Phishing attacks have been rising over the past couple of years. Reports show that there was a 345 percent increase in phishing attacks between 2020 and 2021. In 2022, the number of advanced phishing attacks rose by 356 percent. Behind these alarming numbers, however, is an even uglier picture of digital fraud: a difficult-to-quantify prevalence of fake or spoof websites.
Phishing and other social engineering attacks rely on spoof websites to deceive unsuspecting users into submitting sensitive information such as login credentials, credit card numbers, and contact details. Websites have become a major battleground in today’s fight against online fraudsters.
Governments are cognizant of this reality, inevitably leading to the implementation of new security guidelines and regulations. These new policies will mean that organizations must enhance their website security and improve the protection of their customers.
The Biden administration’s National Cybersecurity Strategy seeks to end, or at least significantly curtail, the quiet but pervasive practice of vendor indemnification. For decades, businesses have enjoyed a near-blanket shield against liability whenever their customers suffer loss or damage because of their products. This is largely the result of “shrink-wrap licensing,” in which customers are pushed into accepting extremely lengthy terms and conditions that release the vendor from any liability. It is common knowledge that virtually all customers skip these texts and proceed directly to the “I Agree” button or the signature line.
This is a groundbreaking initiative from the US government, as it acknowledges that while product security may not be absolute, it is not right for businesses to be shielded from liability if their products are not adequately secure. Customers cannot bear all the responsibility for security. It has to be a collaboration between customers and businesses.
For website security and customer protection, this means that businesses should not only be responsible for keeping their websites free of security vulnerabilities such as cross-site scripting, misconfiguration, and injection flaws, but must also make it harder for their customers to fall for phishing attacks, including those that leverage spoofed versions of their websites.
In the past, the impact of spoof websites fell mostly on the operations and reputation of the business being spoofed. Nowadays, these spoof sites also directly harm customers by facilitating financial and informational theft. The National Cybersecurity Strategy suggests that businesses should also be responsible for addressing the problem of spoof sites.
In the US, there are no concrete and legislated solutions yet to reflect this paradigm shift in site security and customer protection. But in the UK, banks and payment companies have already become legally required to reimburse fraud victims. As the world begins to shift towards greater company liability for customer protection, upcoming solutions in the US are expected to be in line with the following strategies:
Detecting the possibility of an attack – Website spoofing and other attacks aimed at a website often start with website scraping, the process of extracting a website’s content and data in bulk. Detecting scraping is therefore an early hint that someone is attempting to spoof a site or preparing other adversarial actions.
Scraping itself is not bad per se, as it can be used for machine learning, to acquire content that can be used for informational purposes, and is even done by search engines. “Most of this data is unstructured data in an HTML format which is then converted into structured data in a spreadsheet or a database so that it can be used in various applications,” writes a GeeksforGeeks user in a guide on web scraping.
However, scraping is also a strategy used by attackers that spoof websites. Since most website scraping is undertaken by bots, this malicious action can be detected by implementing malicious bot detection and management.
Doing this is not as easy as it sounds, though. Headless browser bots execute JavaScript, fetch page assets and present ordinary user-agent strings, so they pass the simple signature checks that most mitigation solutions rely on. It is important to have detection that layers behavioral analysis, IP reputation evaluation, and progressive challenges such as JavaScript execution and proof-of-work or CAPTCHA steps that escalate as suspicion grows.
Preventing website scraping does not rule out a website getting spoofed. At the very least, however, it complicates the process of copying the site, which may make it a less attractive target for cybercriminals. It also narrows the bottleneck on automated attacks, buying organizations time to respond.
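As an added illustration of the first detection layer described above (this is example code written for this article, not a tool from any vendor it mentions), the Node.js script below scores clients in constructed access-log lines for scraper-like behavior: request rate, pages fetched without any CSS/JS/image requests, deep pages with no referer, sequential ID enumeration, and automation user agents. The IPs, the hostname shop.example, the paths and the thresholds are all made up for illustration. A headless browser that fetches assets and spoofs its user agent will only trip the rate and enumeration signals, which is exactly why the behavioral and challenge layers are needed on top.

```javascript
// Added example, not code from the original article: a first-pass scraper
// detection heuristic run over constructed access-log lines in the common
// Apache/Nginx "combined" format. IPs are from RFC 5737 test ranges; the
// hostname, paths and user agents are made up for illustration.
const SAMPLE_LOG = `
203.0.113.7 - - [10/Sep/2023:12:00:01 +0000] "GET /products/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/116.0"
203.0.113.7 - - [10/Sep/2023:12:00:01 +0000] "GET /products/2 HTTP/1.1" 200 5098 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/116.0"
203.0.113.7 - - [10/Sep/2023:12:00:02 +0000] "GET /products/3 HTTP/1.1" 200 5133 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/116.0"
203.0.113.7 - - [10/Sep/2023:12:00:02 +0000] "GET /products/4 HTTP/1.1" 200 5101 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/116.0"
203.0.113.7 - - [10/Sep/2023:12:00:02 +0000] "GET /products/5 HTTP/1.1" 200 5087 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/116.0"
203.0.113.7 - - [10/Sep/2023:12:00:03 +0000] "GET /products/6 HTTP/1.1" 200 5140 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/116.0"
203.0.113.7 - - [10/Sep/2023:12:00:03 +0000] "GET /products/7 HTTP/1.1" 200 5112 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/116.0"
203.0.113.7 - - [10/Sep/2023:12:00:03 +0000] "GET /products/8 HTTP/1.1" 200 5095 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/116.0"
198.51.100.4 - - [10/Sep/2023:12:00:05 +0000] "GET /products/17 HTTP/1.1" 200 5100 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0 Safari/537.36"
198.51.100.4 - - [10/Sep/2023:12:00:05 +0000] "GET /static/app.css HTTP/1.1" 200 812 "https://shop.example/products/17" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0 Safari/537.36"
198.51.100.4 - - [10/Sep/2023:12:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 4020 "https://shop.example/products/17" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0 Safari/537.36"
198.51.100.4 - - [10/Sep/2023:12:00:40 +0000] "GET /products/23 HTTP/1.1" 200 5070 "https://shop.example/products/17" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0 Safari/537.36"
198.51.100.4 - - [10/Sep/2023:12:00:40 +0000] "GET /static/logo.png HTTP/1.1" 200 2200 "https://shop.example/products/23" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0 Safari/537.36"
`;

// ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
const ASSET_RE = /\.(css|js|png|jpe?g|gif|svg|ico|woff2?|ttf|map)$/i;
// Obvious automation signatures; real scrapers spoof these, so this is a weak signal.
const HEADLESS_UA_RE = /HeadlessChrome|PhantomJS|python-requests|Scrapy|Go-http-client|curl\/|Wget/i;

// "10/Sep/2023:12:00:01 +0000" -> epoch milliseconds (UTC)
function parseApacheTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return NaN;
  const [, d, mon, y, H, M, S, sign, tzH, tzM] = m;
  const local = Date.UTC(+y, MONTHS[mon], +d, +H, +M, +S);
  const offsetMs = (sign === '-' ? -1 : 1) * (+tzH * 60 + +tzM) * 60000;
  return local - offsetMs;
}

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, path, status, referer, ua] = m;
  return { ip, t: parseApacheTime(ts), method, path, status: +status, referer, ua, isAsset: ASSET_RE.test(path) };
}

// Numeric suffix of a path (/products/17 -> 17), used to spot ID enumeration.
function trailingNumber(path) {
  const m = /(\d+)\/?$/.exec(path);
  return m ? +m[1] : null;
}

// Summarise one client's requests into features that separate bulk page
// fetching from ordinary browsing. Requests are assumed to be in log order.
function featuresFor(reqs) {
  const times = reqs.map(r => r.t);
  const windowSec = Math.max(1, (Math.max(...times) - Math.min(...times)) / 1000);
  const pages = reqs.filter(r => !r.isAsset);
  let seq = 0;
  for (let i = 1; i < pages.length; i++) {
    const a = trailingNumber(pages[i - 1].path), b = trailingNumber(pages[i].path);
    if (a !== null && b !== null && b === a + 1) seq++;
  }
  return {
    count: reqs.length,
    ratePerMin: (reqs.length / windowSec) * 60,
    assetFraction: (reqs.length - pages.length) / reqs.length,
    noRefererFraction: pages.length ? pages.filter(r => r.referer === '-').length / pages.length : 0,
    sequentialFraction: pages.length > 1 ? seq / (pages.length - 1) : 0,
    headlessUA: reqs.some(r => HEADLESS_UA_RE.test(r.ua)),
  };
}

// Thresholds are illustrative; tune them against your own traffic baseline.
function scoreClient(f) {
  let score = 0;
  const reasons = [];
  if (f.ratePerMin > 60) { score += 2; reasons.push(`rate ${f.ratePerMin.toFixed(0)}/min`); }
  if (f.count >= 5 && f.assetFraction === 0) { score += 2; reasons.push('pages fetched, no CSS/JS/images'); }
  if (f.noRefererFraction >= 0.8) { score += 1; reasons.push('deep pages without referer'); }
  if (f.sequentialFraction >= 0.6) { score += 2; reasons.push('sequential ID enumeration'); }
  if (f.headlessUA) { score += 2; reasons.push('automation user agent'); }
  const verdict = score >= 5 ? 'likely-bot' : score >= 3 ? 'suspicious' : 'likely-human';
  return { ...f, score, reasons, verdict };
}

// Group parsed lines by client IP and score each client.
function analyzeLog(text) {
  const byIp = new Map();
  for (const raw of text.split('\n')) {
    const r = parseLine(raw.trim());
    if (!r) continue;
    if (!byIp.has(r.ip)) byIp.set(r.ip, []);
    byIp.get(r.ip).push(r);
  }
  const out = {};
  for (const [ip, reqs] of byIp) out[ip] = scoreClient(featuresFor(reqs));
  return out;
}

for (const [ip, v] of Object.entries(analyzeLog(SAMPLE_LOG))) {
  console.log(ip, v.verdict, `score=${v.score}`, v.reasons.join('; '));
}
```

In the constructed sample the scraper trips every signal, while the browsing client trips none. In practice a "suspicious" score is where a progressive challenge (a JavaScript computation, then a CAPTCHA) belongs, rather than an outright block, so that false positives cost a legitimate user a few seconds instead of access.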
Helping customers identify or detect attacks – One of the biggest challenges of website spoofing is the difficulty of achieving real-time detection and a timely response. “The main challenge with brand impersonation attacks that employ website spoofing tactics is that those spoofed websites are outside your security perimeter. By the time malefactors have created spoofed websites mimicking yours, it may be too late to take action,” writes Memcyco’s Ran Arad in a guide on spoofing prevention.
This means that cybersecurity should be a collaboration between businesses and customers. There are ways for businesses to protect themselves from cyber attacks by helping their customers directly. For example, when it comes to website spoofing, implementing features that allow customers to examine the authenticity of a site helps the customers and also protects the business at the same time.
This is why some websites, especially those of banks and financial service providers, display reminders of their official URL, so that customers can check the address bar and confirm they are not interacting with a phishing page.
To speed up detection and response, it makes sense to enable customers to recognize a potentially spoofed site and take the appropriate action. This lets businesses help customers evade attacks that would otherwise outrun the business’s own detection and response capabilities.
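One concrete way to give customers the check described above, as an added example that is not from the original article or any vendor it mentions: a site ships a small script in its own pages that compares the hostname the page is actually served from against the site’s canonical hostnames, warns the visitor when they differ, and reports the clone back to the legitimate origin. Scraped copies frequently carry the original scripts along verbatim, so a careless clone exposes itself. The hostnames examplebank.example and www.examplebank.example and the /report-clone endpoint are assumptions for illustration.

```javascript
// Added example, not code from the original article. The canonical hostnames
// and the /report-clone endpoint are assumed names used for illustration.
const CANONICAL_HOSTS = ['examplebank.example', 'www.examplebank.example'];

// Classify the hostname a page is being served from:
//   ok         - the canonical host or one of its subdomains
//   homograph  - an internationalised label (xn--...) that may mimic the brand
//   lookalike  - the brand appears inside another domain (examplebank.example.evil.example)
//   unknown    - anything else
function assessHostname(hostname, canonicalHosts = CANONICAL_HOSTS) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  const labels = host.split('.');
  for (const c of canonicalHosts) {
    if (host === c || host.endsWith('.' + c)) return { status: 'ok', host };
  }
  if (labels.some(l => l.startsWith('xn--'))) return { status: 'homograph', host };
  const brand = canonicalHosts[0].split('.')[0]; // "examplebank"
  if (labels.some(l => l.includes(brand))) return { status: 'lookalike', host };
  return { status: 'unknown', host };
}

// Browser side: run the check on load, warn the visitor and report the clone
// to the real site. The window is injectable so the module also runs under
// Node (where it returns null) for testing.
function runOriginCheck(win = typeof window !== 'undefined' ? window : null) {
  if (!win) return null;
  const result = assessHostname(win.location.hostname);
  if (result.status !== 'ok') {
    const banner = win.document.createElement('div');
    banner.setAttribute('role', 'alert');
    banner.textContent =
      `Warning: this page is served from "${result.host}". ` +
      `Only use ${CANONICAL_HOSTS[0]} and check the address bar before signing in.`;
    (win.document.body || win.document.documentElement).prepend(banner);
    // Beacon the sighting to the legitimate origin (assumed endpoint) so the
    // takedown process can start before the first victim reports it.
    if (win.navigator && typeof win.navigator.sendBeacon === 'function') {
      win.navigator.sendBeacon(
        `https://${CANONICAL_HOSTS[0]}/report-clone`,
        JSON.stringify({ host: result.host, status: result.status, page: win.location.href })
      );
    }
  }
  return result;
}

runOriginCheck();
```

Load the script with `defer` (or at the end of the body) so the banner has a body to attach to. The caveat is the same one the quoted guide raises: the clone sits outside your perimeter, and an attentive attacker will simply strip or edit the script, so this catches lazy copies and shortens time-to-detection; it does not replace server-side scraping detection or takedown processes.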
Driving security and resilience by shaping market forces – “We will place responsibility on those within our digital ecosystem that are best positioned to reduce risk.” This is one of the crucial points in the Biden cybersecurity strategy, which is highly relevant to the goal of boosting website security and customer protection.
This strategy emphasizes the need to protect the privacy and security of personal data and to adopt secure development practices for products and services that can be targeted by cyberattacks. These actions are well within the capabilities of businesses, vendors, and service providers, the market forces that governments can realistically oblige to improve cybersecurity and digital resilience.
As McAfee’s Raj Samani asserts in a blog post, “security is now the foundation of good customer experience.” There are compelling reasons for businesses to accept a bigger role in ensuring website security to provide good customer service. In particular, it enables businesses to be more competitive. “In crowded markets, customer experience is often the key differentiator between competing businesses,” he writes further. It makes perfect sense for new policies to require companies to do more to secure their websites in order to protect their customers.
Website security and customer protection go hand in hand nowadays, in view of the rampant use of spoof sites in phishing and other social engineering attacks. This may suggest a shift towards expanded cybersecurity obligations for businesses, and, perhaps more importantly, a more fruitful collaboration between businesses and customers.
This is a very informative article on the domain abuse happening on the .US domain. NTIA’s weak response in this article is why Congress should hold hearings and move legislation to “fix” the Dark WHOIS issue that puts US cybersecurity, privacy, and consumer protection at risk.
Why is .US Being Used to Phish So Many of Us?
https://krebsonsecurity.com/2023/09/why-is-us-being-used-to-phish-so-many-of-us/
This GAC letter to ICANN org on WHOIS “urgent requests” is just another example of the need for Congress to step in. https://www.icann.org/en/system/files/correspondence/caballero-to-sinha-23aug23-en.pdf