SUBSCRIBE NOW!

Vol. 22 No. 6 — June 2005

Phishing has become the most prevalent Internet security threat in the past year, according to Chris­topher Faulkner, CEO of Dallas-based CI Host, the nation’s fifth-largest company. CI Host reported that the number of phishing attacks against its customers grew more than 1,500 percent last year.

“It’s the No. 1 scam on the Internet right now,” Faulkner said. “Someone can get up in the morning, copy [a targeted company’s] Web page, develop e-mails, and blast them out before he goes to lunch the same day.”

Pharming, one of the newest ways that criminals are trying to gain access to individuals’ Social Security numbers, bank accounts, and other personal information, first started to appear early this year, according to Scott Chasin, CTO of Denver-based MX Logic, Inc., which provides e-mail protection systems. (Some publications credit Chasin as coining the term “pharming.”)

Capturing Customer Data

Phishing is when a perpetrator casts a “lure” to obtain customer data, Chasin explained. In pharming, no lure is used. Instead, the criminal harvests data, much like a farmer harvests crops. Pharming is one of the top Internet crimes in the U.K., according to Faulkner.

Pharming happens in one of two ways:

• The criminal infects a computer (a home or business PC) with malware (malicious software designed to damage a system) that automatically redirects the browser to a site that looks like the legitimate one, complete with initial links—including the ones asking for an account holder’s information.

• The criminal “poisons” a DNS (Domain Name System), causing it to redirect incoming browsers to copied sites that appear to be trusted bank or e-commerce sites. (eBay is one of the most phished/pharmed sites every month, according to several industry reports.) This method of pharming is more difficult to do and requires additional technical expertise.

Spim is basically a spam attack that uses an instant messaging service. Like spam, the people conducting spim attacks use bots, or robots, to automatically generate random messenger names. There were 300 million attempted spim attacks in 2003, a figure that grew 400 percent in 2004, according to Faulkner, who predicted a continued rise in the number of attempts this year.

Many Reasons for Growth

Spim continues to grow because the instant messaging services available from AOL, Yahoo!, Microsoft, etc., are inherently less secure than traditional e-mail, according to Dave Mason, host of a Tucson, Ariz.-based radio program that discusses various computer-related issues.

Regardless of their anti­-fraud defenses, companies with good brand awareness tend to be the focus of many attacks, according to Beth Robertson, senior analyst for Tower Group, a research and consulting firm located in Needham, Mass. Attackers are more likely to get a “hit” if they send millions of e-mails seeking information to Washington Mutual customers than if they send e-mails to customers of small rural banks. Even so, Robertson pointed out that the criminals are constantly honing their phishing techniques, so it won’t be long before their attempts move from a national scope to more targeted, localized attacks.

Technology experts say there are several factors contributing to the growth of these attacks. According to the Anti-Phishing Act of 2005 (which was introduced in the Senate on Feb. 28 by Sen. Patrick Leahy, D-Vt.), organized crime is now allegedly involved and is using sophisticated methods to mount attacks in new, hard-to-detect ways. Also, perpetrators of these crimes typically use a decentralized approach, with one party holding customer information, another originating the initial messages, and still another handling any cash that’s illegally obtained.

Then, there’s the lack of enforceable laws, although it’s not that laws aren’t on the books. The problem is that many of these attacks, if they can be traced at all, originate overseas where there isn’t proper enforcement to give the laws any teeth, according to Fran Maier, executive director and president of San Francisco-based privacy solutions provider TRUSTe.

There was, however, one notable exception in Brazil recently. A gang was apprehended in April after allegedly stealing an estimated $37 billion from online banking accounts by recording and relaying the victims’ passwords and logins to their own accounts. But again, this was an exception, and not the rule.

Technologies, Customer Awareness to the Rescue

Despite these alarming numbers (which many technology analysts expect will increase before falling off), there are several ways that information professionals can protect their companies and customers. The phished/pharmed/spimmed business is rarely held responsible, although there are some exceptions overseas. Yet, the loss of business and reputation that often follows an attack can be significant.

“Technology will have the most impact over the short term,” Chasin said. But experts agree that any technology should be used in conjunction with internal and external security efforts. Companies that are most effective in fending off attacks are those that follow several best practices in technology, policies, and procedures.

“We’ve seen [targeted] companies set up a department to handle these attempted attacks,” said Craig Sprosts, senior product manager at IronPort Systems, Inc., an e-mail security tools provider located in San Bruno, Calif. “As soon as [an attempt] is identified, they react quickly to figure out where the [fraudulent] sites are located so they can be shut down quickly.”

Mason recommended that companies join forces with industry groups, Internet service providers (ISPs), and other interested parties to fight these attacks. Some of the most phished companies have worked with ISPs to develop e-mail filters that track a company’s registered DNS addresses. If an e-mail carries a company’s identification but doesn’t come from a registered mail server, the ISP can either destroy the e-mail immediately or hold it for the company to review, according to Mason. ISPs are in the early stages of using this technology, according to Sprosts.

Educating the Consumer

One of the most important ways to deter the effectiveness of national or local attacks, according to Robertson, is to educate consumers about these crimes and teach them to protect themselves. For example, several financial institutions have informed their customers that they won’t ask for personal or account information via e-mail. Any account discrepancies will be handled via traditional mail.

Mason goes one step further. He said that companies that want to protect their customers from these attacks should not only send e-mails, but do so with regular frequency. Otherwise, these warnings run the risk of getting lost in the glut of messages that people receive every day. Mason also recommended that companies use other forms of communication to alert customers to the dangers of phishing, pharm­ing, and spim.

“Don’t have the technology people write these notices,” Mason advised. “They need to work with the marketing department. Use radio, television, and print in addition to e-mail.”

Several companies also offer authentication tools to help customers positive­ly identify a company’s Web site. If the customer is at the legitimate site, there will be an identifying icon at the bottom of the page.

What’s in a Name?

Robertson also recommended that companies own not only their own domain name, but also any similarly named domains. (For example, if your company’s url is http://www.abcbank.com, then you should also own http://www.abcbunk.com.)

Companies with the best defenses are also subscribing to services that detect fake Web sites and monitor the Internet for phishing, pharming, and other threats. Attackers tend to use only a handful of programs to copy sites, and there are programs that can detect when these site-copying applications are in use.

Companies are also using ISPs that employ anti-pharming, anti-spam, and similar security tools. While most of the largest ISPs have sophisticated security measures, many of the smaller ones do not.

And remember, even though law enforcement might be unable to shut down a phishing site due to lack of jurisdiction, authorities should be notified as soon as any attacks or attempted attacks are detected, Robertson said.

Finding the Vulnerable Spots

Part of encouraging a safe environment is conducting internal security checks to detect vulnerabilities, such as unsecured ports, relays, etc. Companies such as CI Host protect against spim by steering away from the popular IM applications of Yahoo!, AOL, and MSN. Instead, they use lesser-known IM programs because they are less likely to be the targets of attacks, Faulkner said.

Faulkner also said that network administrators, rather than individual employees, should have control over author­ized IM preferences and settings. This allows only authorized messages to be sent via IM and only company-authorized contacts to send messages to employees, effectively blocking most malicious attempts. Although there’s still the chance a disgruntled employee working within the company would initiate an attack, limiting IM to text messages without ad­ded attachments or links can block even those attempts.

Security experts, however, point out that even the most vigilant companies must continue to monitor security threats and to adjust quickly to new forms of attacks. Phishing, pharming, and spim are still relatively new, but as soon as these attacks become more difficult, criminals will likely go on to something else. Faulkner pointed out that the amount of spam sent to his customers actually decreased in 2004, the first drop in 5 years. He credited the decrease to the use of better spam filters, which, he theorized, have pushed criminals to phishing, pharming, and spim, which have less-developed defenses.

Going Phishing

Here’s a list of March’s most-phished organizations:

1. eBay

2. Washington Mutual, Inc.

3. PayPal

4. Charter One Bank

5. KeyBank

6. Bank of the West

7. International Bank of Asia

8. Huntington Bank

9. Bank of Oklahoma

10. North Fork Bank

Source: IronPort Systems, Inc. (http: //www.IronPort.com) Threat Operations Center, March 31, 2005