In the last six months of 2004, Symantec Corp. detected 10,310 new phishing attacks, an average of nearly 400 new attacks per week, in which victims are encouraged to divulge personal information or unknowingly place malicious code on their computers. During this period the number of phishing attempts being blocked by Symantec Brightmail AntiSpam antifraud filters rose from nine million phishing attempts per week in early July to 33 million messages per week by the end of December.
Phishing statistics returned from the Symantec Probe Network, a system of over two million decoy accounts that attract e-mail messages from 20 different countries around the world, are included for the first time in the latest financial services industry break-out of the Internet Security Threat Report which Symantec released in March.
In addition to gathering Internet-wide attack data for its biannual report, the Cupertino, Calif.-based firm recommends that enterprises whose end users may be targets of phishing attempts protect themselves primarily through the detection and filtering of e-mail at the server level via the Mail Transfer Agent (MTA).
The report notes that although this level of filtering will likely remain one of the primary points at which filtering is done for phishing, other attempts will be filtered using upstream IP-based filtering as well as filtering for HTTP. DNS Block Lists (DNSBLs) offer general protection to IP addresses that have been subject to unwanted e-mail traffic, but frequently run the risk of false positives. Sender Policy Framework (SPF), DomainKeys, and other similar solutions will not provide useful protection.
Enterprises that consider their brand and customers at risk of being phishing targets should deploy technologies that monitor for fraudulent e-mail traffic purporting to be from their company, the report continues. They should use technologies that can block these e-mails at the ISP in order to prevent their customers from receiving potentially fraudulent messages. This will lower the risk that an enterprise’s customer will be victimized by phishing attempts.
Symantec claims its Probe Network attracts spam samples that are representative of over 250 million mailboxes. The report also cites a 77 per cent growth in spam for companies in the financial services industry whose systems were monitored by Symantec for spam during the last half of 2004.
Other attack activity targeting the financial services industry, as detected by Symantec's Managed Security Services and its DeepSight Threat Management System between July 1 and December 31, 2004, reveals that five of the top attacks against financial services organizations use HTTP as an attack vector. Known as Web application attacks, they target applications or services that run on or through HTTP. Symantec says these attacks are worrisome because they allow attackers to circumvent perimeter security measures, such as firewalls.
They may also provide attackers with good access to an organization’s confidential information. The top attacked ports in the financial industry show that attackers are targeting ports that make it difficult to determine an attacker’s source and methods.
Two of the top three attacked ports are UDP ports, which can allow attackers to spoof the source address. The top attacked port, UDP 161, hosts a service that allows remote management of network devices. Symantec recommends that a concerted effort be made to ensure that all network devices on a network have the service disabled or secured.