CUInfoSecurity.com Interviews Markus Jakobsson - Part 1 of 2
MARKUS JAKOBSSON: Thank you, Linda.
LINDA MCGLASSON: I'll go right ahead into these questions. In your most recent research, The Human Factor and Phishing, you showed the importance of understanding the psychological aspects of phishing. For the banks and credit unions who want to educate and protect their customers, what are some of the most important points they need to know about your findings?
MARKUS JAKOBSSON: I would say that they could hire the most brilliant techies, who know everything about cryptography and network security, to secure their website and make it hacker-proof, they could pay companies like Cyota for quick takedown, and they could hire people like the guys at the Internet Law Group to go after the phishers and bring them to court. These, of course, are good things to do. But, still, the client might fall prey to phishing in large numbers. Why? Well, first of all, having a safe site doesn't mean that your clients will not be fooled to give out the information at sites impersonating your site. Your client didn't come to your site to learn about security; they came to pay their bills, and that's their primary thing. Security is a secondary concern to them. And they may not even pay attention to the warning. So, the absence of indicators that they are at the correct site. So, a hacker can deceive them to go to another site. Well, now your basic self-protection doesn't do much good. And, most people reacting to phishing attacks actually do so within a few hours before takedown really protects them. And, even if it does help to bring a few phishers to court, it still doesn't undo the damages, so you still need to do more. First of all, it's really important to realize that security isn't a matter of using common sense or reacting correctly to attacks. It's also a matter of deciding the websites and your e-mail downloads in a way that makes the attacks harder. And, most of all, it's about anticipating the next moves of the attacker. This is not easy, of course. How could you know what they are going to do next? If you could have somebody in-house, or you could work with somebody who specializes in this, who looks at the features, what the vulnerabilities are, and your features and of common phishing countermeasures, and also psychologically, who knows what the average Joe will fall for.
For example, most people are now aware of the standard phishing attack, in which the attacker impersonates their financial institution, and asks the user to log in within 48 hours. This is not so credible anymore. Recent studies have found that if a client has a voice mail on his or her answering machine when they come home, and the voice mail says to expect an e-mail requesting their password, update request the next day, of course the e-mail would refer to the voice mail, then the user feels very differently. This e-mail, it comes the next day, says "Now you need to log in within 48 hours." It becomes very credible. So, this might seem like a very complicated attack, of course. You first have to play the voice mail, you have to place a call and get the voice mail on somebody's answering machine. But, I'm telling you this is not a complicated attack. And it quite spectacularly would increase the yields.
LINDA MCGLASSON: What led you to this research, and why do we need to understand users, and know what they will believe, and what they will not?
MARKUS JAKOBSSON: Well, let me answer this with a couple of examples. Several financial institutions wish to authenticate themselves to their users, when they send e-mail, for example, so that the users will be less likely to fall for spoofing attacks. So, one very common way is that the financial institution might say the name of the person who receives it, the e-mail, and the four last digits of their account number, or credit card number. And this is considered, in general, to be secure. But it has a severe flaw. Users, they don't distinguish between an e-mail that says the first four and the last four digits of their credit card. So, to most users that seems equally safe. You know, it said something about your credit card number, and that is, of course, personalization. And most consumers don't know, but of course, everybody in the banking industry knows, that the first four is largely determined by the financial institution. So, a phisher who picks up on this could, you know, send out an e-mail that says, "To," and the name of the person, and that's very easy to find out, and then authenticate themselves, supposedly, by saying "The first four digits of your account (or credit card) number are the following." And the user who receives this will automatically believe that this is legitimate because it has an authentication that he or she has gotten used to. The financial institution has trained them to accept an authentication in this general format. And even if he or she looks at their credit card, and hopefully security-minded people do, it will be accepted. And, so, phishers could actually abuse an apparent security feature, and turn it into a security flaw. And this is something that we need to understand, what the user falls for, in order to understand that the first four numbers are not a good authentication measure. Also, you need to anticipate how your features and your advertisements end up in the hands of the attacker.
For example, say that a bank, like Chase, has this alert service, if you sign up for it, and you are a Chase Bank client, then every time you perform a transaction of a certain type, you get an alert, whether by phone, or by e-mail. Let's use an e-mail case, now. A bank like Chase really needs to register chase-alerts.com, and alerts-chase.com, and they own these two domains, because if they don't, these domains will seem incredibly plausible to a user who receives an e-mail appearing to come from Chase, and having these links embedded. For example, assume for a case that Chase did not own these, and I want to register them and I were a phisher, then I could send you an e-mail that would seem incredibly plausible to you, and ask you to follow these links. And as you arrive at the target, of course, it would look like a Chase banking site. And so, this is about the features of the financial institutions. Also, you could consider advertisements. One advertisement could be mounted by phishers, if an attack, to say, "Look, we at Citibank are very proud of our new services, and we know you're not banking with us, but we would like you to switch. If you switch today, we will match what you put into your account up to the first hundred dollars. And, in order to transfer money, you can follow this link, and just take it directly from your institution." And this way, of course, what the phisher does is he or she achieves two goals. First of all, he doesn't need to target Citibank customers. Normally, the phisher has to know who they are targeting, or just be lucky, but here they are targeting everybody, except those who are with Citibank. So they get a much larger portion of the recipients who find it plausible. And second, they, of course, get the account number, or other information that allows them to take money out of the existing account.
They're not trying to establish an account with Citibank, and they're not worried about credentials that the user gives in order to establish this account. What they want are the credentials on the account from which the user, supposedly, would transfer the funds. So, these are examples of how features, and potential features or advertisements, could play into the hands of the attackers.
LINDA MCGLASSON: In your paper, The Human Factor and Phishing, you noted that information security specialists make the mistake of designing security to protect themselves, and why isn't this sufficient to protect the average consumer? And, what are some of the examples you can give that would illustrate this?
MARKUS JAKOBSSON: There can be several answers to those questions. First of all, security specialists, they apply security day out and day in. They think of nothing else. And, if they get a phishing e-mail, it's an amusement. My colleagues and I, we pass around phishing e-mails and compare them, and we all have a good laugh. So, security specialists, they will have a warped sense of what will fool people. It's very easy to start getting used to the level of attacks and being so abnormally paranoid, and able to distinguish attacks, that you don't realize that the average consumer isn't at the same level. And also, most security specialists are very technology-focused. They are trained as computer scientists, and they understand computers and algorithms, and how that works, but they don't necessarily understand human psychology. Not like con artists do. Con artists make great phishers. If you could have a con artist turned security specialist, you've really got the best of both worlds. Somebody who knows security and lives and breathes deceit.
LINDA MCGLASSON: So, what are some of the things that people judge e-mails for when determining its authenticity, and what do you think creates trust?
MARKUS JAKOBSSON: This is a topic I have done a lot of user studies on, and the answer is very interesting, or the answers, there are several of them. First of all, the average client of the financial institution looks at an e-mail and makes sure it looks right. It has to have the logos and it has to have the right general format. And, also, it needs to sound right. Whatever the material is, it needs to be contextually relevant. First of all, it needs to be from their institution. And, so, phishers could either hope that they have people that are with a given institution. And that becomes easier with smaller financial institutions, like credit unions, that are geographically located in a way that could be associated with the domain name to which the phishers send e-mail. For example, if somebody is with Indiana University, they are much more likely to be with Indiana University Credit Union than somebody who is not, and vice versa. And, so, they can increase the yield in this manner. Also, there are actual ways in which phishers can learn whom you are banking with, and this is rather upsetting. I have a small logo on my webpage, it's called "browser recon." It allows anybody who runs a website to which they can attract users to look at the browser history of that person's machine, and determine what places they have been to. And, of course, if you know that somebody's been to Citibank, you can safely assume that they are a Citibank customer. But, I could even look if they have been to the logout page at Citibank, and then I can tell for sure that they have to be a Citibank customer. Also, you could base it … That's somewhat advanced, though, you could maybe place it on IP address. You could figure out what institution somebody is likely to be with, based on their IP address. So, that is the second thing, the context of it, which is also included in the text.
If the material that causes people to log in somewhere, which is what they call the "mirror," if it sounds plausible, and if it hasn't been seen before, it has to have a psychologically appealing and new twist. And then there are minor things like disclaimers. In a study that I have been part of performing, we found that if people are confronted with two e-mails that look the same, but for the fact that one has a legal disclaimer at the bottom, and if you ask people to rate the likely authenticity of these two e-mails, then everybody says that the e-mail with the disclaimer is the most legitimate. And when you ask people why, they would say, "Well, phishers, they don't need legal disclaimers, and why would they do that?" And the legal disclaimer gives this warm, fuzzy feeling of trust that, of course, is very easily obtained by a phisher the same way. Just put a legal disclaimer onto their e-mail. And, also, people feel much more comfortable if an e-mail has a phone number which you can call if you have questions. They're not intending to call, necessarily. But the fact that there is a phone number makes them feel like somebody else would call, and if this was a fraudulent e-mail, it would, of course, be discovered in the process. So, you could have an e-mail sent by a phisher which contains the phone number, whether it is of the legitimate institution, or a number that nobody will pick up, or even a phone number that is controlled by the phisher, where somebody will pick up, and perhaps even ask for your mother's maiden name. So, phone numbers are another way that phishers can increase their yield. Also, plausible domains. People are much less likely to fall for a phishing attack in which the URL that they are asked to go to is an IP address. People do rely on those also, to some extent. And the yield almost falls in half if there is an IP address, as opposed to a real, normal domain.
And registering a plausible-sounding domain, something that has to do with an institution, or whether you put the institution's name in a subdomain, that really does increase the yield. With one of my students, we performed tests that the value, exactly the degree to which this is the case, to which people find it more plausible. And this is not laboratory experiments, where people know that they are being studied, but these are actually what we call naturalistic studies. Of course, we're not phishing anybody, we're not stealing anybody's credentials. But other than that, it looks just like a real attack. And we could determine that these are the things that people really do look at and do fall for. For example, customer name attacks, when they value an e-mail to determine whether it's legitimate or not.
LINDA MCGLASSON: So, you're saying if a consumer sees a padlock on his site, on a website, do they trust it more than one without? And, what are some of the examples you can give, and what is going wrong with SSL certification procedure, and explain to our listeners, what is SSL certification?
MARKUS JAKOBSSON: SSL is a way, a cryptographic technique used to secure the connection between a site and a user who connects to the site, so that nobody could tap into the conversation just by perhaps routing the traffic, and thereby learning what information is found. You don't want anybody to listen in to the credentials you've found. And, SSL has become one of the distinguishing aspects of whether something is a phishing site, or not. Typically, phishing sites don't have SSL locks on them. But, unfortunately, this is not important, because the average consumers, they don't notice the absence of the lock. Studies that I have been part of performing have shown very explicitly that people notice the inclusion of incorrect information, like if you call them "Joe" and their name isn't Joe, they would immediately notice, but people won't notice the absence of material. For example, if there is not a lock at the site, then that is not so noticeable as if you have something. And that is, of course, a concern, too. For example, financial institutions like Bank of America, that rely on SiteKey, which is a visual mark that people would have to recognize, in order to know that it is the site. So, what it is is that it's not always that people do notice. And you can even deceive them by saying in an e-mail that because of the Americans With Disabilities Act, we are now changing the image that you are going to see, and here, just below, you will find your current image. And, now, please go to this site, and the phisher would give a new image there, and acknowledge that you agree to this, but first, of course, you need to authenticate, so that we know that it is you. And that is one very bad way. But, back to the SSL. People don't notice it so much. And, people also don't notice where a lock is, if there is a lock.
For example, the SSL lock should be in the crown portion of the browser, so this gray part around, or in the address bar, depending upon what kind of browser you are using. Many institutions actually put it inside the log on. This is to signify what is called an SSL post, which means that once you do press submit, you've entered your user name and your password, then you start an SSL session, before the credentials are sent. And, institutions used to put a lock logo inside the content portion, in order to signify that this is the case. But, anybody can put a lock image inside the page. And also, you could use what is called a "favorite icon" attack. If you go to my webpage, for example, you will see a lock in the address bar. And many people might think that this is an SSL lock, but this is just the "fav icon." This is the small icon that you see, for example, if you go to newyorktimes.com, you will see a small logo that represents The New York Times. And anybody, any site can set this small logo in any way they wish. And the icon said it's to lock, in particular. But, there also are other ways in which you could put a lock in the corner, or what appears to be the corner. So, you could have, in several browsers, a crownless window. And then the content of this window will have material that looks like a crown with a lock. So, to anybody looking at this window, it looks like a normal window, whereas in fact, it is a window without the crown, without this gray frame, where the content has a frame, and a lock. But, the biggest problem, really, is that people do not pay attention.
LINDA MCGLASSON: What are some of the educational efforts taking place to change consumers' reaction to phishing, and how effective is it, in your estimation?
MARKUS JAKOBSSON: Well, institutions have to educate their clients to some extent, about phishing and online fraud, and they do it, of course. But these are dry descriptions, and screen shots, and it doesn't really teach people to understand phishing. And also, it's not attractive enough that people feel like they want to read it. If anything, it's a little bit scary and intimidating. And so, first of all, they don't necessarily target the people who need this information, and second, the presentation doesn't make it very easily digestible. And it might even be just a couple of screen shots of known attacks, and not quite any instruction of how to spot versions of this, or how to understand the underlying mechanism. Also, popular media has a lot about identity theft. For example, Reader's Digest last year carried two stories on identity theft, and what to do. But, these are very short and dry stories. They give a couple of suggestions, like, don't click on links, and all of these things that we are used to hearing. But, institutions do send out e-mails where you do have to click on links. So, it's hard for the consumer to know what are the good links, and what are the bad links, and it all boils down to understanding what is going on, and that is something that is not very well taught, in my opinion. Similarly, the FTC's educational effort, same thing. It's somewhat abstract and dry, and it doesn't really appeal to people in a way that makes them immerse themselves in it. Now, there are people who have realized this, and have tried to change this. For example, Lori Kramer, one of my colleagues at Carnegie Mellon University, she uses video games to teach people about phishing. And this noticed quite improved rates of people's understanding of what is phishing. First of all, because they managed to present it in a way that is appealing. So, people would sit down and actually participate in this.
But also, it manages to become less abstract, and more people can relate to it, and that is, of course, good. Also, I have, as part of my effort, developed a comic strip that, you can see two panels of it in the paper that we were talking about, The Human Factor and Phishing, which is available on my webpage. And this material is meant to make it very easy for the average consumer to understand important aspects of phishing and identity theft, and what to do to avoid it. And, in a way that is somewhat easily generalizable. So, it's not about one particular attack, it's about what is happening, and how can you understand it, and how could you detect a new version of this?
LINDA MCGLASSON: In anticipating threats, you and others have been on the forefront of "thinking a step ahead" all the time. What are some of the things that you would recommend we, as banks and credit unions, do to strategically stem phishing attacks?
MARKUS JAKOBSSON: Well, first of all, you need to understand trends in vulnerabilities, not only technical, but human, too. And the human vulnerability is to actually change over time, as people are educated, and as new technology is introduced and penetrating the marketplace. And also, you need to understand trends in countermeasures. For example, if we, for a moment, hypothesized that the takedown becomes very, very efficient and fast, then what will happen? That means that phishers will not be able to keep their sites up for very long, and so most of their potential victims who do click on the link will be taken to a site that no longer exists, and of course, that is a great disadvantage to the phisher, and they wouldn't want that to happen. So, the natural reaction to this would be for the phishers to have many sites. For an attack with a million potential victims, the phisher actually could have a million different sites, and each person who gets an e-mail would be taken to a new site, especially designed for them. Of course, this is not difficult, if you have the machines, you just zap the material on there. But, what it would mean is that when the financial institution initiates the takedown, that takedown of the site that they are aware of, whether it is from the honey pot or from the institution, or one of their clients, they are not doing a takedown of any of the others, because these would be unrelated domains and sites. And one very big concern of mine is that this is very easy to do. One of the easiest ways to do this is to compromise consumer routers, the access points that almost everybody has in their home. A Netgear router or a Linksys router. And on these compromised machines, which actually are pretty full-fledged computers, there you host content. So, say that an attacker might actually compromise a million of these.
That means now he could point other people, a million people, potential victims of an attack of his, to these million different access points. Takedown will be worthless. Takedown is not going to work when the institutions can't get all of them. And then you might ask, "How could this happen? How could an attacker compromise a million routers?" A couple of papers that I have been a co-author of have shown that this is terrifyingly easy. Firmware is a kind of software that is running on these machines, which doesn't disappear when you switch the machine off and then power it up again. It's a little bit like an operating system, in that it remains. The firmware can be replaced on a router. And in small experiments, we have seen that about half of consumer routers out there are vulnerable to this attack. Meaning, if I were to manage to get access to, by being close enough to a million routers, then 500,000 of these, I could compromise. But it gets worse, actually. This router firmware, you could think of it as router malware, actually could propagate from router to router. In a densely populated area, you could actually see more than one router at the same time. If you live in an apartment complex, you will see that it's not only yours that you can connect to, but you can connect to many others. So, imagine an attacker that compromises one of these routers, and then, as part of the compromise task, this router will sniff for other routers which it can compromise and spread the malware onto those, and it will propagate in a, maybe, epidemic manner, if there is enough connectivity here. And after it has propagated, all of those machines now, all of these routers are owned, in a sense, by the attacker. He could do whatever he wishes. And in particular, he could host material on them, phishing sites. So, that's the kind of, if you hypothesize the takedown becomes fast, you'd have to be afraid of a scenario like this.
Also, you would have to be afraid that keyloggers would become more common, and this is a threat that becomes very viable through games, and what is called mods, and screensavers, and other user-installed material. And, also, it's called metamorphic viruses. These are just viruses that are difficult for anti-virus software to detect because they change shape all of the time, and so the signature files that the anti-virus companies produce aren't likely to actually defend very well against them. Also, you can see as a third approach, if takedown becomes very fast, is that the phisher will just say, "Well, I'll do it through the phone, instead. I'll do phone phishing," or what some people refer to as vishing, that comes from voice mail, phishing. And that is also the likely reaction if phishing becomes spectacularly successful, well, they just avoid e-mail.
LINDA MCGLASSON: That's some very, very intriguing comments you just made on the ways that these guys will be approaching phishing. My next question is going back to something that you had mentioned earlier, about domain names. Do you recommend financial institutions also take the domain names that match existing or future potential services or features of the institution or its competitors? And what about how they should handle institutions that are merging, and possible misuse of domain names in that case?
MARKUS JAKOBSSON: This is a good question. Let me answer this by two examples. Some time ago, Bank One was acquired by Chase. And this became a very vulnerable time to clients of Bank One, because they weren't quite aware of what Chase looked like, and what the form of logging into Chase was. Nor were they so sure about the URLs and all other aspects of online banking, either. So, say that a phisher would register a domain like bankonebecomeschase.com. Most people would find that rather plausible, I would argue. And so, then you take advantage of the fact that people are vulnerable, at the same time as you have an opening to use a new domain name that wasn't very meaningful before. Another thing that you could do is, if you are an institution, apart from registering these in advance, would be to look at attacks that are occurring and targeting other financial institutions. For example, there was an attack that many refer to as the Chase Rewards attack last spring, in which a lot of people got e-mails, saying "Dear Chase customer, we would like to know how you like our services, and please fill in this survey, and you'll get $20 for the effort," and then it was increased to $50, and yet later to $100. And if the user took time to answer the survey, which was not of any interest at all to the phisher, they would get this reward. And of course, the way in which they would get the reward would be to log in. So, this was just a psychologically complicated way of getting to the user credentials. Now, what happened was that phishers realized that this was rather successful, but that there were other institutions, as well, that they could target. And, only some months later, you started seeing it on Washington Mutual. Now, as soon as that happened, I went out and registered wamu-rewards.com. This is something Washington Mutual should have done.
They should have done it the moment they saw the Chase attacks, many of which were performed using domains like chaserewards, or similar. They should have taken every domain which they saw in the Chase attacks, and they should have registered the same domain, principally stopping the attacker from using those, if they were to turn to Washington Mutual. And, by the way, if anybody is listening to this, and you do work for Washington Mutual, I would be quite happy to transfer this domain to you. But, I need to know that I've transferred it to you, of course. And, so you should practically look at what could happen to you, based on what is happening to others, and what could happen to you because of your particular situation.
LINDA MCGLASSON: That is just amazing. You also, I think, in your paper noted one phishing group actually used two letter "V"s, standing side by side, to phish Wachovia. And the two "V"s looked like the "W."
MARKUS JAKOBSSON: Yeah.
LINDA MCGLASSON: It's something that institutions should really be looking at, and it's not just the big guys, either. It's some of the mid to smaller size asset banks and credit unions that should be observing, and closely watching the domain names around their domain name, or offshoots of it. Going on to another question. It's been estimated that more than 10% of all networked computers run botnet software. And I'll let Dr. Jakobsson explain what botnet software is. And an even larger amount are still affected by various forms of malware. What would you recommend to institutions on how to battle these things that are happening?
MARKUS JAKOBSSON: Well, first of all, botnet is a type of malware that is remotely controlled by an attacker. When I spoke of the attacks that could be performed using consumer access points and routers, what I really described was a botnet. It's a large number of machines that are controlled by the attacker, and which perform tasks on behalf of the attacker. And these are also used for what is called distributed denial of service and they are used for spam, but they could also be used to host phishing pages and other things. And, so more than 10% of all computers, it has been estimated, do have botnet software. And that is, of course, quite worrisome. What we need to do is to notice if any one particular computer does, or, not only with botnet software, but with malware in general. And one good way of knowing that is, of course, if you make everybody use anti-virus software, then the anti-virus software will catch this, but not everybody does use anti-virus software, and it's sometimes misconfigured, and also, it's not bulletproof. It only takes care of known threats, and it can't take care of threats that just started to occur until the anti-virus company updates the, what's called the signature files. So, there is one way in which you could counter this threat. It's referred to as remote harm detection. It's a way to remotely, from the financial institution, scan the machine of a person who comes there. It doesn't need executables, and you certainly don't want your clients to have to download executables, because it trains them to do very dangerous things. But, just by arriving at your webpage, being there, we will scan certain aspects of your computer, and in particular, the browser history of the client, to see if they have been to bad places, or places that signify having been corrupted. And, so that is one way of detecting whether a machine has been compromised.
And if you know that it has, then you know, of course, not to trust anything that comes from that machine. It could also host a keylogger, and it is a machine that is dangerous, in some sense, and you need to flag it.
LINDA MCGLASSON: And, going onto our next to the last question. How can banks and credit unions anticipate threats from strengths and weaknesses? And, do you have any examples that you can give to illustrate this?
MARKUS JAKOBSSON: I'll give you a couple of examples. One is to say that there is better detection of spoof messages, say that software in general, or people in general, become better at detecting if it's spoofed or not. You'll see more similar name attacks. These are attacks that rely on names that somehow, mentally, to the user, relate to the brand that is being impersonated. For example, I mentioned the potential phishing attack, in which it could say, "Switch to Citibank, and you'll get $50," or something like that. An attack that would relate to this might correspond to a domain name which is switched to citi.com. And so, if you have better detection of these, these types of attacks are probably going to increase. When people become aware of IP addresses more, and get more afraid of them, you will see this. Also, if I register a domain like organchase, it sounds like a ridiculous domain. Say organchase.com. I could actually use what's called a subdomain, this is the text that comes before the domain name on the webpage. If I use JPM as a subdomain, what it would look like when you look at the URL is jpm.organchase.com, which most people will read like "jpmorganchase," and it could look legitimate. So, you get these wacko looking domains that are effective. So, banks should not only register what looks similar, like you mentioned, instead of "W", you could register something with two "V"s, and not only what psychologically is related, like switchtociti, but they should also register things that are kind of subsets of this, like morganchase.com.
LINDA MCGLASSON: And, finally, our last question with you, Dr. Jakobsson, do you have any best practices that you would like to share with all the financial institutions out there, that they should be following, to fight the phishers?
LINDA MCGLASSON: Actually, I have just thought of one last, final question for you, and it is regarding the most recent news that broke, I believe last Friday, on the phishing attack at the Swedish Bank Nordea. What is your opinion of what happened, and maybe you can explain to our audience your thoughts on it?
MARKUS JAKOBSSON: Well, this was a very well-organized attack, in which a large number of users were phished, and it is believed it was the Russian mob that stands behind the crime. Technically speaking, in fact, logically speaking, there is nothing particular about the attack. It was spectacularly efficient, in that it extracted around a million dollars from users, from clients, which was later reimbursed by this bank. But, then again, that might just be because of openness that we learn about this, and it looks so spectacular. There might be other banks that face similar kinds of attacks every once in a while. But, what is really special about the attack is that it highlights the problem, not that it changes the way things are done, or that they used a new technique, or anything. It's just a very successful attack.
LINDA MCGLASSON: Okay. Dr. Jakobsson, I'd like to thank you so much for your time today. And we will look forward to hearing more from you in the future, as new mitigation techniques are developed. Our listeners can look for Dr. Jakobsson's book, Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, published by Wiley Publishers, and it is available on Amazon. I'm Linda McGlasson, and this is another interview in the CUInfoSecurity.com broadcast series. Tune in soon for the next interview in our series with information security experts, cyberluminaries, and top financial institution leaders. So long until then.