This article has been modified from its original version. Certain quoted material has been removed because its veracity could not be confirmed.
One of the oldest cons in the book, the confidence scam, has a new name: phishing. And it’s putting IT on alert because of its potential to damage online business communications and compromise the datacenter.
Phishers use spam to direct their victims to Web sites designed by thieves to resemble legitimate e-commerce sites. Who hasn’t received an urgent e-mail from a phisher masquerading as a trustworthy representative from PayPal or eBay and threatening to terminate your account unless you go to a bogus Web site and hand over personal information?
Many have wised up. But according to the Anti-Phishing Working Group, nearly 5 percent of recipients respond to phishing — a far greater rate than the less than 1 percent who respond to run-of-the-mill spam.
Phishers are employing increasingly sophisticated techniques, such as malicious code buried in images, keystroke-logging applications that download as soon as an e-mail is opened, and spoofed Web sites that look totally legitimate — right down to the “security” padlock in the browser. One fear is that, as phishing scams get slicker and more people get duped, customers will throw up their hands, shop offline, and send business-related e-mail straight to the delete folder. Wary end-users don’t bode well for electronic bill paying and e-mail advertising, either.
“If consumers ignore communications from businesses and shy away from using online services, it will have a very negative impact” on the enterprise, observes Gregg Mastoras, senior security analyst at security solutions vendor Sophos.
Security experts expect the problem to get worse in 2005, touching almost every enterprise.
Because phishing is a main artery for identity theft in an era of widespread data consolidation, it’s expected to spur more hacking attempts against the datacenter.
“The stakes are a lot higher,” notes Prat Moghe, CEO of Tizor Systems, which is developing an enterprise security monitoring product. Moghe thinks phishing scams will soon focus on large-scale identity theft from enterprise databases. The stolen information can then be used as bait for targeted phishing schemes. For example, sending spam to a list of customers who are known to use a specific bank is more efficient and — at least in theory — more effective for phishers than random mailings are. Simply put, they want in.
“To phish, you need a hook,” Moghe says. “The hook for massive information theft is insider information. Once thieves get inside the database, masquerading as real users, the haul can amount to millions of cases of identity theft. Information theft scams are becoming more and more sophisticated, and identity theft from inside large databases will only increase.”
Phishing season is officially open; the good news, however, is that many of the same security measures that protect against viruses can shield the enterprise from phishers.
Like computer viruses, phishing scams were originally launched by malicious hackers eager for bragging rights in the underground. The earliest scammers don’t appear to have done much damage. Things quickly got worse, though, to the extent that organized crime is now involved, according to the FBI’s Internet Crime Complaint Center (IC3).
According to Australian media reports, four high school students were recently charged with helping the mob drain millions of dollars from online bank accounts spanning from Australia to Eastern Europe. The criminals used bogus ads and spam to install Trojans that captured passwords and other bank details. The Australian teenagers were allegedly recruited to help transfer stolen funds into Eastern European-based bank accounts.
“Consumers have grown more educated about common phishing and identity theft,” says Sophos’ Mastoras. “Unfortunately, organized criminals are responding with more sophisticated techniques.”
These days, criminals aren’t just intent on clearing out entire accounts; they’re also out to drain data stores of log-in IDs, passwords, and other sensitive data to use for their next crime. Phishers want real payback and are going to great lengths to get it. Poorly conceived phishing scams, those with misspellings and peculiar English — when was the last time your bank called you “darling”? — are being replaced by technological tricks that often don’t even require the user to click on a URL.
A recent scam went live as soon as users opened a malicious e-mail in an unpatched or older version of Microsoft Outlook. When the message, which was often blank, was viewed, a bit of code in the e-mail quickly modified the computer’s hosts file. The next time individuals attempted to log on to their banking site, they were invisibly redirected to a bogus Web site. Few, if any, knew they were doing business with a server somewhere in Russia. The scam targeted customers of several financial institutions in Brazil and was soon followed by a similar attack against several British banks. Security experts expect to see variants in wide use soon.
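The hosts-file tampering described above leaves a simple trace: a line pinning the bank’s name to an address that is not loopback. The following checker is an added example, not part of the original article; the sample hosts text, the `examplebank.com` names and the `203.0.113.45` address are all constructed.

```python
import ipaddress

# Constructed sample of a hosts file after tampering of the kind the article
# describes: the bank's host name is pinned locally to a rogue address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.com        # constructed rogue entry
203.0.113.45    examplebank.com
"""

# Names the organisation (or the user) never expects to see overridden locally.
MONITORED_DOMAINS = {"examplebank.com", "www.examplebank.com", "login.examplebank.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)              # ignore lines whose first field is not an address
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_hijacked_entries(text, monitored=MONITORED_DOMAINS):
    """Return hosts entries that map a monitored name to anything other than loopback."""
    hits = []
    for ip, name in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback:
            continue                               # 127.0.0.1 / ::1 entries are benign
        if name in monitored or any(name.endswith("." + d) for d in monitored):
            hits.append((ip, name))
    return hits


if __name__ == "__main__":
    for ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

To run it against a real machine, read `/etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts` on Windows) into `find_hijacked_entries` instead of `SAMPLE_HOSTS`.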
“[Phishers] will … begin to target the customers of any business that has an online component,” says Natasha Staley, an information security analyst at MessageLabs, a provider of managed enterprise e-mail security solutions.
Phishing can also affect network security. For example, if users are allowed to choose their own log-in names and passwords, it’s likely they use the same ones on many networks. When phishers know John Smith logs in as Jsmith13 and uses the password “superman” at eBay, they’ll scour online postings and databases for more information about Smith. If they discover he works at your company, they can try to access your network by signing in as JSmith, superman.
When asked how best to combat phishing, experts are quick to cite user education. “It’s easy to dismiss user education as an exercise in futility, but we hear only about the failures,” says security consultant Robert Ferrell.
The consensus is that warning about the evils of phishing won’t be enough. Security experts are urging businesses not to include clickable URLs in e-mail sent to customers.
“Adopt a policy of no embedded links, and make certain your customers are aware of this policy,” Ferrell says. “Bottom line: Let users come to you. Tell them where you are, but don’t send a car to pick them up.”
Many companies are doing just that by corresponding through private message centers. eBay provides all users an inbox called My Messages housed on the company’s Web site. This is successful if customers tend to revisit your site often and you don’t stuff their message centers with unsolicited offers.
EarthLink and Comcast clearly spell out in customer e-mail — as well as on their sites — the types of information their technical support or accounting representatives will ask for, and they specify the channels through which such requests will be made. For example, EarthLink representatives may ask users for the last four digits of their Social Security number over the telephone or online before launching a live tech-support session — but never by e-mail.
For the long term, enterprises will need to agree on and deploy a universal, foolproof, easy way to authenticate legitimate e-mail. A trusted sender certificate that works with S/MIME, which is supported by most e-mail programs, could help to assure recipients that the e-mail they receive is legitimate and validated by an independent certificate authority.
But eventually phishers are likely to find a way to hack the S/MIME certificate mechanism, just as they’ve managed to spoof other security certificates and the once-sacred padlock icon. According to experts, the ultimate answer to phishing is a global authentication standard that verifies that an e-mail has indeed been sent from its stated domain. They recommend that this e-mail “caller ID” be combined with strong authentication tools that integrate with Web browsers and alert users when they land on a spoofed Web site.
Meanwhile, IT should monitor attempts to register domain names that resemble legitimate corporate URLs. A common phishing trick involves setting up domains such as “paypaI.com.” (Look at that URL closely. Did you spot the spoof? If not, the lowercase L is actually an uppercase i.) Cyveillance is one company that will monitor attempts to register domain names that are too close for comfort.
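The “paypaI.com” trick above is one of several ways a registered name can look like yours. The checker below is an added example, not code from the article or from any monitoring vendor it mentions: it reduces a domain label to the letters it looks like, then compares that skeleton against a list of protected brand names. The confusables table is a small hand-picked subset (a real checker would load the Unicode confusables data), and `examplebank` is a constructed placeholder.

```python
import unicodedata

# Brand names to watch new registrations against ("examplebank" is a constructed placeholder).
PROTECTED = ["paypal", "ebay", "examplebank"]

# Characters and pairs that read as another letter in common typefaces. Deliberately
# small; a production checker would load the Unicode confusables table instead.
CASE_SENSITIVE = {"I": "l"}                                   # capital i looks like lowercase L
CONFUSABLES = {"1": "l", "|": "l", "0": "o", "5": "s", "rn": "m", "vv": "w"}


def skeleton(label):
    """Reduce a domain label to the letters it *looks* like."""
    s = unicodedata.normalize("NFKC", label)                  # fold full-width and similar forms
    for src, dst in CASE_SENSITIVE.items():
        s = s.replace(src, dst)                               # must run before lowercasing
    s = s.lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)                               # longer sequences ("rn") first
    return s


def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch one-character typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, protected=PROTECTED):
    """Return (brand, reason) when the domain's first label impersonates a brand, else None."""
    label = domain.split(".")[0]
    look = skeleton(label)
    for brand in protected:
        if label.lower() == brand:
            return None                                       # the genuine label itself
        if look == brand:
            return (brand, "homoglyph")                       # e.g. paypaI, paypa1
        if edit_distance(look, brand) <= 1:
            return (brand, "typo")                            # e.g. paypall
        if brand in look:
            return (brand, "contains-brand")                  # e.g. secure-paypal-login
    return None
```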
If your company does become the target of a phishing scam in the United States, law enforcers urge you to contact your local FBI’s IC3 unit immediately. Complaints to an upstream ISP to get the phishing site taken down will be futile if the ISP makes most of its money catering to spammers and scammers.
Putting an alert on the front page of your company’s public-facing Web site and setting up an e-mail address for customers to report phishing attempts are other good ideas. Joining an industry group such as the Anti-Phishing Working Group or Digital PhishNet can be helpful, too.
In the end, all efforts will involve some measure of educating staff and end-users. “Hard as it may be to believe, there really are people who have learned not to click on attachments,” Ferrell says. “That said, you can’t upgrade common sense, and you can’t install intelligence. Humans will always be the weakest link in the system security chain.”