Posted by: David Harley | April 20, 2010

Student Loans: a Hard Lesson about Phishing

When I was a lad in the 60s, the UK still had a student grants system. It wasn’t always popular with people who had no chance of going to university, some of whom saw it as subsidising (ahem!) free love and recreational drugs rather than investing in the future workforce, and I have to admit that not everyone in my generation appreciated what an opportunity they’d been given to extend their education. (I certainly didn’t until much later, which is why I didn’t finish my degree until I was 40!)

The UK moved away from that particular model long ago, and now works on a loan system. And Sunbelt’s Christopher Boyd has noted that the Student Loan Company site is being spoofed by phishing scammers. Anyone who falls for the fake forms these phishing sites present is asked for enough sensitive data to ensure that they could spend years clearing up the damage to their reputation and finances: date and place of birth, email account details, passwords, secret questions, bank account details, National Insurance Numbers (roughly equivalent to the US Social Security Number)… It’s hard to imagine that anyone would be so incautious as to give away so much information, but experience shows that people really do. 

Having handed all that stuff over, the victim is then passed on to the real DirectGov site, making it even less likely that they’ll realize they’ve been phished. Until their money or their identity disappears, of course.

You’d think that the sheer volume of sensitive data demanded by these spoof sites would ring alarm bells. However, Kevin Townsend forcefully suggests that the success of this scam is probably due at least in part to the incompetence and lack of professionalism of the real site. It’s a point I’ve made many times in the past: poor practice on the part of financial institutions grooms potential victims, persuading them to expect unreasonable demands for sensitive data. See, for instance, a paper presented by myself and Andrew Lee at Virus Bulletin in 2007: http://www.eset.com/resources/white-papers/Phish_Phodder.pdf.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://avien.net/blog
http://www.eset.com/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macvirus.com
