Posts Tagged 'phishing'

scamming the search engines

Even search engines can get suckered by Internet scams.

With a little sleight of hand, con artists can dupe them into giving top billing to fraudulent Web sites that prey on consumers, making unwitting accomplices of companies such as Google, Yahoo and Microsoft.

Online charlatans typically try to lure people into giving away their personal or financial information by posing as legitimate companies in “phishing” e-mails or through messages in forums such as Twitter and Facebook. But a new study by security researcher Jim Stickley shows how search engines also can turn into funnels for shady schemes.

Stickley created a Web site purporting to belong to the Credit Union of Southern California, a real business that agreed to be part of the experiment. He then used his knowledge of how search engines rank Web sites to achieve something that shocked him: His phony site got a No. 2 ranking on Yahoo Inc.’s search engine and landed in the top slot on Microsoft Corp.’s Bing, ahead of even the credit union’s real site.

Google Inc., which handles two-thirds of U.S. search requests, didn’t fall into Stickley’s trap. His fake site never got higher than Google’s sixth page of results, too far back to be seen by most people. The company also places a warning alongside sites that its system suspects might be malicious.

But even Google acknowledges it isn’t foolproof.

Some recession-driven scams have been slipping into Google’s search results, although that number is “very, very few,” said Jason Morrison, a Google search quality engineer.

On one kind of fraudulent site, phony articles claim that participants can make thousands of dollars a month simply for posting links to certain Web sites. Often, the victims are asked to pay money for startup materials that never arrive, or bank account information is requested for payment purposes.

“As soon as we notice anything like it, we’ll adapt, but it’s kind of like a game of Whac-A-Mole,” he said. “We can’t remove every single scam from the Internet. It’s just impossible.”

In fact, Google said Tuesday it is suing a company for promising “work at home” programs through Web sites that look legitimate and pretend to be affiliated with Google.

Stickley’s site wasn’t malicious, but easily could have been. In the year and a half it was up, the 10,568 visitors were automatically redirected to the real credit union, and likely never knew they had passed through a fraudulent site.

“When you’re using search engines, you’ve got to be diligent,” said Stickley, co-founder of TraceSecurity Inc. “You can’t trust that just because it’s No. 2 or No. 1 that it really is. A phone book is actually probably a safer bet than a search engine.”

A Yahoo spokeswoman didn’t respond to requests for comment. Microsoft said in a statement that Stickley’s experiment showed that search results can be cluttered with junk, but the company insists Bing “is equipped to address” the problem. Stickley’s link no longer appears in Bing.

To fool people into thinking they were following the right link, Stickley established a domain ( that sounded plausible. (The credit union’s real site is After that, Stickley’s site wasn’t designed with humans in mind; it was programmed to make the search engines believe they were scanning a legitimate site. Stickley said he pulled it off by having link after link inside the site to create the appearance of “depth,” even though those links only led to the same picture of the credit union’s front page.

The experiment convinced Credit Union of Southern California that it should protect itself by being more aggressive about buying domain names similar to its own. Domains generally cost a few hundred dollars to a few thousand dollars each — a pittance compared with a financial institution’s potential liability or loss of goodwill if its customers are ripped off by a fake site.

“The test was hugely successful,” said Ray Rounds, the credit union’s senior vice president of information services.

Stickley’s manipulation illuminates the dark side of so-called search engine optimization. It’s a legitimate tactic used by sites striving to boost their rankings — by designing them so search engines can capture information on them better.

But criminals can turn the tables to pump up fraudulent sites.

“You can do this on a very, very broad scale and have a ton of success,” Stickley said. “This shows there’s a major, major risk out there.”

Robert Hansen, a Web security expert who wasn’t involved in Stickley’s research, said ranking high in search engine results gets easier as the topic gets more obscure. An extremely well-trafficked site such as Bank of America’s would always outrank a phony one, he notes.

Still, Hansen said, criminals have been able to game Google’s system well enough to carve out profitable niches. He says one trick is to hack into trusted sites, such as those run by universities, and stuff them with links to scam sites, which makes search engines interpret the fraudulent sites as legitimate.

“I don’t think we’re anywhere near winning” the fight against such frauds, said Hansen, chief executive of the SecTheory consulting firm.

Roger Thompson, chief research officer for AVG Technologies, who also wasn’t involved in the research, said search results can be trusted, for the most part.

“But the rule is, if you’re looking for something topical or newsworthy, you should be very cautious about clicking the link,” he said. That’s because criminals load their scam sites with hot topics in the news, to trap victims before the search engines have a chance to pull their sites out of the rankings.

“The bad guys don’t have to get every search,” he said. “They just have to get a percentage.”

Consumers can protect themselves from scam sites by looking up the domain at, which details when a site was registered and by whom. That can be helpful if the Web address of a phony site is similar to the real one.

Looks like search engine optimization (SEO) can be put to fraudulent uses too, as shown by Stickley and his fake site. It’s scary to know that your favourite search engine Google or Yahoo is delivering scam sites to you when you search with them. Who’s going to take the blame when the user gets scammed? Surely the search engine will have to take some of the responsibility as well, for not ensuring that they do not index phishing sites in their databases. Of course, the bulk of the responsibility still lies on the user to ensure that they are on the correct website before entering sensitive information such as bank account information or usernames and passwords.

Some simple things to look out for:

  1. Check the address bar – is the URI familiar?
  2. Look out for the https protocol – this shows that you’re on a secure connection. While even this may be faked, there’s a higher probability that you’re on a genuine site if https is being used.
  3. Look out for SSL when doing online banking. There should be a lock icon in the bottom right corner of your internet browser. If you’re using Firefox, you can also look at the address bar, where they will identify the owner of the SSL certificate.

don’t hack my password

Enterprises looking to maintain IT infrastructure integrity and deter hackers from attacking employees’ passwords, can tap software and simple guidelines to generate secure passwords, according to a security specialist.

Ronnie Ng, Symantec’s manager of systems engineering in Singapore and Indonesia, noted that there are systems and configuration management software, which include components and policies that allow IT administrators to enforce strong password guidelines within the organization.

Recent security incidents have stepped up the need for robust secret code. Last month, 20,000 passwords obtained from a phishing scam turned up on a third-party Web site, revealing login credentials to Windows Live Hotmail, Gmail and Yahoo Mail accounts, among others. A subsequent analysis of the compromised passwords revealed that many users were tardy in creating secure passwords.

Viruses such as Conficker and Gumblar, have already attacked the IT infrastructure of organizations such as the Australia and New Zealand Banking Group.

With these in mind, here are five considerations to strengthen passwords and the password-generating process, for both work and play.

  • Use tools that automatically generate random passwords

IT professionals, Symantec’s Ng noted, should make use of business software that allow the automatic generation of random passwords based on a fixed schedule.

“So even if a certain password somehow becomes compromised, it will only be good until the randomization expires, and it will only apply to [a] particular computer,” said Ng.

  • Use alphanumeric characters and unique symbols to create stronger passwords

Alphanumeric characters with a mixture of upper and lower case letters, numbers and symbols, will make it tough for hackers to crack. Employing this approach will make passwords “as meaningless and random as possible”, according to Ng.

Tech author and columnist J.D. Biersdorfer, noted in a video for the New York Times that such characters and symbols should also be worked into the answers of your challenge questions.

  • Instead of mnemonics, try a ‘pass-phrase’

Researchers at the Carnegie Mellon University in the United States have found out that using mnemonics, which require users to generate a password using the first letter of every word in a sentence, are not as secure as initially thought.

According to a Newsweek article, 144 volunteers were each asked to create a mnemonic password in a study conducted in 2006. The researchers then built a simple program to scour the Web for famous quotes, ad slogans, song lyrics and nursery rhymes, amassing 249,000 entries. Using this list, which is a relatively small universe of phrases in the security field, the researchers cracked 4 percent of the group’s mnemonic passwords, proving that this method has its fallibility.

Far more secure are pass-phrases such as “du-bi-du-bi-dub”, which would withstand a brute force attack–in which a hacker attempts “a,” then “ab”, then “abc”, and so on–for “531,855,448,467 years”, according to the report. So think long, but easy to remember phrases, the next time you generate a password.

  • Change passwords periodically

According to Symantec’s Ng, organizations should incorporate system prompts to alert employees to change their password every 45 to 60 days. Frequent password changes result in higher security, making it more difficult for intruders to access company data using outdated passwords. “But do strike a balance as overly frequent changes may hinder productivity,” he noted.

  • Avoid generating passwords using personal information

Internet users have a common headache: there are too many passwords to remember. Today, with Web-based email programs, Internet banking accounts, instant messaging tools, and corporate office computers among some of the more common systems or equipment requiring a password to authenticate entry, it is hard work for users to remember all their passwords.

However, users should not base passwords on the convenience of their personal information, Ng pointed out. Such data include names, nicknames and birth dates.

Former Governor of Alaska in the U.S., Sarah Palin, is a cautionary tale. Last year, her personal e-mail account was hacked into by a student, who simply searched the Web to find out Palin’s birth date, postal code and where she had met her husband to crack her security code.

So who wants to try a password like “du-bi-du-bi-dub”? That’s quite an interesting one, and it looks easy to remember as well. Another issue that wasn’t covered in this article is the fact that people like to use ONE password for everything: their email account, Paypal, eBay, etc. It’s pretty simple to get to the rest of the accounts once you know one of the passwords. Get into an email account like Hotmail and by sifting through their inbox, it shouldn’t be too hard to guess what other sites they visit on a regular basis.