Fraudulent spam hit the headlines last week, when banking group ANZ became the target of a spammer who attempted to get users to reveal their Internet banking details.
Jamie Gillespie, security analyst at security advisory organisation AusCERT, said that it had heard of similar Web site scams over the past couple of weeks, following another spate targeting banks about two months ago.
“[These scams] basically mirror the real banking Web sites,” Gillespie said. However, the information, which typically included user names or password details, was saved to a third-party Web site.
According to Gillespie, from what AusCERT had seen, these scams had been affecting a large Australian audience, partly because the spammers target email addresses in the country of the bank they're mirroring.
IT security consultant Kevin Fitzgerald described brand spoofing as preying on people's social nature. “[It's] one of those things that's a bit difficult to protect against, because you've got the temptation of individuals as the vulnerability,” Fitzgerald argued. “In this case the vulnerability isn't so much a weakness in the equipment or the architecture, it's the people themselves.”
Fitzgerald suggested organisations need to have IT security policies in place to help protect against employees affected by brand spoofing.
He also warned that the number of hacker attacks was growing, estimating that this year attacks would double. “It's something we've all got to be aware of,” Fitzgerald said. “It's like a motor car—if you don't want to have an accident, don't take it out of the garage.”
Similarly, filtering software company SurfControl has also warned that brand spoofing will only increase unless organisations take extra security precautions.
Charles Heunemann, Australian managing director for SurfControl, estimated brand spoofing had grown from zero to more than five incidents per month over the past three months.
“[It's] the new organised crime, preying on email users who may not be as Internet-savvy or aware of cyber security,” Heunemann said. “But even for those who are aware, the fraudulent Web sites that collect the personal data look very realistic.”