I've written in the past about how phishers and other online scammers are attaching themselves to topical items like tax season and holiday shopping. Well, now it looks like March Madness is the latest victim.
That makes all the sense in the world. These fraudsters are trying to trick Internet users into giving away information or giving malware access to their systems. Originally it was a matter of spoofing someone's PayPal or bank account. As users have gotten wiser (although these workhorse counterfeits are still happening in huge numbers), the attackers have constantly sought green fields. One consistent technique is to take the prospective victim out of the context in which he is looking for a scam. Your bank account is too suspicious? No problem. How about your utility bill or your favorite e-commerce site or your wireless phone service? Account lockout is too obvious? Okay, we can go with March Madness or tax filing or election fundraising or Halloween. We saw them with Katrina and Rita. We saw them with the tsunami.
This trend, I'm sure, will continue. We will continue to see tailored exploits using whatever is in the news this month.
The solution, of course, is to definitively know who is operating any given site. If all consumers were looking out for this information and if all sites were using something like EV SSL today, these techniques wouldn't work anymore. Instead they're rife. They're growing.
So what do we need to do? It's really up to the sites. Over 70% of client systems on the Internet are enabled for EV today. That's a very high figure. While site adoption has grown very quickly as well, it's far behind client systems. Those organizations that make the rules for the sites can help drive this process. They can take their cue from the IRS and require EV on sites that ask consumers for information or that ask them to download applications, updates, or codecs.