Phishing and the threat to corporate networks.
Phishing, an increasingly common form of online theft, is the act of tricking computer users into handing over control of their online accounts using, typically, a combination of forged e-mail and web sites. "Phishing" is a hackers' term that comes from the scam's parallels with fishing, with the fake e-mails and web site acting as the "bait", and the victims' accounts as the netted "phish." Phishing is done by spamming out authentic-looking e-mails that claim to come from a well-known financial or e-commerce institution such as Citibank, PayPal, eBay or America Online. These e-mails contain different messages, but usually follow the same formula: the recipient is asked to click on a link contained within the message, taking them to what appears to be a legitimate web site. In fact, the web site is a clever forgery, often virtually indistinguishable from the real thing.
The senders of these phishing attacks know that the vast majority of recipients will have no dealings with the organization named in the e-mail and will disregard it. However, for the phishers, the probability that a small percentage will be account holders at the targeted organization makes it worthwhile. Even if only a tiny percentage fall prey to the trick, the phishers can make a significant amount of cash while the site is up and running--most phishing sites last only a few days before being shut down. Considering the low cost of setting up a web site and sending out thousands of e-mails, only a few victims are needed to turn the trick into a profitable scheme. According to the Anti-Phishing Working Group, an industry association formed to fight the problem of phishing and e-mail spoofing, phishers are able to convince up to 5 percent of recipients to respond.
An International Crime
Once the victim has entered their data onto the fake web site, the phishers can use it as they please. The usual goal is to clean out the account, but there are many other uses for the scam. Depending on the type of account which has been compromised, it can be used to help phishers commit further fraud or gain unauthorized access to networks. International phishers may find it hard to move stolen money out of a country without leaving a trail, so further spam e-mails may be sent to help them recruit "mules"--computer users who are promised a fee in return for allowing money to pass through their account. Sophos has reported on a scam in which innocent people were being asked to help phishers move their funds, under the guise of a money-making opportunity. (1)
Why Businesses Are Vulnerable
Phishing represents one aspect of the increasingly complex and converging security threats facing businesses today. The methods used by spammers have become more sophisticated, and spam is now increasingly combined with malware (malicious software) and used as a tool for online fraud or theft, or to propagate malicious code.
This convergence is well illustrated by the use of malicious code by phishers. Sophos has reported on one example in Brazil, where 53 people were arrested on suspicion of remotely installing Trojan horses on users' computers without their knowledge. The Trojans ran in the background, monitoring the users' login details when they visited certain online banking sites, and secretly passed the information on to thieves. (2) This is an example of phishing without using a forged web site--all that is needed is a spam e-mail which attempts to install the malicious code secretly. Another phishing technique, also reported in Brazil, involved using a secretly installed Trojan to redirect an affected user's internet browser to a phishing site, even when the legitimate URL of the online bank was typed into the address bar. (3)
So phishing can be considered a combined threat, part of a fast-changing and increasingly complex threat environment facing networks, and can encompass spam and various kinds of malware. However, it is a threat to businesses in its own right. Although phishing generally targets consumers, smaller businesses may be at risk, particularly where the corporate accounts are controlled by one or two people who may not have a great deal of technical knowledge. Larger organizations are not as likely to fall victim to an e-mail scam, but it is clearly preferable for employees to be protected from fraud attempts arriving in their inboxes via the corporate network.
It is therefore important that businesses use an integrated, robust solution to defend their e-mail gateway from spam such as phishing attacks and the many other varieties of e-mail-borne security threat.
A Growing Threat
There has been a surge in the number of reported phishing attacks. According to the Anti-Phishing Working Group, the number of phishing incidents rose by 4,000 percent between November 2003 and May 2004. A survey released by research group Gartner in May 2004 revealed that at least 1.8 million consumers had been the victims of phishing attacks, most within the past year. (4) Another report in October 2004 by research group IDC cited phishing as one of the fastest growing non-violent crimes in the Asia-Pacific region. (5)
How To Avoid Being Phished
There are several ways in which the chances of a successful phishing attack on an organization's IT infrastructure or a personal computer can be minimized. Careful checks and the exercise of caution when dealing with online accounts are vital.
Reputable companies do not ask their customers for passwords or account details in an e-mail. Even if you think the e-mail may be legitimate, never respond--contact the company by phone or by visiting their web site. Be cautious about opening attachments and downloading files, no matter who appears to have sent them. Many tricks are used to fool computer users into thinking they are reading a genuine e-mail--using the graphics, fonts and logos found in genuine e-mails from the targeted organization is common. These tricks are designed to lull the recipient into a false sense of security, but it can be difficult for even the most wary user to spot a forged e-mail. In a test of 200,000 e-mail users, fewer than 10 percent were able to distinguish phishing messages from legitimate e-mail all of the time. (6)
Aside from the appearance of the e-mail, phishers use sophisticated social engineering techniques to lower the recipient's guard. Messages often include an urgent call to action, perhaps claiming that "your account may have been accessed by unauthorized persons", or claiming that the recipient has won a prize. Some even pose as a warning against phishing.
Visit Banking And E-commerce Web Sites By Typing The URL into The Address Bar
Many reputable companies, including Sophos, provide links in customer e-mails, for example with links to news stories. The important factor to look out for in phishing attempts is the request for personal confidential data. However, if you suspect an e-mail from your bank or online company may be false, do not follow any links embedded within it--type the real address instead. Various tricks are used to dupe recipients into clicking on a phisher's URL.
One of the simplest is to make the phishing URL closely resemble the legitimate one, for example by adding a hyphen, a dot or using a different domain name. Another technique involves making the bogus link exactly resemble the real one. In an HTML e-mail this is relatively simple to do--standard HTML code can be used to make the text of the link say anything, regardless of where it actually leads to. One way to check that a link is not misleading is to look at the URL displayed in the bottom of the browser frame (status bar). However, only a certain number of characters can be displayed. This means that if a long enough URL is used, it can be disguised by starting it off with what appears to be a legitimate address and placing the "active" part--which actually directs the browser to the fake site--at the end of the string and hidden from view. An example might be: firstname.lastname@example.org. In this example, all that would be visible in the status bar would be www.anybank.com followed by some of the extra characters.
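Both tricks described above (link text that names one site while the link leads to another, and a "decoy@real-host" URL whose decoy prefix is all a truncated status bar shows) can be checked mechanically at the mail gateway before anyone clicks. The following is an added example, not code from the article or from Sophos; the sample message, the phishing host 203.0.113.5 and the function names are constructed for the illustration.

```python
# Added example: flag deceptive links in an HTML e-mail body. Detects a visible
# link text that names a domain other than the one the href actually leads to,
# and a URL whose userinfo part ("decoy@") mimics a trusted host.
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Domain or URL at the start of the visible link text; a leading "www." is dropped.
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class _LinkCollector(HTMLParser):
    # Collect (href, visible text) pairs for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def _bare(host):
    return host[4:] if host.startswith("www.") else host

def analyse_link(href, text):
    """Return the reasons a link is suspicious (empty list means it looks honest)."""
    reasons = []
    parts = urlsplit(href)
    real_host = (parts.hostname or "").lower()   # userinfo is already stripped here
    if "@" in parts.netloc:  # the browser connects to what follows the '@'
        decoy = parts.netloc.rsplit("@", 1)[0]
        reasons.append(f"'{decoy}' is a decoy; the browser goes to {real_host}")
    m = DOMAIN_RE.match(text.strip())
    if m:  # visible text names a domain: it must be the real host or its parent
        shown = m.group(1).lower()
        if shown != _bare(real_host) and not _bare(real_host).endswith("." + shown):
            reasons.append(f"text shows {shown} but link goes to {real_host or '(none)'}")
    return reasons

def scan_html(body):
    # Map each suspicious href in the body to its list of reasons.
    p = _LinkCollector()
    p.feed(body)
    return {h: r for h, t in p.links if (r := analyse_link(h, t))}

SAMPLE = """<p>Dear customer, please confirm your details.</p>
<a href="http://www.anybank.com@203.0.113.5/login">http://www.anybank.com/login</a>
<a href="http://www.anybank.com/news">Latest news</a>"""
```

Run against `SAMPLE`, only the first link is reported, with both reasons; the second link is ordinary text pointing at the same domain and passes.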
These issues were addressed in a Microsoft Critical Update in February 2004, but unpatched browsers are still vulnerable. A vulnerability also exists in some Internet Explorer and Mozilla browsers which (if unpatched) allow the legitimate web site's URL to be displayed in the address bar even when the phishing site is being viewed. (7) So it is important to keep software updated with security patches. However, even patched browsers may still have as-yet undiscovered vulnerabilities or flaws that phishers could exploit.
Check That The Web Site You Are Visiting is Secure And Legitimate
Before submitting your bank details or other sensitive information there are some visual checks that you can do. For example, to help ensure the site uses encryption to protect sensitive data:
* Check the web address in the address bar. If the web site you are visiting is on a secure server, it should start with "https://" ("s" for security) rather than the usual "http://".
* Look for a lock icon on the browser's status bar. You can check the level of encryption, expressed in bits, by hovering over the icon with the cursor.
However, it should be noted that both these indicators show only that the data is being encrypted before transmission; they are not a guarantee that the web site itself is legitimate--phishing sites can be set up on secure servers too.
You can also check that the URL you see in the address bar corresponds with the actual URL of the web site you are visiting by checking in the properties. To do this in Internet Explorer, right click with the mouse on the web site, select "properties" and compare the URL displayed in the pop-up box with the one shown in the address bar. By making sure that the two URLs correspond, you can also help protect against another favorite trick used in phishing sites. It makes the forged site look like a pop-up window and opens it up with the real web site in the background. When the requested data has been entered, the victim is transferred over to the real web site, completing the illusion that nothing illegal has happened.
Keep A Regular Check On Your Accounts
Regularly log into online accounts, and check statements. If you see any suspicious transactions, report them to your bank or relevant company.
Be Cautious With E-mails And Confidential Data
Most banks have a security page on their web site with information on carrying out safe transactions, along with the usual advice relating to confidential data: never let anyone know your PINs or passwords, do not write them down, and do not use the same password for all your online accounts. Avoid opening or replying to spam e-mails as this may give the sender confirmation that they have reached a live address. Use common sense when reading e-mails. If something seems implausible or too good to be true, then it probably is.
Always Report Suspicious Activity
If you receive an e-mail you suspect is not genuine, forward it to the organization it fraudulently claims to have come from. Many companies have a dedicated e-mail address for reporting such phishing attempts. Legislation against online criminals is having an effect. There have been arrests of suspected phishers in several countries, including the UK and Brazil, while in Australia an e-mail scammer who stole millions of dollars in an e-mail fraud was sentenced to five years in prison. (8)
Keeping Computers Secure
The threat of Trojans being used in phishing attacks raises the possibility of a "backdoor" being opened to allow attackers access to the affected computer or network. To combat this, installing a personal firewall will provide some measure of protection. As we have seen, keeping operating systems up to date with the latest security patches is also important in countering some of the phishing tricks already described, such as disguising headers and URLs. However, firewalls and patches will not stop users entering their details onto a forged site if they have been duped, and will not protect against the discovery by phishers of any further vulnerabilities in the future.
Using sender-authentication technologies may also help reduce the effect of phishing attacks. One such method is Sender Policy Framework (SPF). Under SPF, organizations publish lists of servers which are allowed to send e-mails on their behalf. Any e-mail which claims to come from an organization but does not originate from a server on its "approved" list can therefore be rejected. While SPF and other sender authentication technologies are fairly new, they have the potential to make phishing far more difficult since--in theory at least--phishers will only be able to send their spam from "unapproved" domains. The challenge with authentication alone is that while a recipient may be able to verify that a sender's address is not spoofed, the recipient also needs to know if they actually trust messages from that domain, and that it is not, for example, used by a known spammer.
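As an added example of the SPF rule just described (not the article's or Sophos's code): given the record a domain publishes and the IP address of the server that actually delivered a message, decide whether that server is on the domain's approved list. The record, the addresses and the function names are constructed; only the ip4, ip6 and all mechanisms are evaluated, because include, a and mx need live DNS lookups.

```python
# Added example: evaluate a published SPF record against the connecting server's
# IP address. Handles ip4, ip6 and all with their qualifiers; mechanisms that
# need DNS (include, a, mx, exists) are reported as "unsupported" rather than
# guessed. Record and addresses below are constructed for this example.
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, client_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none', 'permerror' or 'unsupported'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                     # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]    # catch-all: always matches
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unsupported"            # include:, a, mx, exists: need DNS
    return "neutral"                        # nothing matched and no 'all' term

# Constructed record for the hypothetical domain anybank.com: two approved
# sending ranges, and everything else explicitly rejected by "-all".
ANYBANK_SPF = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 -all"

def should_reject(record, client_ip):
    """The article's rule: reject mail whose sending server is not on the approved list."""
    return evaluate_spf(record, client_ip) == "fail"
```

A "pass" only shows the sending server is approved by that domain; whether the domain itself is trustworthy is the separate question the paragraph above raises.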
Organizations that choose a security solution which is backed by 24-hour global anti-virus and anti-spam labs are in the best position to protect themselves reliably from rapidly evolving combined threats such as phishing and other attacks. The most important step a business can take is to use an integrated gateway security solution to protect its IT infrastructure.
For more information visit www.sophos.com.
1. www.sophos.com/spaminfo/articles/phishrecruit.html ["Phishers recruit UK computer users into stealing money, 'Don't be a mule' says Sophos," 3 November 2004].
2. www.sophos.com/virusinfo/articles/brazilarrest.html ["53 arrests as Brazil cracks down on phishing Trojan authors, Sophos comments on online bank fraud," 21 October 2004].
3. msnbc.msn.com/id/6416723 ["A new, more sneaky phishing attack". By Bob Sullivan, 5 November 2004].
4. msnbc.msn.com/id/5184077 ["Survey: 2 million bank accounts robbed". By Bob Sullivan, 14 June 2004].
5. www.idc.com/getdoc.jsp?containerId=AP223108L ["Security Threats in Asia/Pacific (Excluding Japan) 2004"].
6. www.informationweek.com/showArticle.jhtml?articleID=48800408 ["Deceptive E-Mail Could Cost Consumers $500 Million, Study Finds". By Thomas Claburn, 30 September 2004].
7. www.millersmiles.co.uk/identitytheft/phishing.html ["Spoof E-mail Phishing Scams and Fake Web Pages or Sites". By Mat Bright, 23 February 2004].
8. www.sophos.com/spaminfo/articles/marinellis.html ["E-mail scammer who stole over £2 million sent to jail, Sophos reports," 8 November 2004].
Date: Feb 1, 2005