A phishing scheme recently busted by the FBI is a perfect example

May 10, 2012 07:59 GMT

At the beginning of May, the FBI revealed that a man from Georgia, along with a number of accomplices, admitted to stealing more than $1.3 million (1 million EUR) after phishing the credentials of unsuspecting Internet users.

The cybercriminals defrauded people by creating web pages that replicated the legitimate sites of banks and other e-commerce companies.

With these websites, they convinced their victims to hand over sensitive information such as Social Security numbers, dates of birth, usernames, passwords, and other types of data that allowed them to create fake identities and process illegal transactions.

The fraudsters not only drained their victims’ online accounts, but they also forged checks and identity papers that would allow them to physically withdraw money from the financial institutions.

Waya Nwaki, the man suspected of being the mastermind of the scheme, was arrested in December 2011 in Atlanta, Georgia, and pleaded guilty. He will be sentenced for his crimes in August.

While it’s clear that many of their crimes could have been prevented if the victims had known how to protect themselves against phishing scams, experts believe that the companies involved can also be partly blamed for not taking sufficient measures to protect their customers.

Jeff Hudson, CEO of Venafi, an organization that provides encryption management solutions, claims that many companies are highly vulnerable to man-in-the-middle (MitM) attacks.

“This attack proves that companies are still vulnerable to one of the oldest tricks in the Internet crime book: the man-in-the-middle attack,” Hudson explained to Softpedia.

“Man-in-the-middle attacks have drained billions of dollars from enterprises and customer accounts, have inflicted unquantifiable levels of reputational damage on victim organizations, and weakened trust levels across the Web.”

He believes that the current IT security market provides the solutions to many of these problems and organizations should try to benefit from them to protect both their infrastructures and their customers.

“Organizations that leverage the Web and require secure customer and partner transactions should ensure that they have strong SSL connections in place, an accurate and thorough inventory of all digital certificates deployed, well-managed and automated security processes, and a remediation plan that can provide fast recovery in case of compromise,” he added.

“Organizations also have an obligation to educate their customers on how to proceed with caution when making financial transactions on the Web.”

Finally, he offers some simple advice that “sounds techie,” but which, in reality, represents easy-to-follow security practices.

“Users should know that a green bar to the left of the URL field and the 's' in HTTPS are signs of a secure connection, how to validate a website's identity by reviewing its certificate, and to always avoid any website with a questionable or expired certificate.”