A worldwide phishing attack on carbon emissions trading registries forced registries in nine countries to shut down, while in other countries trading was temporarily suspended. A group of criminals set up fake registries (phishing sites) and then sent messages to thousands of users at different companies, making off with about 250,000 emissions permits, worth over 3 million Euros ($4.1M, £2.6M).
Taking a quick look at several of these emissions trading registries’ websites (DEHSt, DEFRA, ETR.ie, etc.), it appears that SSL certificates are the extent of the security on all of them, and a server certificate only proves the site’s identity to the browser; it does nothing to stop a user from typing a password into a lookalike site. While the banking industry is generally perceived to be very conservative when it comes to adopting new technologies, in the past several years a large number of banks have chosen mutual authentication technologies as an effective and low-cost solution to fight phishing. As criminals learn of new schemes where social engineering can turn into profit, they will pursue other industries that are vulnerable because they have not adopted safe login mechanisms.
The moral of the story? Mutual authentication isn’t just for banks. Companies in other industries need to anticipate cyberthieves just as much as banks do. What’s next?