No matter how you look at it, phishing is bad news. Its damage is felt at the individual level, in stolen identities, and at the societal level, in lost trust in online services. As one of the more potent methods of identity theft, phishing is unusual in how quickly it grows in sophistication. Unlike simple dumpster diving, where discarded mail is the lever for identity theft, phishing keeps changing form to get around whatever defences are put in its way.
A phishing attack today targets audiences that range from millions of email addresses around the world to small, carefully chosen groups of customers. Using attack methods such as man-in-the-middle attacks, keyloggers and complete recreations of corporate Web sites, phishers readily fool customers into submitting personal, financial and password data.
Phishing attacks rely on a mix of technical deceit and social engineering. In most cases the phisher persuades the victim to perform a series of actions that hand over access to confidential information. According to a recent study by Gartner, 57 million US Internet users report having received email linked to phishing scams, and about 1.7 million of them are thought to have fallen for the attacks and divulged personal information.
The Anti-Phishing Working Group (APWG), composed of enterprises and vendors that work together to prevent phishing attacks, recently reported 13,141 phishing attempts in one month, a rise of 26 per cent over six months. Customers of banks and other financial institutions attracted 78 per cent of attacks.
According to the U.S. Federal Trade Commission, here’s how the identity theft numbers stack up on an annual basis:
• Number of victims: 9 million to 10 million nationwide
• Cost to businesses: $50 billion
• Average cost to consumers: 30 hours and $500 (for such things as phone calls, notary and mailing expenses, attorney fees and lost wages).
Anatomy of a phishing attack
Phishing scams have been escalating in number and sophistication month by month. A recent campaign shows the creativity involved. Malicious software is installed on the user's PC without his knowledge and takes no immediate action, so nothing alerts him that it is there. The program lies dormant until the user enters the URL of his bank, at which point its keylogger activates, records the keystrokes typed into the site and sends them to a remote server. In this way the criminals capture the user IDs and passwords used to access online banking and other confidential accounts.
Federal police in Brazil recently arrested a suspected leader of a gang that stole $37 million from its victims’ online bank accounts, using this type of scam. The gang stole from online banking customers using a Trojan horse sent to thousands of computers via email.
Keyboard logging and other eavesdropping software can be installed locally by an attacker (for example on a computer in a cybercafe or a university computer room), or remotely by viruses and worms that install it over the Internet. Malicious software often arrives as a Trojan horse, which looks like a legitimate application while eavesdropping on user actions. The rising incidence of these attacks is a concern for a number of industries, including banks, healthcare providers, retailers, payment processors and universities.
The rise in phishing and other forms of online fraud presents huge challenges to any online business. The effects of online fraud are already damaging customers’ confidence in Internet transactions, a confidence that businesses have taken years to build.
What can be done?
Phishers have a large number of methods at their disposal, and there is no single solution capable of combating all of them. However, a mix of information security technologies and techniques can blunt current attacks and reduce exposure to future ones.
Trojans used in phishing attacks may also open a "backdoor" that gives the attacker ongoing access to the affected computer or network. A personal firewall that controls outbound as well as inbound connections provides some measure of protection, since a keylogger has to send what it collects to a remote site, although malware that tunnels its traffic over ordinary Web connections will often get through. Keeping the operating system and browser up to date with the latest security patches is also important, because some phishing tricks, such as disguising headers and URLs so that the browser appears to show a legitimate address, depend on unpatched vulnerabilities.
However, firewalls and patches will not stop users entering their details onto a forged site if they have been duped, and will not protect against the discovery by phishers of any further vulnerabilities in the future.
Using sender-authentication technologies may help reduce the effect of phishing attacks. One such method is Sender Policy Framework (SPF). Under SPF, an organization publishes in DNS a list of the mail servers, identified by IP address, that are allowed to send email on behalf of its domain. A receiving mail server looks up the domain of the envelope sender (the SMTP MAIL FROM address) and can reject any message whose sending server is not on that "approved" list. SPF and other sender-authentication technologies are fairly new, but they have the potential to make phishing more difficult since, in theory at least, phishers will no longer be able to forge a bank's own domain as the sender. Two caveats apply: SPF checks the envelope sender rather than the From: address the user sees, and nothing stops a phisher publishing a valid SPF record for a throwaway domain of his own, so SPF is most useful when the receiving side actually rejects or flags failing mail and treats a pass from an unfamiliar domain as no guarantee of legitimacy.
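As an added illustration, not code from the original article, here is a minimal SPF evaluator in Python. DNS answers come from a constructed in-memory table for the fictitious domains examplebank.test and mailer.test, and only the ip4, a, mx, include and all mechanisms are implemented; a production check would query live DNS and follow the full SPF specification. The final function shows the point made above: what gets checked is the domain of the envelope sender, not the From: header the customer sees.

```python
"""Minimal SPF evaluation, added as an illustration (not the article's code).

Assumptions: DNS answers come from the constructed table below for the
fictitious domains examplebank.test and mailer.test; only the ip4, a, mx,
include and all mechanisms are handled; a real check uses live DNS.
"""
import ipaddress

# Constructed DNS data: examplebank.test allows its own /24, its MX host,
# and whatever mailer.test allows; everything else is rejected by "-all".
DNS = {
    ("examplebank.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:mailer.test -all"],
    ("examplebank.test", "MX"): ["mx1.examplebank.test"],
    ("mx1.examplebank.test", "A"): ["198.51.100.25"],
    ("mailer.test", "TXT"): ["v=spf1 a -all"],
    ("mailer.test", "A"): ["203.0.113.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] when the name has no such record."""
    return DNS.get((name.lower(), rtype), [])


def ip_in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                       # bound recursion through include: terms
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"                    # domain publishes no policy
    if len(records) > 1:
        return "permerror"               # ambiguous policy
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:        # explicit qualifier, e.g. "-all", "~all"
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        try:
            if mech == "all":
                matched = True
            elif mech == "ip4":
                matched = ip_in_cidr(ip, arg)
            elif mech == "a":
                matched = ip in lookup(arg or domain, "A")
            elif mech == "mx":
                matched = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
            elif mech == "include":
                matched = check_spf(ip, arg, depth + 1) == "pass"
            else:
                return "permerror"       # mechanism this example does not implement
        except ValueError:
            return "permerror"           # malformed argument such as a bad CIDR
        if matched:
            return QUALIFIERS[qual]      # first matching term decides
    return "neutral"                     # ran off the end with no "all" term


def envelope_result(connecting_ip, mail_from):
    """What a receiving MTA checks: the domain of the SMTP MAIL FROM (envelope sender)."""
    domain = mail_from.rsplit("@", 1)[-1]
    return check_spf(connecting_ip, domain)


if __name__ == "__main__":
    for ip, sender in [("192.0.2.77", "alerts@examplebank.test"),      # bank's own range
                       ("203.0.113.10", "alerts@examplebank.test"),    # via the included mailer
                       ("203.0.113.99", "alerts@examplebank.test"),    # forged: not on the list
                       ("203.0.113.99", "alerts@phisher.test")]:       # no record at all
        print(f"{ip:14} {sender:26} -> {envelope_result(ip, sender)}")
```

The last case is the important one for phishing: a message from phisher.test gets "none", not "fail", because the phisher's domain simply publishes no policy (or, just as easily, publishes one that approves his own server). SPF only tells the receiver that a message claiming to come from examplebank.test did not come from the bank's servers; it says nothing about a lookalike domain.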
Financial service providers should look for solutions that prevent account takeovers and unauthorized fund transfers. Financial and other consumer service providers should deploy stronger access controls, matched to the sensitivity of the applications. Many organizations are evaluating strong authentication solutions so that they can provide greater assurance that only the authorized customers themselves are gaining access to their own accounts. Key criteria when evaluating such solutions are ease of use, portability, cost, security, manageability and cross-channel utility. Recognizing the need to thwart password thieves but reluctant to roll out strong authentication, some financial sites have implemented special login interfaces that require mouse clicks (for example an on-screen keypad) rather than keystrokes, or that convert static passwords into one-time codes. Both measures raise the bar for a simple keylogger, but neither stops a man-in-the-middle attacker who relays a freshly captured code to the bank before the customer's own session does, and screen-capturing malware can defeat an on-screen keypad.
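To make the one-time-code idea concrete, here is an added Python example that is not from the article or from any particular vendor's product. It uses the HOTP counter-based algorithm (HMAC-SHA1 over an 8-byte counter, dynamically truncated to six digits), which is an assumption: the article does not say which scheme the sites in question use. The shared secret, user name and look-ahead window are illustrative. The point it demonstrates is that a code captured by a keylogger is dead once the customer has used it, because the server will never accept the same counter twice.

```python
"""Replacing a static password with a one-time code (added example, not from the article).

Uses the HOTP algorithm: code = truncate(HMAC-SHA1(secret, counter)) mod 10^digits.
The server tracks the next counter it will accept for each user and never accepts
a counter twice, so a code captured by a keylogger is useless once the customer
has logged in with it. The secret, window size and user name are illustrative.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for a shared secret and an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class OtpServer:
    """Server-side verification state: per-user secret and next acceptable counter."""

    def __init__(self, look_ahead: int = 3):
        self.users = {}                  # user -> [secret, next_counter]
        self.look_ahead = look_ahead     # tolerate a few codes generated but never submitted

    def enrol(self, user: str, secret: bytes) -> None:
        self.users[user] = [secret, 0]

    def verify(self, user: str, code: str) -> bool:
        secret, next_counter = self.users[user]
        for c in range(next_counter, next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c), code):
                self.users[user][1] = c + 1   # move past c: this and earlier codes are now dead
                return True
        return False                          # unknown code, or a replay of a spent one


def replay_demo() -> list:
    """Customer logs in, keylogger replays the captured code, customer logs in again."""
    secret = b"12345678901234567890"            # HOTP test-vector secret; a real token uses a random one
    server = OtpServer()
    server.enrol("alice", secret)
    token_counter = 0                           # the customer's hardware or software token
    first = hotp(secret, token_counter)
    token_counter += 1
    results = [server.verify("alice", first)]          # customer: accepted
    results.append(server.verify("alice", first))      # attacker replays the captured code: rejected
    second = hotp(secret, token_counter)
    token_counter += 1
    results.append(server.verify("alice", second))     # customer's next code: accepted
    return results


if __name__ == "__main__":
    print(replay_demo())   # [True, False, True]
```

Note what this does and does not buy: the replayed code in the middle of the demo is rejected, which defeats the dormant keylogger described earlier, but an attacker sitting between the customer and the bank who forwards the first code in real time would still be accepted, because from the server's side that is simply the customer's own login.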
Internet service providers and major online consumer service providers (with millions of online customers) should start offering user desktop protection by distributing third-party protection against malware and phishing attacks. Businesses and ISPs may take enterprise-level steps to secure against phishing scams, thereby protecting both their customers and internal users. These enterprise security solutions offer considerable defense against phishing and a multitude of other current threats.
Here are some other key methods of defence:
Gateway services: The enterprise network perimeter is an ideal place for adding gateway protection services that can monitor and control both inbound and outbound communications. These services can be used to identify malicious phishing content, whether it’s located within email or other communication streams.
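The following is an added Python example, written for this page and not taken from any gateway product, of the kind of rule-based inspection such a service applies to inbound mail. It parses an email, scans the subject and text parts for urgency phrases, and checks each HTML link for two classic phishing signs: a target that is a bare IP address, and link text that names one site while the href points at another. The rules, the threshold and the two sample messages are constructed for the illustration; a real gateway would carry far larger rule sets and act on reputation and attachment scanning as well.

```python
"""Rule-based scan of an inbound email for phishing indicators (added example).

Stand-in for the kind of content inspection a gateway performs. Rules and
thresholds are illustrative; the two messages below are constructed, not real.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

URGENCY_PHRASES = [
    "verify your account", "account will be suspended",
    "within 24 hours", "confirm your password",
]
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_LIKE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")
IPV4_LITERAL = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def scan_text(text: str) -> list:
    """Return (rule, evidence) pairs for every indicator found in the text."""
    findings = []
    lowered = text.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(("urgency phrase", phrase))
    for href, label in ANCHOR.findall(text):
        href_host = host_of(href)
        if IPV4_LITERAL.fullmatch(href_host):
            findings.append(("IP-literal link", href))
        label_text = re.sub(r"<[^>]+>", "", label).strip().lower()
        # Link text that itself looks like a URL or domain must agree with the real target.
        if label_text.startswith(("http://", "https://")):
            label_host = host_of(label_text)
        elif DOMAIN_LIKE.fullmatch(label_text):
            label_host = label_text
        else:
            label_host = ""
        if label_host and label_host != href_host and not href_host.endswith("." + label_host):
            findings.append(("link text/target mismatch", f"{label_host} -> {href_host}"))
    return findings


def classify(raw_message: str, threshold: int = 2) -> dict:
    """Parse an RFC 822 message, scan subject and text parts, and decide delivery."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    pieces = [msg["Subject"] or ""]
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            pieces.append(part.get_content())
    findings = scan_text("\n".join(pieces))
    return {"findings": findings,
            "verdict": "quarantine" if len(findings) >= threshold else "deliver"}


# Constructed sample messages (not real mail).
PHISH = """From: "Example Bank" <alerts@examplebank.test>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer, your account will be suspended within 24 hours
unless you log in and confirm your password.</p>
<p>Click <a href="http://192.0.2.55/login/index.php">https://www.examplebank.test/login</a> now.</p>
</body></html>
"""

LEGIT = """From: "Example Bank" <statements@examplebank.test>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement for May is available in online banking.</p>
<p>Visit <a href="https://www.examplebank.test/statements">www.examplebank.test</a> to view it.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        result = classify(raw)
        print(name, result["verdict"])
        for rule, evidence in result["findings"]:
            print("   ", rule, ":", evidence)
```

The link check is the one worth keeping even when the phrase list goes stale: phishers rewrite their wording constantly, but a message whose visible link says the bank's name while the real target is an IP address or an unrelated host is suspicious regardless of what the text says.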
Typical enterprise-level gateway services include anti-virus scanning used to detect viruses, malicious scripting code and binary attachments that contain Trojan horse software. Anti-spam filtering consists of rule-based inspection of email content for key phrases and words (such as Viagra), typically used to identify common spam, but also capable of stopping many forms of phishing attacks that are designed to look like normal spam. Content filtering inspects many types of communication methods (e.g. email, IM, AOL, HTTP, FTP) for bad content or requ