Phishing scams are a pain in the ass. Not only are they a pain for the millions of email users who wade through a regular tide of them every day, they're an equal pain for I.T. professionals. Unfortunately, nonprofits are becoming easy targets for the criminals out there bent on using the internet to fuel their thievery…
In case there’s still anyone out there who isn’t familiar with phishing scams, Wikipedia defines them as,
…a form of criminal activity using social engineering techniques. It is characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication. Phishing is typically done using email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to “fish” for users’ financial information and passwords.
If you saw the movie Catch Me If You Can, you likely remember that the main character, con man and master forger Frank Abagnale Jr., started his criminal career with laughable check forgeries but later refined his skills to the point where his checks couldn't be distinguished from the genuine article. Unfortunately, phishers are following a similar path, albeit in a fraction of the time it took Frank Abagnale Jr. to refine his skills.
Sadly, one of those refinements is for phishers to hack into honest business servers and host, or plant a redirect to, their harvesting page (the actual web page they use to collect the victim's personal information). This way, they conduct their criminal activity under the cloak of a legitimate business, and the link in the email carries a domain name that passes exactly the sort of check a cautious reader would make.
Toward the end of last week, I received a phishing scam from someone claiming to be eBay. Whenever I have the time, I usually hover my cursor over the URL that directs me to the "update my records" harvesting page. I'm always curious to know the domain name the scam utilizes, and this URL caught my attention. Instead of the typical configuration of IP addresses and Eastern European domain suffixes, this one looked quite legitimate.
As a matter of fact, I recognized this domain name as a sub-domain for a company that develops fundraising software exclusively for nonprofit organizations. What really caught my attention was the unassuming, yet out of place, extension following the domain suffix: “index2.html”.
I copied the entire harvesting page domain name and did a Google search for the URL. Sure enough, Google pulled up a few hits for the legitimate company with that URL. I went ahead and followed the link and, unsurprisingly, it redirected me to the phisher's harvesting page (complete with the anonymous IP-address configuration and Eastern European domain suffix I had been expecting).
I immediately picked up the phone, called the legitimate software development company and asked to speak with their I.T. manager because I believed their security had been compromised. They put me right through, and I told him about the phishing email I had received and forwarded him the message. A few seconds later I heard a soft curse, followed by an admission that their company had endured a security breach the previous weekend and that they had been cleaning out redirect pages like this one ever since.
He thanked me for calling and commendably provided details about their security breach, on the condition that I not reveal the company name.
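Both checks in that story can be scripted. What follows is an added example, not code from the original post or from the company involved: the first function pulls the anchors out of an HTML email and flags any whose visible text names one site while the href goes to another (the eBay address in the text versus the fundraising vendor's subdomain in the link); the second extracts meta-refresh and JavaScript redirect targets from a page and reports those that leave the site, which is what an administrator cleaning out planted pages like index2.html across a web root needs to find. The email, the redirect page, the fundraising.example.org host and the 203.0.113.7 harvesting address are all constructed samples; nothing here is the actual phishing message or the company's real site.

```python
"""Triage helpers for the two checks in the story above: a link whose visible
text names one site while its href goes to another, and a planted page whose
only job is to forward the visitor off-site to the harvesting page.
Added example, not the original post's code. All sample data is constructed."""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample email: the visible text says ebay.com, the href does not.
SAMPLE_EMAIL_HTML = """
<p>Dear member, please <a href="http://fundraising.example.org/index2.html">
update your records at https://www.ebay.com/update</a> within 48 hours.</p>
<p>Questions? See <a href="https://www.ebay.com/help">www.ebay.com/help</a>.</p>
"""

# Constructed sample of a planted redirect page (hypothetical addresses).
SAMPLE_REDIRECT_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://203.0.113.7/ebay/login.php">
</head><body>
<script>window.location.replace("http://203.0.113.7/ebay/login.php");</script>
</body></html>"""

def site_of(host):
    """Crude site key for comparison: IPs as-is, otherwise the last two labels.
    Good enough for ebay.com vs example.org; mis-groups example.co.uk-style names."""
    host = (host or "").lower()
    if re.fullmatch(r"[\d.]+", host):
        return host
    return ".".join(host.split(".")[-2:])

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def find_mismatched_links(email_html):
    """Return (href, text, reason) for anchors whose text names a different site
    than the one the href actually goes to: the hover check, automated."""
    parser = _Anchors()
    parser.feed(email_html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        m = _HOST_IN_TEXT.search(text)
        if m and site_of(m.group(1)) != site_of(href_host):
            findings.append((href, text, f"text names {m.group(1)}, href goes to {href_host}"))
    return findings

# Meta refresh and the common JavaScript forms of a forced navigation.
_META_REFRESH = re.compile(
    r'http-equiv=["\']refresh["\'][^>]*content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
_JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*["\']([^"\']+)', re.I)

def redirect_targets(page_html, page_url):
    """Every absolute URL the page forwards its visitor to."""
    targets = set()
    for rx in (_META_REFRESH, _JS_LOCATION):
        for m in rx.finditer(page_html):
            targets.add(urljoin(page_url, m.group(1)))
    return sorted(targets)

def offsite_redirects(page_html, page_url):
    """Redirect targets that leave the site the page lives on."""
    here = site_of(urlparse(page_url).hostname)
    return [t for t in redirect_targets(page_html, page_url)
            if site_of(urlparse(t).hostname) != here]

def scan_pages(pages, site_url):
    """pages: iterable of (relative_path, html). Returns the paths that redirect
    off-site, i.e. the planted pages an administrator would need to clean out."""
    return [path for path, html in pages if offsite_redirects(html, urljoin(site_url, path))]

def walk_webroot(root, exts=(".html", ".htm", ".php")):
    """Yield (relative_path, contents) for every web page under a document root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    yield os.path.relpath(full, root).replace(os.sep, "/"), fh.read()

if __name__ == "__main__":
    for href, text, why in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"suspicious link: {href!r} ({why})")
    pages = [("index.html", "<html><body>Donate here</body></html>"),
             ("index2.html", SAMPLE_REDIRECT_PAGE)]
    print("planted redirect pages:", scan_pages(pages, "http://fundraising.example.org/"))
    # Against a real document root: scan_pages(walk_webroot("/var/www/html"), "https://your.site/")
```

The site comparison in site_of is deliberately crude (last two labels, or the bare IP), which is enough to separate ebay.com from a vendor's subdomain or a numeric address but will lump together unrelated names under country-code suffixes such as co.uk. A legitimate same-site redirect (an old donation URL forwarding to the new one) is not reported, so the scan output is a short list of pages worth opening by hand rather than every redirect on the server.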
It's only a matter of time before phishing scam artists realize that many nonprofit servers are poorly protected compared to for-profit corporate servers. In particular, many orchestras have less than adequate security measures, and no oversight procedures that would catch a breach once it has happened.
Here's an example: in the 2005 Orchestra Website Review I discovered several orchestras which didn't even realize that their legitimate donation pages contained broken links which prevented users from actually making donations. One orchestra failed to correct a broken link to their online donation page for more than five months, until the problem was pointed out in the website review (it makes me wonder whether they even realized they weren't getting any online donations during that entire period. Wow.) What's worse, more than half of the orchestras reviewed didn't even include security statements on the donation page.
In the case of the phishing scam which came across my email last week, they only compromised a server to install a redirect to their harvesting page. But what is going to stop them from using a compromised site to host the entire harvesting page (other than the marginal benefit of keeping the harvesting page in a foreign country, where it is harder to get shut down)?
Some phishing scams and harvesting pages already look so good it’s hard to see a visual difference between them and the real thing. As such, creating a harvesting page that looks precisely like a legitimate orchestra fundraising page wouldn’t be hard to accomplish.
Here’s a grim, but not farfetched, scenario:
Cyber-criminals hack into an orchestra’s database and abscond with the email contact information for current donors and ticket buyers.
While there, the cyber-criminals install a harvesting page on the orchestra’s now compromised server.
The cyber-criminals then send out a phishing email to the entire donor list making it seem as though there’s a critical need for donations: for example, “Please help, we had our bank account drained by cyber-criminals and we need your donation now to make payroll!”.
The cyber-criminals leave the harvesting page up as long as possible to suck everything they can out of the email list (which likely includes a number of older patrons, the demographic most at risk from phishing scams).
So How Can It Get Better?
Orchestras which already employ a full-time I.T. professional are not likely to experience much difficulty, since they already have someone watching over their system. Assuming they keep an eye on their server, they should be able to catch and contain an attack like the one above quickly.
However, as is so often the case, the organizations which have the least resources will also have the most difficulty protecting themselves. The majority of orchestras don't employ a full-time I.T. professional; in fact, a number of ensembles direct only meager resources toward their websites. They hire low-cost consultants and/or accept gratis work from well-meaning I.T. specialists.
As the example above about the orchestra that didn't even know its donation page was not functioning for more than five months already demonstrated: too many ensembles spend so little time examining their own web server that they don't even know when the site is experiencing critical errors. For many of these ensembles which don't employ an I.T. professional to aid in this task, I'm afraid that things will likely get worse before they get better if they don't take appropriate measures. They're apt to have to endure a breach of server security, resulting in a tarnished reputation throughout the community and among their donors. Then they'll hire an I.T. manager.
Another option is to reallocate budgetary resources and hire an I.T. manager before the previous scenario plays out. Of course, that’s just a sterile way of saying they’ll have to eliminate or downsize an existing administrative position in order to have enough funds to hire a competent I.T. manager.
On the bright side, there are some additional solutions. They aren't as secure as hiring a full-time I.T. manager for the organization, but they can help. For example, an orchestra could partner with other nonprofit performing arts organizations in its area to contract the full-time services of an I.T. manager whose explicit function is monitoring the security of their respective websites.
Another simple protective measure is for orchestras to begin including the same sort of basic language many websites already employ: a statement that the organization will never ask for passwords, account numbers or other personal information by email, and that individuals should report any phishing scam to the orchestra if they receive one. In order to aid in these efforts, orchestras need to create an easy-to-find link on their website which makes reporting a phishing scam (or any online abuse, for that matter) as quick and simple as possible.
These final measures aren't a foolproof way of protecting donors and ticket buyers against phishing scams, nor are they designed to protect servers against attacks. However, they do offer a way for orchestras to minimize the damage and maintain a good relationship with their donors and ticket buyers. If an orchestra fails to implement these simple protective measures and ends up the victim of a phishing scam, then it has only itself to blame.
In the end, it’s only a matter of time before I.T. professionals become a required member of every orchestral administrative staff. The sooner an organization jumps on board by hiring one, the better.