Credit union websites hacked, host phish


In the past two weeks, Internet Identity has discovered two phishing sites that were hosted on legitimate credit union websites.  Neither phishing site was targeting the credit union where it was hosted; instead, the sites were targeting multi-national banks.  However, there was nothing to prevent the phishers from targeting the CUs whose sites had been hacked.

Upon discovering the sites, we immediately notified the FBI and Secret Service.  We then contacted the compromised institutions.  In one case, involving a Wisconsin-based CU, the CEO we spoke to didn't believe the compromise was her problem; rather, she considered it her web host's problem.  She also suggested that our call, and the call she had received moments earlier from the FBI, were actually being made by the criminals!  Fortunately, the FBI received much better cooperation from the site host and was able to get the site taken down quickly and collect good evidence.

These cases point out two issues.  First, your site is your responsibility, even if you outsource the hosting of it.  After all, it is your name on the site, not the web host's.  So you need to make sure your web hosting provider employs strong security practices.  Second, many of your peers who have not been attacked by phishing remain dangerously ignorant about what it is and how it impacts them and your industry as a whole.  It would be a bold phisher indeed to call a financial institution claiming to be the FBI or a security company, yet this incident is not the first time we've gotten such a reaction.

Internet Identity strongly recommends that you, our clients, educate and inform your peers about phishing.  Just as educating your customers is a key component in your anti-phishing efforts, so too is educating your peers.