Filed under: Personal Opinions, Phishing
posted by D1m on 08 Dec 2006 04:54 pm
A Way To Fight Phishing Scams
I think one root of the problem is how fast scammers can register domain names and have the fake websites – e.g. for PayPal etc… – up and running in seconds. The root of the problem is the automated process of the domain name registrations.
The Internet Corporation for Assigned Names and Numbers (ICANN) and the registrars have to do something in order to protect the individuals from phishing scams. The current situation is: A complaint about a scammer’s domain – e.g. payppaal.com – has to be legally resolved and it takes ages until the court’s final decision to take the domain name down, while phishers need only a few minutes or hours to setup their scam websites and steal dozen of credit card details.
The registrars therefore have to setup something like a prevention mechanism to filter a list of suspicious words that can be used to register domains for phishing scams and raise an alarm to the registrar staff or hosting companies. With this way the transaction won’t continue until proper verification of proof of identity of the suspicious individual attempting to register the suspicious domain name.
Domain policymakers and stakeholders must work together to reduce frequency of phishing scams.
OWASP
on 22 Jan 2007 at 7:04 am 1.Kevin said …
Yes this is a big problem, especially when the scam is hosted on a third party domain/site, in asian countries for example, it can take up to some weeks before it is taken down..
on 30 Jan 2007 at 1:16 am 2.Nick Kritsilis said …
I think the best solution is companies to actually protect their domain names, so for example paypal.com can buy paypall.com and payppaal.com … so all the customers of each company to be protected …
on 16 Mar 2007 at 11:40 am 3.Dim said …
Yes Nick, I agree somewhat with what you wrote, but say PayPal registers all suspicious looking domains which can be used by phishers against its customers… Phishers can still use a different domain name or either exploit web browser security vulnerabilities and code scripts that will still trick the customers into thinking that is the genuine service requesting their card details and other sensitive personal information.