Picture a situation where a customer gets tricked into authenticating at the wrong site of company XXX. Would they do business with company XXX after they get scammed, trojan-ized, and spammed to (virtual) death? I doubt so, and as we can also see in the results of a recently released survey on
whether or not customers would do business with retailers who exposed personal data - they'd rather dump them right away.
MarkMonitor just released their first
quarterly Brandjacking Index :
"
The Brandjacking Index investigates trends, including drilled-down analysis of how the most popular brands are abused online and the industries in which abuse is causing the most damage. The report examines the ever-adaptive tactics of brandjackers such as cybersquatting, false association, pay-per-click (PPC) fraud, domain kiting, objectionable content, unauthorized sales channels and phishing. The Brandjacking Index tracks the top 25 brands from the 2006 Top 100 Interbrand study plus additional Interbrand ranked companies for business segment analysis."
The old marketing rule that a dissatisfied customer will share the bad experience with at least five more fully applies here, and given he or she's an opinion leader in their circle - you've got a problem as it's your brand in the domain name. Therefore, despite the companies
developing a market segment for timely and reliably
shutting down phishing sites, the most obvious "cybersquatted" domains shouldn't even be allowed to get registered at the first place. But given the flexibility of registering a domain these days, from a company's perspective, cybersquatting's an uncontrollable external factor, and in order to protect their future flow of "soft dollars" efforts to monitor the domain space are highly advisable.
There're several key techniques you should keep in mind. Cybersquatting, vulnerabilities within the browser to spoof the status bar and make it look like the legitimate page, or a malware infected PC that's basically redirecting all the known E-banking sites to fake ones.
No anti virus, no Ebanking is highly advisable, yet not a solution to the problem, and E-banking site's compatibility with the most popular -- and targeted -- Internet Explorer browser ONLY, turn many precautions into a futile attempt to deal with the problem --
heading in the opposite direction. The question is, which technique is more effective at the end user's perspective, and how should the targeted organizations deal with this indirect form of attack on their brands, reputation and the rest of the "soft dollars" goodies such as favorable PR and stakeholder's comfortability? From another perspective, who's more irresponsible, the unaware end user, or banks whose
web application security ignorance make it easier for phishers to establish trust?
One solution to the problem is shortening the lifetime of such a domain to the minimum by tracking and shutting them down by using a commercial service like this
online trademark monitor, a screenshot of which you can see at the top of the post. Perhaps rather resources-consuming, but
educating your customers for their own safety in times when anyone can register a pay-pal-login.tld domain like through third-party registers,
is another way
to go. Did I mention that
anti-phishing toolbars are a free alternative in case common sense fails -- like it does?
Continue reading →
Following my previous post on OSINT Through Botnets, here's a company that's categorizing Fortune 500 companies whose networks are heavily polluted with malware infected hosts :
RSS Feed