Web Security – A Losing Battle

Not only are we fighting a losing battle but we’re having to battle the good guys!

Picture the scene: you receive a link that says it’s from your bank, the webpage that opens looks like your bank, and they want you to give them some information… what do you do?

Anyone that’s been around the web for more than a few minutes will have heard of scams and phishing, and will know the basics by now.

  • Does the website address say what you’d expect it to say?
    • Using a modern browser this is made a little easier, as the domain of the website is highlighted… nope, it doesn’t look like anything you recognise. Alarm bells!
  • Does anything about the website look a little bit off?
    • Well, now you mention it, the icon at the top of the page looks like it belongs to a different bank!
    • Given that this is for a UK bank, it does seem odd that the example telephone number given is in American format.
  • Has the link come from someone/somewhere that you trust?
    • Well I found the link on Facebook… stop right there!
  • If you’re feeling adventurous then take a look at how the website is made, anything else look dubious?
    • There’s a big image on the page, and that’s coming from another website that doesn’t look familiar
    • There’s a disclaimer that the promotion has nothing to do with Facebook and that you’re providing your information to the bank, but the submission form doesn’t go to the bank
    • Trying to browse back to the front page of the website to find any useful contact info, all you get is an error page
  • Just for giggles, what happens if you submit some gibberish information?
    • There’s a popup asking for permission to access my Facebook account, and there’s no way to continue without handing over permission
  • Oh look there’s a link for a privacy policy and that links directly to the actual bank’s website…
    • …but there is no mention of Facebook or this promotion on that privacy policy 🙁
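
Several of the checks above boil down to one question: does each script, image, form submission and link actually point at the same organisation as the page itself? This added example (not part of the original post) automates that check over a constructed HTML page with made-up `.test` hostnames; the two-label "registrable domain" rule is a simplifying assumption, not a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page modelled on the checks listed above: the page is served
# from one host, the scripts and big image come from other hosts, the form posts
# somewhere that is not the bank, and only the privacy policy link reaches the bank.
PAGE_URL = "https://promo.example-site.test/microsite/pages/abc123"
SAMPLE_HTML = """
<html><head>
<script src="https://scripts.example-vendor.test/app.js"></script>
<link rel="icon" href="https://cdn.example-cloud.test/otherbank.ico">
</head><body>
<img src="https://cdn.example-cloud.test/banner.jpg">
<form action="https://collect.example-vendor.test/submit" method="post">
<input name="account"><input type="submit"></form>
<a href="https://www.example-bank.test/privacy">Privacy policy</a>
</body></html>
"""

# (tag, attribute) pairs whose URLs tell you where content comes from or data goes to.
WATCHED = {("script", "src"), ("img", "src"), ("form", "action"),
           ("link", "href"), ("a", "href")}

def registrable_domain(host):
    """Crude organisation part of a hostname: its last two labels (assumption)."""
    return ".".join(host.lower().split(".")[-2:])

class OriginCollector(HTMLParser):
    """Collect every watched reference, resolved to an absolute URL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []  # list of (tag, absolute_url)
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in WATCHED and value:
                self.refs.append((tag, urljoin(self.page_url, value)))

def cross_origin_refs(page_url, html):
    """Return (tag, url) pairs whose registrable domain differs from the page's own."""
    parser = OriginCollector(page_url)
    parser.feed(html)
    page_dom = registrable_domain(urlsplit(page_url).hostname or "")
    return [(tag, url) for tag, url in parser.refs
            if registrable_domain(urlsplit(url).hostname or "") != page_dom]

def summarise(page_url, html):
    """Map each tag type to the set of foreign hostnames it pulls from or submits to."""
    report = {}
    for tag, url in cross_origin_refs(page_url, html):
        report.setdefault(tag, set()).add(urlsplit(url).hostname)
    return report
```

A form whose action resolves to a different organisation than the page is the single strongest signal in the list, so `summarise(...).get("form")` is the entry to look at first.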

All in all you might be forgiven for assuming that this is a phishing scam, looking only to con you into handing over some personal information that could later be used against you for some nefarious mischief that’s surely not going to benefit you. This isn’t a made up scenario. Earlier today this link popped up on my screen https://www.wf-site.com/microsite/pages/160c6438a43b32ba and in case the link expires here’s a screenshot.

Looking further into the details, there are scripts being called from a website at wildfireapp.com, the SSL certificate of the website has been issued to a company called Wildfire Interactive, and the domain name is apparently registered to Google. The website is hosted on Amazon cloud services (the same domain that the big image comes from), but given that Wildfire wasn’t originally a Google company that’s understandable.

This Wildfire name fits with the wf-site address of the website and gives us something more useful to go on. Looking up Wildfire, they are a social media marketing and advertising company that was bought by Google in 2012. It’s reasonable to think that a legitimate business or bank might use such a company for promotions and marketing.

So in summary, almost every check that can be expected of the average web user screams that this website is a scam, while digging into the murkier depths suggests it’s (probably!) legitimate. How can Information Security professionals be expected to give advice on how to protect personal data when the companies that are meant to be looking out for us are going completely against all good practice? Your suggestions are most welcome…