Notorious criminal John Dillinger, when asked why he robbed banks, is supposed to have replied, “That’s where the money is.” Financial institutions, e-commerce sites and anyone who does any kind of monetary transaction on the Web are the primary targets of phishing scams, since it is within these institutions that customers have money.
Phishing is an online scam designed to entice and/or fool people into giving up personal information that can then be used to access bank or other online accounts. Visa Canada and the RCMP estimate that 200,000 Canadians have been targeted by phishing scams and that last year some 13,000 Canadians were the victims of identity theft, at a cost of $21.5 million. According to a national study published in September by the Ponemon Institute and sponsored by NACHA, an electronic payments association, and TRUSTe, an online privacy organization, 76 per cent of American consumers reported being victims of a spoofing or phishing attempt, and an estimated US$500 million was lost to such scams.
A major problem with information security is an over-reliance on passwords as a means of protecting personal information. Passwords, while convenient, are often too easily compromised unless a stringent set of policies defines how they should be used. Microsoft’s Bill Gates recently said companies must consider deploying such things as biometrics or smart card technology in order to improve security.
Several companies offer biometric products that can use fingerprints to authenticate a person’s identity: Rancho Santa Margarita, Calif.-based Security First Corp. offers several biometric keyboard, laptop and mouse optical fingerprint readers and silex technology america Inc., a U.S. subsidiary of silex technology Inc., entered into a new reseller agreement under which Fujitsu Microelectronics America Inc. will market silex’s fingerprint authentication products in North America.
Fremont, Calif.-based ActivCard Corp. showcased the ActivCard Token, a one-time password token solution for retail banking customers aimed at combating phishing, at the Cartes trade show in Paris. The ActivCard Token comes on a key chain and generates one-time passwords for secure, remote access to banking information. Microsoft is currently promoting its Sender ID solution as a way to add more comprehensive security for online transactions and to protect personal information. Sender ID verifies that every e-mail message originates from the Internet domain it claims to come from by checking the address of the server sending the e-mail against a registered list of servers from which the owner of that domain is allowed to send. If these don’t match, the e-mail is not delivered. Phishing scams attempt to make e-mails appear as though they are sent from legitimate companies, when in fact these phishing e-mails originate from servers that have nothing to do with the company they claim to come from.
The Financial Services Technology Consortium (FSTC), a group that builds alliances between financial institutions and technology vendors, has embarked on a counter-phishing initiative that will make technology solutions available that are designed to combat phishing. The goal is to publish a report that provides a taxonomy of phishing attacks and constructs a framework of tested solutions that companies can deploy.
Chuck Wade, project leader of the study, and an independent consultant with the Interisle Consulting Group in Boston, Mass., said no single technology or solution set can effectively combat phishing. He likens the situation to treating AIDS, where the virus is treated not with a single drug, but with a combination of drugs and many other treatments.
Right now, companies must deal with two kinds of phishing attacks: those involving e-mail and those that use some kind of virus or malware.
E-mail phishing scams are the most common right now. These range from the classic Nigerian e-mail scam — which tells people they can cash in on a supposed African fortune if they are willing to send money or open bank accounts to help unlock the frozen monies — to those that appear to be legitimate e-mails originating from banks or credit card companies threatening to close a person’s banking or credit account unless banking and other personal information is immediately provided.
Peter Cassidy, secretary general of the Anti-Phishing Working Group in Cambridge, Mass., an organization focused on monitoring and eliminating phishing and identity theft, said approximately 99 per cent of phishing scams are of the classic e-mail type.
Banks and credit card companies today rely on customer education to help people identify these kinds of scams. Customers are told that bank or credit card companies would never send out an e-mail demanding personal information. But education doesn’t always work.
René Hamel, vice-president of computer forensics services with the Inkster Group in Toronto and a former RCMP officer, said that during the time he spent working for a major Canadian bank it was not uncommon for people to fall for phishing attempts like the Nigerian e-mail scam.
Usually the tip-off is a customer who suddenly makes huge deposits into overseas accounts, something that has never happened before in that customer’s entire banking history.
“We knew right away that the customer was falling for it,” Hamel added. “We would call them and say, ‘Listen, this is a scam and you will be ripped off.’ You would think that if someone from your bank calls and tells you that you are about to get ripped off, that person would stop. But some would just go through with it, believing that they will make money.”
Hamel said banks use a variety of detection forensics to uncover suspicious transactions. Banks know, for instance, that customers using online banking will often do so only from a few locations, home and possibly work.
Banks will log the IP addresses of such online transactions, and if there is a sudden flurry of online banking in a customer’s account from an unknown IP address, the bank may assume the account has been compromised.
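The IP-history check Hamel describes, written out as an added example that is not from the article or from any bank's systems: it learns each customer's usual addresses from a baseline period of constructed log lines, then alerts on a burst of activity from an address never seen for that customer. Customer ids, addresses, the window and the threshold are all constructed.

```python
"""Flag bursts of online-banking activity from an IP a customer has never used before.
Added example, not from the article: a simplified form of the check Hamel describes."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (timestamp customer source-IP action). cust-1001 normally banks
# from two addresses; a late-night burst then arrives from a third one never seen before.
SAMPLE_LOG = """\
2004-11-19T08:02:11 cust-1001 203.0.113.10 login
2004-11-19T08:05:40 cust-1001 203.0.113.10 view-balance
2004-11-20T09:00:00 cust-1002 203.0.113.55 login
2004-11-20T12:31:02 cust-1001 198.51.100.7 login
2004-11-20T12:31:15 cust-1001 198.51.100.7 view-balance
2004-11-21T03:14:01 cust-1001 192.0.2.200 login
2004-11-21T03:14:20 cust-1001 192.0.2.200 add-payee
2004-11-21T03:15:02 cust-1001 192.0.2.200 transfer
2004-11-21T03:15:30 cust-1001 192.0.2.200 transfer
2004-11-21T09:00:05 cust-1002 203.0.113.55 login
2004-11-21T09:00:20 cust-1002 203.0.113.55 transfer
"""
BASELINE_END = datetime(2004, 11, 21)  # sessions before this form each customer's history

def parse_log(text):
    """Return (timestamp, customer, ip, action) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, customer, ip, action = line.split()
            events.append((datetime.fromisoformat(ts), customer, ip, action))
    return sorted(events)

def detect_unknown_ip_flurries(events, baseline_end, window=timedelta(minutes=10), threshold=3):
    """Alert when >= threshold events within `window` come from an IP the customer
    never used before `baseline_end`; known addresses never trigger, however busy."""
    known = defaultdict(set)  # customer -> IPs seen during the baseline period
    for ts, customer, ip, _ in events:
        if ts < baseline_end:
            known[customer].add(ip)
    recent = defaultdict(deque)  # (customer, ip) -> event times inside the window
    alerts = {}
    for ts, customer, ip, _ in events:
        if ts < baseline_end or ip in known[customer]:
            continue  # still learning, or one of the customer's usual locations
        q = recent[(customer, ip)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and (customer, ip) not in alerts:
            alerts[(customer, ip)] = {"customer": customer, "ip": ip, "first_seen": q[0], "events": len(q)}
    return list(alerts.values())
```

Run against the sample, the only alert is cust-1001's burst from 192.0.2.200; cust-1002's post-baseline activity from its usual address stays quiet.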
Stuart McClure, senior vice-president of risk management and product development for McAfee Inc. in Mission Viejo, Calif., said if companies can obtain copies of the e-mails used in phishing scams then these can be traced back to the ISPs used to distribute the sham e-mails.
The goal is to get the ISPs to shut down those servers or refuse the phishers access to them. Do this enough times and the phishers will know that the company is on to them and will move on somewhere else.
McClure also recommends that more companies ‘keep state’ on e-mails, matching the e-mail’s source IP address to the company it purports to come from in order to confirm the identity of the sender.
“Let’s say you get an e-mail and you see it is spoofed to CitiBank.com,” he said. “The idea would be to keep track of where that e-mail is (actually) coming from and where it is supposedly coming from. We know what IP addresses are really associated with CitiBank.com and if the link (on the e-mail) is not actually owned by CitiBank, then you don’t allow traffic to go to that outbound link.”
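A simplified model of the two checks discussed above, the Sender ID server-list lookup and McClure's ‘keep state’ matching of an e-mail's links to the domain it claims to come from, as an added example that is neither the article's nor Microsoft's code. The allow-list tables, domain names and both messages are constructed; a real gateway would fetch the sender list from DNS rather than a hard-coded table.

```python
"""Gateway checks on a message claiming to come from a bank: is the connecting server
on the domain's registered sender list (the Sender ID idea), and do the links point
at domains the bank owns (McClure's 'keep state' check)? Added example; tables and
messages are constructed stand-ins for DNS-published data and real inbound mail."""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

ALLOWED_SENDERS = {"examplebank.test": {"203.0.113.25", "203.0.113.26"}}  # constructed
OWNED_DOMAINS = {"examplebank.test": {"examplebank.test", "secure.examplebank.test"}}

# Constructed spoof: forged From, unrelated connecting server, look-alike link host.
SAMPLE_MESSAGE = """\
Received: from mail.examplebank.test (unknown [198.51.100.9])
\tby mx.recipient.test with ESMTP id abc123
From: "Example Bank Security" <alerts@examplebank.test>
To: customer@recipient.test
Subject: Urgent: verify your account

Your account will be closed unless you confirm your details at
http://examplebank.test.verify-login.example/secure
"""
# Constructed legitimate counterpart: an allowed server and a link on an owned domain.
LEGIT_MESSAGE = SAMPLE_MESSAGE.replace("198.51.100.9", "203.0.113.25").replace(
    "examplebank.test.verify-login.example", "secure.examplebank.test")

def owned_by(host, domain):
    """True when host is one of the domains the company owns, or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS.get(domain, ()))

def evaluate_message(raw):
    """Return the claimed domain, connecting IP, both check results and a verdict."""
    msg = email.message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only the topmost Received header was written by our own MX; lower ones are forgeable.
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", (msg.get_all("Received") or [""])[0])
    ip = m.group(1) if m else None
    sender_ok = ip in ALLOWED_SENDERS.get(claimed, set())
    urls = re.findall(r'https?://[^\s<>"]+', msg.get_payload())
    foreign = [u for u in urls if not owned_by(urlparse(u).hostname or "", claimed)]
    return {"claimed_domain": claimed, "connecting_ip": ip, "sender_allowed": sender_ok,
            "foreign_links": foreign, "deliver": sender_ok and not foreign}

if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(label, evaluate_message(raw))
```

The spoof fails both checks: its connecting server is not on the bank's list and its link host only begins with the bank's name, while the counterpart passes both.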
What worries security experts is that e-mail phishing scams are being replaced with attacks that look to remove the human element as much as possible. The goal is to get personal information without the person targeted even knowing that the information has been taken. Cassidy pointed to a recent series of attacks mounted on Brazilian banks. Scammers created malware that compromised a computer’s host cache.
When online users typed in the bank’s URL, they were sent to a spoof Web site that closely resembled the bank’s online site. The spoof site would gather the user’s banking information, accounts and passwords, which would then be used to access that person’s accounts. If the bank had tracked IP addresses, then alarms likely would have sounded.
“Another new trick is to embed a piece of JavaScript in an image that quietly downloads a key-logger that waits until you log onto a banking Web site, then monitors keystrokes for passwords,” Cassidy said.
Even banking and transaction systems based on Linux, supposedly more secure and virus-proof, are not immune to this kind of phishing attack. On November 19, a supposed security bulletin circulated on the Internet telling Linux users to download a patch for a security hole. The patch turned out to be a back-door Trojan.
Phishing remains a major security threat. As long as there is money to be made, there will always be someone out there trying to get it.