The German Ministry of Finance has applied some lateral thinking in order to warn potential victims of a new phishing campaign. Fraudulent tax refund emails doing the rounds in Germany seek to con marks into handing over sensitive information in order to claim a tax refund. The scam email uses images pulled from the genuine …
In other words...
... they put in a bit of code to check the Referrer for each request and serve up a different image if it wasn't from within their own website.
Not hard, and I've seen this used as far back as 1995 to ward off image thieves.
The real question is: "why isn't it used routinely?"
Why isn't it used routinely?
1. The HTTP_REFERER variable is extremely unreliable - it's trivially easy to spoof, and in addition, many proxy servers strip it out. Any bandwidth thief with any technical competence would already mask it out when fetching it for their site or email.
2. A slightly better way to ensure requests for images originate from your own site is to set up a mod_rewrite in your .htaccess script (this is how some sites were famously able to substitute the well-known goatse.cx image for their real images whenever someone tried hotlinking them). However, not all web hosts offer access to .htaccess, and even fewer webmasters know how to set it up. Finally, it too can be circumvented by a determined image bandwidth thief.
I might add that the best way I've found to protect images from bandwidth theft is to bury them as binary data in a SQL database, and embed them into a page on-the-fly using PHP. Thus, any access to an image requires a login to the database plus a valid session id. As to why this hasn't been more widely adopted: 1) it's a lot more work than just using <img> tags and 2) a lot of people probably haven't figured out that, or how, you can do it that way.
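To make the Referer check from the thread concrete, here is an added example (not the ministry's code, and not code from any poster above) of the decision a server would make for each image request: serve the real graphic to requests referred from the site's own pages and a warning graphic to everything else. The hostnames, file names and the constructed sample requests are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Hostnames whose pages may legitimately embed the images (assumed values;
# substitute the real site's hostnames).
OWN_HOSTS = {"www.example.gov", "example.gov"}

REAL_IMAGE = "logo.png"        # the genuine graphic (assumed file name)
WARNING_IMAGE = "warning.png"  # the "this mail is a scam" graphic (assumed file name)


def referer_host(headers):
    """Extract the lowercase hostname from a Referer header.

    Returns None if the header is absent (proxies and privacy settings strip it)
    and "" if it is present but is not a usable absolute URL.
    """
    value = headers.get("Referer")
    if value is None or value.strip() == "":
        return None
    try:
        host = urlsplit(value.strip()).hostname
    except ValueError:  # e.g. a malformed IPv6 literal in the netloc
        return ""
    return host.lower() if host else ""


def choose_image(headers, allow_blank_referer=True):
    """Pick which file to serve for an image request based on the Referer."""
    host = referer_host(headers)
    if host is None:
        # No Referer at all: allowing it avoids punishing visitors behind
        # Referer-stripping proxies, at the cost of letting a hotlinker who
        # simply omits the header through.
        return REAL_IMAGE if allow_blank_referer else WARNING_IMAGE
    if host in OWN_HOSTS:
        return REAL_IMAGE
    return WARNING_IMAGE


def demo():
    """Constructed requests covering the cases the thread discusses."""
    cases = {
        # Legitimate request from the site's own page.
        "own page": {"Referer": "https://www.example.gov/refund"},
        # Webmail client rendering the phishing mail: Referer is the mail site.
        "webmail": {"Referer": "https://webmail.example.net/inbox/42"},
        # A proxy stripped the header; no Referer at all.
        "stripped": {},
        # A thief fetching the image for his own copy, faking the Referer.
        "spoofed": {"Referer": "https://www.example.gov/"},
        # Look-alike host and userinfo trick both fail the exact-host match.
        "lookalike": {"Referer": "https://www.example.gov.evil.example/x"},
        "userinfo": {"Referer": "https://www.example.gov@evil.example/x"},
        # Garbage value that does not parse as an absolute URL.
        "garbage": {"Referer": "not-a-url"},
    }
    return {name: choose_image(h) for name, h in cases.items()}


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{name:>9}: {served}")
```

Running `demo()` shows the limits the second poster describes: the "stripped" request gets the real image only because blank Referers are allowed, and the "spoofed" request is indistinguishable from a genuine one, so the check defeats naive hotlinking (including a phishing mail that embeds the live image URL) but not a determined thief who fakes or omits the header.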
This is why you don't include external media on your website/email, in case someone exchanges it for something malicious. In this case, vice versa.
What are the chances of any Government department in the UK being on the ball enough to do this? I suspect very low if IT is not outsourced (lower if it is).
What I can't get is: all I do is put the pointer over the "click here to enter details" and I can then see the real address, which clearly isn't anything to do with tax etc.
Perhaps we should educate users into doing this rather than spending millions of pounds, euros, dollars etc. on things like image poisoning. The scammers will adapt, but they can't hide a genuine URL...
Now scammers will have to host their own copies of the pics instead of directly linking to the original source.
Still a good idea to defuse the current wave of scams, though. Looks like German gov IT is not as useless as in some other countries #cough#
And at least that will cost the scammers more bandwidth, so a thumbs up.