Fraudsters and cybercriminals continue to find creative ways to exploit technology and human weakness to facilitate their crimes. Another new exploit they are using is hijacking popular Google search terms, typically targeting bank sites, and then inserting HTML into the legitimate response pages to get end-users to provide personally identifiable information (PII), typically website user IDs and passwords, often in conjunction with keyloggers they download to the victims’ computers.
While this exploit does require a small monetary investment by the criminal, it is worth it to the fraudsters to get the much more valuable PII to either sell to other criminals, or to use for their own crimes. These are not nickel and dime crooks, these are some serious crooks who know how to dupe people out of their money by creating an appealing, seductive promise or image that the enduser thinks will ultimately help him or her in one way or another. As the article states, “Attackers are realizing that in business, you need to spend money to make money.” Indeed, potentially many times more money than their investment.
Google reportedly removed all the malicious links that were exploited by this scheme, but it is possible they missed some of the links.
This isn’t a new type of attack. Cybercriminals know that end-users are less likely to have their computers updated with the latest security patches, and they also know that people are gullible to following the directives provided at what they perceive to be legitimate sites. I still hear, even from folks responsibile for information security, people who say they click on links found through popular search engines such as Google with no worries that they will be sent to a bogus site, or no worries that the link provided may be surreptitiously loading spyware on their computers.
A couple of actions to help fight this type of exploit:
* Monitor websites and search engines for references and links to your organization’s website and see if you find any bogus ones. Get those URLs removed.
* Provide training and awareness to your personnel about how to spot bogus websites
* Provide training and awareness to your personnel for how to resist the urge to click URLs promising to take them to sites with “hot pictures” of famous celebrities, or some other bait that many of your employees will fall for.
Tags: awareness and training, cybercrime, google, identity theft, Information Security, IT compliance, key logger, policies and procedures, privacy, risk management, social engineering