Phishing is no longer a nuisance crime. Sophisticated identity thieves are targeting customers of financial institutions
and high-profile e-tailers in big numbers--and starting to get big results.
Unlike spammers, phishers' messages aren't aimed at selling male enhancement drugs, cut-rate mortgages or porn. Rather, phishers use common spamming techniques to generate vast numbers of e-mails that lure customers to spoofed Web sites and trick them into giving up passwords, credit card numbers and other personal information.
The problem has exploded since Earthlink issued its first warning a year ago. E-mail security provider Brightmail (recently acquired by Symantec) reported it detected 2.3 billion phishing messages in February alone. A study released by Gartner Research in May estimates that 76%of all known phishing attacks had occurred since last December. The Anti-Phishing Working Group (www.antiphishing.org), an industry association of more than 200 organizations, reported 1,125 unique phishing attacks in April, up from 402 in March and nearly seven times the number reported in January. Citibank was the overwhelming target of choice, with 475 attacks against it in April alone, followed by eBay, PayPal, US Bank and Barclays.
The startling growth of this threat has given the bad guys a head start. Fortunately, there are steps you can take to protect your organization, combining innovative technology and proactive policies and processes.
Phishers follow the money, so it's no surprise that organized crime, based largely in Asia and the former Soviet Bloc, appears to be behind the surge of attacks.
"Online usage of financial service has grown dramatically over the last two years," says Naftali Bennett, CEO of Cyota, a provider of antifraud and security products. "The universe and size of reward for the fraudster has increased dramatically." Security providers have been quick to respond, offering new techniques and repurposing existing tools to address the threat.
In January, Cyota launched Cyota FraudAction, a modular suite of services that combats phishing attacks. At the core of FraudAction is Cyota's antifraud command center, which detects potential phishing attacks by analyzing data pulled in by various probes, decoys and several of Cyota's partners.
Cyota's analysts create damage assessment reports based on parameters such as the number of hits, quality of the e-mail and type of information the attacker is trying to obtain. This gives Cyota's clients an early warning so they can shut down the phisher's site and alert their customers and provides forensics data to aid in possible prosecution.
In May, MarkMonitor, an Internet brand protection and corporate domain registration specialist, announced Fraud Protection, which uses distributed honeypots and sophisticated baiting techniques to draw in and identify potential attacks. The firm monitors chat rooms, newsgroups and domain registries, processing the data through its correlation engines to determine potential threats.
MarkMonitor gathers data to help customers shut down attackers. It also provides evidence should the customers decide to prosecute.
Cyveillance, an online risk monitoring and management services provider, gives early attack warnings through its Cyveillance Intelligence Center Technology, which monitors hundreds of thousands of junk e-mails daily and cases the Web for potential attack intelligence.
Brightmail offers e-mail security products and services, including Brightmail Anti-Fraud, which leverages Brightmail's Probe Network, consisting of more than 2 million decoy e-mail accounts and antispam technology to detect spoofing attempts characteristic of phishing attacks. If fraud is detected, Brightmail creates rules to block subsequent spoofed e-mails from reaching customer accounts.
Numerous other vendors--such as Tumbleweed Communications, CipherTrust and NetIntelligence--feature antispam and e-mail filtering products and services and are good sources of phishing intelligence.
Tumbleweed founded the Anti-Phishing Working Group last fall. Membership is open to financial institutions, online retailers, law enforcement organizations and vendors.
Early warnings are good, but service providers have no control over how customers respond to spoofed e-mails. Since phishing attacks target customers at their homes and workplaces, it's critical to have a clear policy governing the solicitation of personal information. Many companies warn customers that they will never solicit authentication information through e-mail.
Make sure everyone in your organization is on the same policy page; imagine the damage if one of your divisions solicits personal information after your customers have been warned to watch out for it.
Consider these additional steps:
- Be proactive on your Web site. eBay and Earthlink provide customers with specialized toolbars that alert them when entering a suspected phishing Web site and direct them to a Web page with information about online scams. PayPal provides a link to its security site, which tells customers how to spot fraudulent e-mails.
- Monitor DNS registrations closely and subscribe to services, such as Netcraft, that alert you when someone registers a domain that matches certain criteria indicating a spoofed Web site.
- Move quickly to take down hijacked Web sites by alerting the host organization--often an ISP or university--that one or more of its servers has been compromised. You may have to call law enforcement if the organization refuses or is slow to respond. While domestic hosting services often cooperate, the task is more difficult when dealing with offshore ISPs not governed by U.S. law.
- Consider the use of digital signatures. Several products, including ZixCorp's ZixVPM and PostX's Trusted E-Business, provide secure e-mail services, and Tumble-weed's E-mail Firewall digitally signs outgoing mail based on policy. Digital signatures are entirely under the control of the sender and will serve the needs of high-end, technology-savvy customers. The education of uninitiated users is far more challenging, making this approach less practical for larger implementations.
- Don't depend on SSL certificates. That reassuring padlock symbol at the bottom of your browser window simply means there's an SSL connection; it doesn't confirm the identity of the connected server. The hitch is that IE allows plaintext certificates that can easily be used to forge the site identity.
- Make your organization an unattractive target. "Banks need to build a reputation in the fraudster community--'Don't mess with me,'" says Cyota's Bennett. "Be very aggressive in legal ways and take the counter-offensive."
If you still don't think phishing is a problem, consider what's at risk:
The Gartner study estimates that 30 million Americans have received a phishing attack, and about 3% (1.78 million) submitted personal and/or financial information. This percentage is likely many times greater than the response to typical spam messages and more than enough to assure phishers a high return on a minimal investment. Other sources say the response rate is as high as 5 percent.
There isn't enough evidence to accurately estimate how much money phishers net, but Gartner estimates the direct cost to companies was $1.2 billion in 2003, and, given the dramatic increase in attacks this year, it's easy to foresee growing losses.
In addition to direct losses, add downtime in the face of concerted attacks, the cost of issuing new credentials to customers who have been compromised, the security spending and potential liability, and you have the potential for a serious problem.
And, it's hard to put a dollar value on trust.
"Losses are high," says Mark Shull, president and CEO of MarkMonitor, "but the growing concern is having consumers reluctant to do business online."
About the author
Nalneesh Gaur, CISSP, is a manager with Accenture's Security Specialty practice.
This article orginally appeared in Information Security magazine