Phishing for your secrets

It’s reached the point where it’s not even a surprise. There was the usual e-mail from EarthLink with the usual clumsy English. When I expanded the headers, I found the usual spoofed IP address deep inside. Another day, another phishing e-mail.

I forwarded the e-mail to the Anti-Phishing Working Group (APWG) and to EarthLink for their consideration. Normally I would have erased the e-mail at that point, but just below it in my mailbox was an e-mail from the APWG about the latest phishing stats.

In case you don’t know what I mean by phishing, it’s an illegal practice in which criminals send out e-mails that appear to be from legitimate companies. The e-mails direct the unwary to what seems to be a legitimate Web site where the victim will be asked for information such as credit card numbers, user names and passwords, Social Security numbers, and the like. When obtained, this information is used for a variety of nefarious purposes.

What’s unsettling is the rate at which phishing is growing. According to a report just released by the APWG, phishing increased 52 percent in June since May of this year. What’s also alarming is that the practice is apparently working well enough that new phishing schemes and new fraudulent Web sites are increasing dramatically. Worse, phishers have gained a great deal of sophistication. For example, the bogus Web sites they use to entrap their victims may exist for only a few days before they’re harvested and moved.

“Web sites stay up only 2.25 days on the average,” says Dan Hubbard, director of security and technology research at Websense, a security products company. As big as the phishing problem is, Hubbard predicts that it will get much worse, and that it may not be long before it becomes a significant headache for IT departments.

After all, Hubbard says, it’s not difficult at all for someone to use the same phishing practices to get your employee user names and passwords. Suppose someone sent your entire employee list a spoofed e-mail that looked like it was from your CTO, asking them to visit a Web site that looked for all the world like an internal company site, but that really existed elsewhere, and requested they change their network passwords. You can imagine the chaos when users call up demanding to know why they couldn’t access the network (after all, they had changed their passwords, right?) while someone appearing to be your employee systematically loots your network.

There are things you can do to prevent this. The first is to make sure your network is protected against outside attacks. One favorite move for phishing is to turn an ordinary PC with an “always on” connection into a bogus server. The computers on your network are always on, right? Make sure you've got your firewalls and security systems patched and up to date.

Of course, you should also keep an eye on your Web servers, and use firewalls that can block phishing server access. But you must also train your employees not to blindly click on e-mailed links. Establish a policy that you will never ask for such information via e-mail. But you must act now before the problem gets out of hand. Enterprise phishing is now only in its infancy, but it’s sure to grow quickly.