible Security Design Flaws by Falk, Prakash and Borders reports that 76% of 214 US financial institution Web sites surveyed at the end of 2006 had at least one design flaw, such as embedding SSL login frames within non-SSL pages so the padlock icon is not displayed, and non-SSL-protected 'contact us' pages. The report provides some guidance on using wget to identify flaws of this nature automatically - a simplistic technique. It's a shame they didn't cite any of Gary McGraw's excellent work in this area.
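To make the kind of check the study describes concrete, here is an added example (not from the post, and not the Falk/Prakash/Borders tooling) that audits a saved HTML page offline for the user-visible flaws mentioned above: a password form on a non-SSL page, a login form posting to a non-SSL action, and an SSL login frame embedded in a non-SSL page. It also flags the cue that tripped the alarm in the opening email, a link whose visible text names a different host than its href. The hostnames, the function names and the two sample pages are all constructed for the example; nothing is fetched from the network.

```python
"""Added example: offline checker for user-visible security design flaws.
Standard library only; sample pages below are constructed, not real sites."""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin


class PageAuditor(HTMLParser):
    """Collect forms, iframes and anchors from one HTML document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_https = urlparse(page_url).scheme == "https"
        self.forms = []      # dicts: action URL, whether a password field is present
        self.iframes = []    # absolute src URLs of embedded frames
        self.anchors = []    # (absolute href, visible text) pairs
        self._form = None
        self._anchor = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "iframe":
            self.iframes.append(urljoin(self.page_url, a.get("src") or ""))
        elif tag == "a":
            self._anchor = [urljoin(self.page_url, a.get("href") or ""), ""]

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor[1] += data

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "a" and self._anchor is not None:
            self.anchors.append(tuple(self._anchor))
            self._anchor = None


def audit_page(page_url, html):
    """Return a list of (flaw_code, detail) tuples found in the page."""
    p = PageAuditor(page_url)
    p.feed(html)
    p.close()
    flaws = []
    for f in p.forms:
        action_https = urlparse(f["action"]).scheme == "https"
        if f["has_password"] and not p.page_https:
            # Login form served over HTTP: no padlock, so the user cannot verify the host.
            flaws.append(("login_on_http_page", f["action"]))
        if f["has_password"] and not action_https:
            # Credentials would be posted in the clear whatever the page scheme.
            flaws.append(("login_posts_to_http", f["action"]))
    for src in p.iframes:
        if not p.page_https and urlparse(src).scheme == "https":
            # The study's classic case: an SSL login frame inside a non-SSL page.
            flaws.append(("https_frame_in_http_page", src))
    for href, text in p.anchors:
        shown = text.strip()
        # Only compare when the visible text itself looks like a URL or host name.
        if shown.lower().startswith(("http://", "https://", "www.")):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
            if shown_host and shown_host != urlparse(href).hostname:
                flaws.append(("link_text_host_mismatch", f"{shown} -> {href}"))
    return flaws


# Constructed sample: an HTTP page with an HTTPS login frame, a login form that
# posts over HTTP, and a link whose visible text disagrees with its href.
SAMPLE_HTTP_PAGE = """
<html><body>
<iframe src="https://secure.example-bank.test/login"></iframe>
<form action="http://www.example-bank.test/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="http://www.example-group.test/privacy">www.example-bank.test/privacy</a>
</body></html>
"""

# Constructed sample: the same page done properly, everything on HTTPS and no mismatch.
SAMPLE_HTTPS_PAGE = """
<html><body>
<form action="https://www.example-bank.test/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="https://www.example-bank.test/privacy">www.example-bank.test/privacy</a>
</body></html>
"""

if __name__ == "__main__":
    for url, page in [("http://www.example-bank.test/", SAMPLE_HTTP_PAGE),
                      ("https://www.example-bank.test/", SAMPLE_HTTPS_PAGE)]:
        print(url, audit_page(url, page) or "no flaws found")
```

Run it as a script and the first sample reports four flaws while the corrected sample reports none. To audit a live site you would fetch each page with wget (as the study suggests) and feed the saved HTML plus the URL it was fetched from into audit_page; the page scheme matters, because the same form is fine on an HTTPS page and a flaw on an HTTP one.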
UMich dedicates a section of its website to phishing and other forms of identity misrepresentation and theft. UMich students have previously been targeted by phishers, at least once using the University of Michigan Credit Union as a lure.
Anyway, I didn't click any of the links in that pseudo-phishing email and encourage others to be equally cautious with all emails.
Kind regards,
Gary
Gary Hinson
Passionate about security awareness
www.NoticeBored.com Creative awareness materials
www.ISO27001security.com ISO/IEC 27000 standards