Will have ‘minimal impact’: Ed Dubrovsky, chief operating officer of incident response firm Cypher, is skeptical of the effectiveness of court action. Phishing-as-a-service operations don’t have to be on American soil, he explained, so court orders and legislation will likely have minimal impact on smishing or phishing attacks.”However,” he added, “I can understand that even small steps can lead to broader impact, and that might be why Google is taking these steps.”But this and similar court actions won’t change threat actor behavior or the need for IT departments to have controls to face cyber risks, he said.Kellman Meghu, principal security architect at Canadian incident response firm DeepCove Cybersecurity, believes Google and other tech firms around the world are looking to the courts and legislatures in part to stop scams, but also to protect themselves from being sued if they can shut down a criminal online service.”The reality now is that there is very little to no risk to running scams,” he told CSO in an email, “since the chance of suffering any ramifications is barely a reality. [Running a malicious online operation] gives attackers the chance to just keep trying things until eventually something works. Driving real legislation and legal impacts that can span borders would be very valuable to reduce this threat, if in fact they can build legislation that is effective, and could go a long way in reducing the risk of constant attempts to compromise users.”But global efforts to fight cybercrime can only be effective if tech companies around the world work with governments to share information on cyber crime, he added.However, he doubts many competitive technology suppliers would join an effort because they have a vested interest in saying that they are safer, better, faster than the competition, so they can sell more services.
‘Any reduction in scams would help IT departments’: Johannes Ullrich, dean of research at the SANS Institute, said Google has a huge problem with scammers paying for ads that direct victims to fraudulent websites and malware. “Any reduction in these scams would be a significant help to IT departments,” he said, “making it easier to defend networks against these scams.”The proposed US legislation doesn’t necessarily add any substantial new barriers for scammers, he added, but it would provide more funding for state and local law enforcement agencies that are often overwhelmed by complaints from victims of cybercrime.On the other hand, he argued that robocalls could be fought more effectively by telecommunication providers, without new legislation, and they have taken some steps to do so.The issue of scam compounds is likely not going to be significantly affected by any legislation, as they are too ephemeral and agile and would easily evade sanctions, he added.”Among the issues mentioned, the paid-for Google ads advertising malicious resources is by far the most significant problem for security teams,” Ullrich said. “Google must step up its game in blocking them, and finding legal ways to eradicate the origin may be more effective than the current ‘whack the mole’ tactic, which is not working.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4088993/google-asks-us-court-to-shut-down-lighthouse-phishing-as-a-service-operation.html
