Root Cause of Phishing Attacks

Written by Carl E. Reid on January 26, 2009

The article “In-session phishing holds new potential for attack” by Dan Blacharski is worth another read. If you have not done so, I highly recommend reading this article. Dan provides important information on the most dangerous of all phishing expeditions to date.

Setting aside the symptoms that produce the in-session phishing results, let’s examine the root cause. I learned a long time ago that the solution to any problem lies within the problem itself. This has proven true over the years in overcoming problems life has presented.

This adage holds true with in-session phishing. The solution to preventing or minimizing in-session phishing or other phishing scams lies in eliminating the complexity of domain names. Beyond the ignorance of people having identities or money stolen, the root cause lies in the way uniform resource locators (URLs) are created. As technocrats, we get hung up on creating complicated internet web address URLs. The thinking is that the more complicated the URL, the better the chances of thwarting the phishing thieves. This complicated-URL approach does not consider the everyday person, who won’t know the difference. So it actually makes it easier for the phishers to reel in their victims.

In “Security Best Practice: Host Naming & URL Conventions”, author Gunter Ollmann provides solid methods for addressing the root cause of phishing attacks. Gunter points out that companies need to spend time rethinking the naming conventions for Internet web address URLs. Organization names used for Internet-visible hosts, or references to web application URLs, can often be abused to make for a more successful attack. Due to a lack of insight or understanding of current attack variables, many organizations are failing to follow best security practices in their host naming and linking conventions. The result is companies unwittingly aiding the attackers.

Most attackers, whether they are malicious users or professional criminals, have a bag of ‘tricks’ from which they construct their attack. Many common attack vectors initially depend upon the manipulation of the host name and/or application URL to deceive the customer in order to be successful.  To conduct an attack comprised of any of the threats previously discussed, the attacker has a finite pool of techniques and vectors that he can use. The most important and successful techniques are:
• Registration of similarly named domains
• Manipulation of complex URLs

Suggestions for Minimizing Phishing Attacks

Protect against all of the threats by adopting a robust and comprehensive defense-in-depth posture. At a fundamental level, the practice of keeping host names as simple and recognizable as possible – combined with the use of short URLs for referencing application components – can appreciably contribute to the overall security of an organization’s online service. Customers and clients must be able to tell at a glance exactly which service offering they are connecting to, and have confidence that they are not succumbing to a fraudulent link.

Care should be taken when considering how domain names are to be used when delivering host services. Regardless of any particular attack vector, most customers are non-technical and are easily overwhelmed with the long and complex information presented in “follow this link” URLs.

Suggested “best practices” in domain naming and host service referencing include:

  • Use of the same top level domain
  • Redirection of regional domains
  • Representative service naming
  • Use of the simplest and least confusing host name
  • Avoiding host numbering
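
As an added example (not code from the post or from Gunter Ollmann’s paper), the following small linter checks an organization’s outbound “follow this link” URLs against the practices listed above; the primary domain “example.com”, the thresholds and the sample URLs are constructed assumptions for illustration.

```python
# Added example: audit outbound URLs against the naming practices above.
# PRIMARY_DOMAIN, the thresholds and the sample URLs are assumed values.
import re
from urllib.parse import urlparse

PRIMARY_DOMAIN = "example.com"   # assumed organization domain
MAX_HOST_LABELS = 3              # e.g. "login.example.com" has 3 labels
MAX_URL_LENGTH = 60              # keep "follow this link" URLs short


def registered_domain(host: str) -> str:
    """Last two labels of the host. Adequate for .com-style domains; a
    public-suffix list would be needed for ccTLDs such as .co.uk."""
    return ".".join(host.split(".")[-2:])


def audit_url(url: str) -> list[str]:
    """Return the list of practice violations for one URL (empty = clean)."""
    findings = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    brand = PRIMARY_DOMAIN.split(".")[0]
    if registered_domain(host) != PRIMARY_DOMAIN:
        # A different registrable domain is either a regional/vanity domain
        # that should redirect to the primary one, or a lookalike registration
        # that reuses the brand name (the "similarly named domains" vector).
        if brand in host:
            findings.append("lookalike: brand name used outside the primary domain")
        else:
            findings.append("not under primary domain (use same top level domain or redirect)")
    if re.search(r"\d", host):
        findings.append("host numbering (e.g. www3, srv01) confuses customers")
    if host.count(".") + 1 > MAX_HOST_LABELS:
        findings.append("host name has too many labels to recognize at a glance")
    if len(url) > MAX_URL_LENGTH or parts.query:
        findings.append("long or parameterized URL in a 'follow this link' context")
    return findings


if __name__ == "__main__":
    # Constructed sample links: one clean, one over-complex, one lookalike.
    for u in ["https://login.example.com/",
              "https://www3.secure-banking.services.example.com/app?session=abc123",
              "https://example-store-payments.com/login"]:
        print(u, audit_url(u))
```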

There is no magic silver bullet.  Gunter Ollmann is probably not popular with phishing thieves right now, because he is on the right track with his approaches.

2 Responses to “Root Cause of Phishing Attacks”

  1. macbuy Says:

    I’m glad someone finally pointed this out. All the high-tech solutions out there still don’t protect against user error, which is the entire crux of the phisher’s enterprise. When asked to give their personal info to a url like “amazon-store-payments.com,” some folks don’t hesitate. The key is educating, and making phishers easier to spot.

    One note, though, I do think these goals dovetail nicely with those of some recent anti-phishing developments, particularly Extended Validation SSL — there’s nothing more robust on the back-end, but since the green url bar is impossible to duplicate it’s easier to differentiate from phishing scams. I could see more practical solutions that keep the end-users’ eyes in mind being far more successful, even if some phishers have already been dropping the EV SSL name to sound more “with-it” (this won’t be effective, though, once enough people understand how EV works).

  2. Carl E. Reid Says:

    Thank you Macbuy for your feedback. Your suggestions are good topics for future articles.
