Phishers finding new ways to con visitors to retail sites

Phishers finding new ways to con visitors to retail sites

Phishers and spammers are getting more creative in using copy and creatives hijacked from legitimate web sites, including online retail sites, to con consumers into divulging sensitive information such as account numbers, says Rick Buck, director of privacy and ISP relations at e-mail services provider eDialog Inc. "People are getting very creative about being tricky," he says.

The purloined material gives phishers' and spammers' e-mails the appearance of legitimacy, and many consumers respond thinking they're dealing with the actual retailer. That enables the crook to validate the e-mail address for use in a later scam or embed technology on the consumer's computer that captures keystrokes or other important data that can be used in identity theft or other types of fraud, Buck says.

One method used by crooks is to subscribe to a retailer's e-mail newsletter. "The first e-mail that comes to them has a whole bunch of important information for the phisher or spammer to use," he says. That includes all the content in the retailer's newsletter, commercials and advertising as well as legitimate header information, such as domain addresses.

"What will happen is you might get an e-mail that looks like it's coming from a major retailer because the actual technical message header looks like it comes from," Buck says. "But the advertising you see is for bootleg pharmaceuticals, bootleg or fake jewelry, body enlargement parts, or pump-and-dump schemes."

While there are no steps retailers can take to totally prevent this type of fraud, they can put a dent in it by authenticating with all the leading authentication technologies, such as Sender Policy Framework, or SPF; Sender ID Framework, or SIDF; and Domain Keys, Buck says.

"The good news is that if you're doing those things, then it becomes a lot more difficult for your brand to be successfully phished," Buck says. "The bad news is that there is no ubiquity on the receiver's side-the Inter service provider side-that they're actually looking for those things. If 100% of the ISPs were actually checking for authentication, things like this would fail the vast majority of the time."

Consumer education also can play a role in preventing these types of phishing and spam schemes, he says. Retailers can post on their sites information on what their customers should look for to determine whether an e-mail is legitimate. They also can refer consumers to their sites' privacy pages, where the retailers' domain names and IP addresses are listed.

While phishing and brand attacks are not yet having a large impact on retailers, they have the potential to create major problems, Buck says. "Retailers need to go that extra mile to make sure they're covering themselves," he says.

Internet Retailer - March 30, 2007