The sting that hit electronics retailer Best Buy on Wednesday hinged on a simple trick: e-mailing a link that seemed to go to the electronics retailer's site.
Instead, the click-through went to a phony look-alike where users were asked for vital personal information including credit card and social security numbers.
The debacle now has some concerned that online merchants make it even easier for fraudsters to hustle people with the redirect dodge by using odd domain names or using more than one. Best Buy's plight already has the sector rethinking their strategies.
"Businesses should stick with their key brand domain names," says Internet security expert Dave Nielsen, who operates the consumer information Website fightidentitytheft.com. "It's a bad idea to use cute domains for a promotion."
For example, Citibank uses the perfectly straightforward Citibank.com; however, its online marketing uses citicards.com - even though the user is automatically taken to Citibank.com.
Unfortunately, making changes is not so easy. A business may use an unfamiliar domain name because the most logical one is already taken, or because an outside company is handling registration or promotions, says content security consultant James Sinclair of Adhaero Technologies. He cites the example of United Airlines' Web site: www.ual.com. The airline owns United.com, but not united.biz nor united.net.
"They can't buy up every possible permutation," Sinclair told internetnews.com.
Still, Sinclair asks, does it have to redirect people who click on promotional offers to the very spammy-looking www.ua2go.com?
There's a similar dilemma with Sunnyvale, Calif.-based Internet media giant Yahoo!. Sinclair says Yahoo!'s practice of using naming conventions such as dailynews.yahoo.com and biz.yahoo.com is confusing enough that for the most part, users have easily accepted it as legitimate. While keeping domain name usage consistent may help, Sinclair says there are plenty of other tactics that can be used to deceive users. That is especially true when tricksters put the real business domain name in front of the @, followed by the IP address of the crooked site. When they see http://News.yahoo.com_:_daily_news@66.39.52.192, for example, Sinclair says many users assume they must be going to Yahoo's servers.
While there are hordes of vendors consulting on network security, merchants have few resources when it comes to finding the best practices for organizing their e-commerce, e-mail and online customer support operations.
The Internet Fraud Complaint Center, which lets victims file complaints electronically, has a single page of tips for consumers but no info at all for businesses. An FBI spokesperson did not return repeated calls, and a staffer at the FBI's press center could not identify any other resources available for merchants.
The non-profit Merchant Risk Council, established in 2000, (Its website whose URL doesn't match the organization's name) shows no evidence of activity by the group since early 2002, and it could not provide a spokesperson.
The leisurely pace of these organizations is no match for the speed of Internet hucksters, according to Nielsen and the response of businesses when they've been hit is often not much better.
"Something like [the Best Buy scam] only needs a day for the damage to be done," says Nielsen. "The old methods don't hit the mark."
Best Buy's e-mail warning to customers arrived in his inbox this morning, nearly two days after the company became aware of the problem. Nielsen calls that "weak."
