The Critical 'I'

Read. React. Repeat.

Saturday, June 26, 2004

PHISHING, INFECTED WEBSITES, AND THE END OF ECOMMERCE
As if email phishing scams weren't enough to deal with, we now have to worry about legimate sites that get infected.
Thursday's Web site attack is a new direction for online criminals, said Dave Endler, director of digital vaccine for TippingPoint, an Internet security company based in Austin, Texas. "Instead of relying on the typical phishing e-mail scams to social engineer users into visiting malicious spoofed Web sites, these attackers actually went straight to the source and compromised known trusted Web sites in order to infect their visitors," he said.

Joe Stewart, senior security researcher for Chicago-based Internet security firm LURHQ, said that the programs installed on victims' computers were designed to wait until the user visited a Web site like Paypal or Ebay. If the program had worked correctly, people would have seen pop-up screens on their monitors asking them to enter their credit card numbers or other financial data.
It occurs to me that a popup-blocker would prevent this evil little stunt from working. I realize that most online users, reliant on Internet Explorer, are still working the Web without popup blocking; I wouldn't say they deserve to get burned because of that, but they really are asking for a miserable online experience. (Others would argue that using IE at all these days guarantees a miserable online experience.)
"Phishing has moved from an e-mail attack to one that's really being brought to the desktop," Stewart said.
And that's the most disheartening part about it. Email's already become a pain to manage, with spam regularly filling inboxes despite filters. How long before merely visiting websites becomes as much of a pain? I could see sites that don't require any sort of registration or input of personal data being immune to this. But for the Amazons, eBays and banking sites out there, we may be coming to a point where there's little confidence in being able to use them without fear.

Then what? Disposable credit card numbers? Retro-ing back to telephone and postal mail money exchanges? It seems foolish to think of that now, but if things get as bad as they have with spam, I wouldn't be surprised.