IT tackles phishing

This article has been modified from its original version. Certain quoted material has been removed because its veracity could not be confirmed.

One of the oldest cons in the book, the confidence scam, has a new name: phishing. And it’s putting IT on alert because of its potential to damage online business communications and compromise the datacenter.

Phishers use spam to direct their victims to Web sites designed by thieves to resemble legitimate e-commerce sites. Who hasn’t received an urgent e-mail from a phisher masquerading as a trustworthy representative from PayPal or eBay and threatening to terminate your account unless you go to a bogus Web site and hand over personal information?

Many have wised up. But according to the Anti-Phishing Working Group, nearly 5 percent of recipients respond to phishing — a far greater rate than the less than 1 percent who respond to run-of-the-mill spam.

Phishers are employing increasingly sophisticated techniques, such as malicious code buried in images, keystroke-logging applications that download as soon as an e-mail is opened, and spoofed Web sites that look totally legitimate — right down to the “security” padlock in the browser. One fear is that, as phishing scams get slicker and more people get duped, customers will throw up their hands, shop offline, and send business-related e-mail straight to the delete folder. Wary end-users don’t bode well for electronic bill paying and e-mail advertising, either.

“If consumers ignore communications from businesses and shy away from using online services, it will have a very negative impact” on the enterprise, observes Gregg Mastoras, senior security analyst at security solutions vendor Sophos.

Security experts expect the problem to get worse in 2005, touching almost every enterprise.

Because phishing is a main artery for identity theft in an era of widespread data consolidation, it’s expected to spur more hacking attempts against the datacenter.

Click for larger view.

“The stakes are lot higher,” notes Prat Moghe, CEO of Tizor Systems, which is developing an enterprise security monitoring product. Moghe thinks phishing scams will soon focus on large-scale identity theft from enterprise databases. The stolen information can then be used as bait for targeted phishing schemes. For example, sending spam to a list of customers who are known to use a specific bank is more efficient and — at least in theory — more effective for phishers than random mailings are. Simply put, they want in.

“To phish, you need a hook,” Moghe says. “The hook for massive information theft is insider information. Once thieves get inside the database, masquerading as real users, the haul can amount to millions of cases of identity theft. Information theft scams are becoming more and more sophisticated, and identity theft from inside large databases will only increase.”

Phishing season is officially open; the good news, however, is that many of the same security measures that protect against viruses can shield the enterprise from phishers.

Live Bait