According to online watchdog Netcraft, SunTrust (NYSE:STI) left its website open to actual use -- not just imitation -- by Internet phishers recently, with predictable results: When your house has a crack, sure as shooting, a critter will scurry through it sooner or later.
Ordinary phishing scams go something like this: Trading on the trust accruing to a respected company's brand name, online thieves build a website imitating the layout, color scheme, and, of course, the brand name of the company in question. The phisher then sends out thousands (sometimes millions) of emails in an "email blast" to random recipients, trusting that a significant portion of them do business with the company. Take the well-known example of Citigroup (NYSE:C). Phishers send out emails purporting to be from that bank, requesting recipients to click on a link to Citibank's website (actually leading to a dummy site) and there "confirm" their account information. Most Net-savvy consumers are on to the scam by now, but a few won't be -- they'll trustingly click through, see what appears to be Citigroup's website, and hand their information over to the thieves. A short time thereafter, the thieves will use this information to drain the customers' real Citigroup bank accounts.
That's how it usually works. But the SunTrust scam is more insidious: through a hole in that bank's Internet security, the phishers were actually able to "inject" their own code into SunTrust's site. Thus, when they send out their phishing email, a customer who clicks the link in the email goes to SunTrust's real site -- which is running the phishers' code. Any information the customer enters there, however, is swiftly rerouted to the phishers' server in Korea.
As bad as all this sounds, it's only the beginning of the story. For according to Netcraft, SunTrust's site was used in a similar phishing scam about three months ago (one which struck home at the Fool), and Netcraft predicts that this is a trend in online fraud that is about to take off. Troubling news for online bankers. But this could also be opportunity knocking for investors in Internet security firms such as Symantec (NASDAQ:SYMC), McAfee (NYSE:MFE), VeriSign (NASDAQ:VRSN), and Corillian (NASDAQ:CORI).
Fool contributor Rich Smith owns no shares in any company mentioned in this article.



