How to Boot Cybersquatters
The Solution: Protect Your Brand Name and All Variations
Bank and credit union customers are at risk of falling victim to the classic and growing Internet scam known as cybersquatting.
Cybersquatters are entities that register Web addresses remarkably similar to those of well-known companies, institutions or products. Known cybersquatting sites include dellcomputersystem.com instead of dell.com, samslcub.com instead of the correctly spelled samsclub.com, and vvachovia.com (two v's standing in for a w) instead of wachovia.com.
The aim of a cybersquatter is to divert Internet traffic from the legitimate site to the fake one and make money from it, either by selling the unsuspecting visitor something (and possibly stealing their credit card or bank account information in the process) or by filling the site with pay-per-click advertisements.
While cybersquatters most often target big-name corporations and banks, the smaller your institution is, the more you stand to lose relative to your financial holdings and brand reputation.
"Cybersquatters are getting more sophisticated as they are trying to take advantage of consumers," says Alan Drewsen, executive director of the International Trademark Association (INTA). "As the number of domains increases, it just increases the possibility of this fraudulent behavior."
The "sophisticated" tactics include cybersquatter-controlled sites designed to look like bank Web sites that trick consumers into revealing sensitive personal information, as well as phishing, the use of fraudulent e-mails to drive traffic to those fake sites. Noted information security and phishing expert Dr. Markus Jakobsson of Indiana University has studied several cases of this sophisticated cybersquatting over the past several months. He says that even larger institutions have to pay attention to this problem and to the ways phishers could usurp an institution's brand.
To bring the problem of cybersquatting to light, five Fortune 500 companies and INTA members, including Microsoft Corp., Dell Inc., Time Warner Inc., Wal-Mart Stores Inc. and Yahoo! Inc., filed legal actions in September against a total of 22 cybersquatting operations.
Cybersquatters target consumers and businesses alike. Some key facts:
- Disputes relating to cybersquatting increased by 25% over the last year, according to the World Intellectual Property Organization (WIPO).
- A recent poll by Harris Interactive reported that 30% of respondents are limiting online transactions, and 24% are limiting online banking, due to potential fraud.
- According to Gartner, Inc., the average phishing victim was defrauded of US$1,244 in 2006.
Register More Than Your Domain
Most institutions, when they began their foray into online banking and establishing an Internet presence, bought only the institution's own domain name. Bank domains such as Chase, Citibank and Washington Mutual were all quickly acquired by the respective institutions, Jakobsson notes.
When phishing became prevalent, he says, certain institutions became wiser and also purchased the domains that their customers would plausibly believe were legitimate.
“A bank like Chase really needs to register chase-alerts.com, and alerts-chase.com, and they own these two domains,” he says. “Because if they don’t, these domains will seem incredibly plausible to a user who receives an e-mail appearing to come from Chase, and having these links embedded.”
For example, he adds “Assume that Chase did not own these, and I want to register them and I was a phisher, then I could send you an e-mail that would seem incredibly plausible to you, and ask you to follow these links. As you arrive at the target, of course, it would look like a Chase banking site. And so, this is about the features of the financial institutions.”
Consider All Angles
Institutions should also consider advertisements of new services as an attack angle phishers will target. One lure Jakobsson theorizes phishers could mount might say, “Look, we at Citibank are very proud of our new services, and we know you’re not banking with us, but we would like you to switch. If you switch today, we will match what you put into your account up to the first hundred dollars. And, in order to transfer money, you can follow this link, and just take it directly from your bank.”
This way, of course, the phisher achieves two goals. “First, he doesn’t need to target Citibank customers. Normally, the phisher has to know who they are targeting, or just be lucky, but here they are targeting everybody, except those who are with Citibank. So they get a much larger portion of the recipients who find it plausible. And second, they, of course, get the account number, or other information that allows them to take money out of the existing account. They’re not trying to establish an account with Citibank, and they’re not worried about credentials that the user gives in order to establish this account. What they want are the credentials on the account from which the user, supposedly, would transfer the funds.”
He continues with his cautionary tale: “Some time ago, Bank One was acquired by Chase. And this became a very vulnerable time to clients of Bank One, because they weren’t quite aware of what Chase looked like, and what the form of logging into Chase was. They weren’t so sure about the URLs and all other aspects of online banking, either.
“So, what if a phisher would register a domain like bankonebecomeschase.com? Most people would find that plausible. Then you take advantage of the fact that people are vulnerable, at the same time as you have an opening to use a new domain name that wasn’t very meaningful before,” Jakobsson says. Another thing a bank can do, apart from registering these domains in advance, is to watch the attacks that are occurring against other financial institutions.
For example, there was an attack that many refer to as the Chase Rewards attack in 2006, in which a lot of people got e-mails, saying “Dear Chase customer, we would like to know how you like our services, and please fill this survey, and you’ll get $20 for the effort,” and then it was increased to $50, and yet later to $100.
“If the user took time to answer the survey, which was not of any interest at all to the phisher, they would get this reward,” Jakobsson says. “Of course, the way in which they would get the reward would be to log in. So, this was just a psychologically complicated way of getting to the user credentials.”
Phishers then realized that this had been rather successful, and that there were other banks they could target in the same way.
“Some months later, it started on Washington Mutual. Now, as soon as that happened, I went out and registered wamu-rewards.com. This is something Washington Mutual should have done. They should have done it the moment they saw the Chase attacks, many of which were performed using domains like chaserewards, or similar. They should have taken every domain they saw in the Chase attacks, and they should have registered the same domain, principally stopping the attacker from using those, if they were to turn to Washington Mutual,” he concludes. [Editor’s note: Jakobsson was able to successfully transfer the domain names he purchased in WaMu’s name to the proper department at Washington Mutual.]
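The two defensive steps the article describes, enumerating the lookalike and lure domains a phisher would plausibly register for your own brand (the samslcub/vvachovia typos and the chase-alerts.com/alerts-chase.com lures above) and translating domains seen in attacks on another institution into the equivalent domains for yours (chaserewards to wamu-rewards), can be automated. The script below is an added example written for this page; it is not Jakobsson's tool or anything the article describes in code. The homoglyph table, the lure-word list and the "observed attack domains" are constructed for illustration, and the output is a candidate list to feed into a registrar or WHOIS check, which the script does not perform.

```python
"""Lookalike-domain generator for brand-protection registration.

Added example, not from the article. The homoglyph map, lure words and the
sample attack domains are constructed assumptions, not observed data.
"""
from itertools import product

# Character substitutions that look alike in common fonts or sit next to
# each other on a keyboard (constructed; extend for your own brand).
HOMOGLYPHS = {
    "w": ["vv"],        # vvachovia.com
    "m": ["rn"],
    "l": ["1", "i"],
    "i": ["l", "1"],
    "o": ["0"],
    "d": ["cl"],
}

# Words phishers bolt onto a bank name so a lure URL reads like a
# legitimate notification or promotion (constructed list).
LURE_WORDS = ["alerts", "rewards", "secure", "online", "verify", "update"]


def typo_variants(label):
    """Single-edit typos of one domain label: omission, adjacent-character
    transposition and homoglyph substitution. Returns a set of labels."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                    # drop a character
        if i + 1 < len(label) and ch != label[i + 1]:
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # swap neighbours
        for glyph in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + glyph + label[i + 1:])        # lookalike glyph
    out.discard(label)
    out.discard("")
    return out


def lure_variants(label):
    """Brand name combined with a lure word, with and without a hyphen,
    in both orders: chase-alerts, alerts-chase, chasealerts, alertschase."""
    for word in LURE_WORDS:
        yield f"{label}-{word}"
        yield f"{word}-{label}"
        yield f"{label}{word}"
        yield f"{word}{label}"


def candidate_domains(label, tlds=("com", "net", "org")):
    """Every typo and lure label crossed with the TLDs worth defending."""
    names = typo_variants(label) | set(lure_variants(label))
    return sorted(f"{name}.{tld}" for name, tld in product(names, tlds))


def transfer_attack_pattern(attack_domain, victim_label, own_label):
    """Map a domain used against another bank onto our own brand, e.g.
    chaserewards.com with victim 'chase' and own 'wamu' -> wamurewards.com.
    Returns None when the victim's name does not appear in the domain."""
    name, _, tld = attack_domain.rpartition(".")
    if victim_label not in name:
        return None
    return f"{name.replace(victim_label, own_label)}.{tld}"


def defensive_registrations(own_label, victim_label, observed_attack_domains):
    """Combine both sources: our own typo/lure candidates plus the analogues
    of every domain seen in attacks on the other institution."""
    candidates = set(candidate_domains(own_label))
    for domain in observed_attack_domains:
        mapped = transfer_attack_pattern(domain, victim_label, own_label)
        if mapped:
            candidates.add(mapped)
    return sorted(candidates)


if __name__ == "__main__":
    # Constructed sample of domains "seen" in attacks on Chase.
    seen_against_chase = ["chaserewards.com", "chase-rewards.net",
                          "secure-chase-login.com", "citi-alerts.com"]
    for d in defensive_registrations("wamu", "chase", seen_against_chase)[:15]:
        print(d)
```

The generator deliberately stays at one edit per label: a candidate list that is small enough to actually register is more useful than an exhaustive one, and the attack-pattern mapping catches the multi-word lures (secure-chase-login) that single-edit generation would never produce.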