One of the oldest cons in the book, the confidence scam, has a new name: phishing. And it's putting IT on alert because of its potential to damage online business communications and compromise the datacentre.
"It's a shame this activity became known as phishing -- it's too cutesy," says Fredrick Pastore, an IT manager at a large Wall Street investment firm. "It should be identified by its real name: attempted fraud."
Phishers use spam to direct their victims to Web sites designed by thieves to resemble legitimate e-commerce sites. Who hasn't received an urgent e-mail from a phisher masquerading as a trustworthy representative from PayPal or eBay and threatening to terminate your account unless you go to a bogus Web site and hand over personal information?
Many have wised up. But according to the Anti-Phishing Working Group, nearly 5 per cent of recipients respond to phishing -- a far greater rate than the less than 1 per cent who respond to run-of-the-mill spam.
Phishers are employing increasingly sophisticated techniques, such as malicious code buried in images, keystroke-logging applications that download as soon as an e-mail is opened, and spoofed Web sites that look totally legitimate -- right down to the "security" padlock in the browser. One fear is that, as phishing scams get slicker and more people get duped, customers will throw up their hands, shop offline, and send business-related e-mail straight to the delete folder. Wary end users don't bode well for electronic bill paying and e-mail advertising, either.
"If consumers ignore communications from businesses and shy away from using online services, it will have a very negative impact" on the enterprise, observes Gregg Mastoras, senior security analyst at security solutions vendor Sophos.
Security experts expect the problem to get worse in 2005, touching almost every enterprise.
"We expect our company will be the target of a phishing attack in 2005," said Mark Merton, a network manager at a nationwide retailer that also sells online. "We already have employees who check the Net daily and alert us to any phishing activity that concerns us."
Because phishing is a main artery for identity theft in an era of widespread data consolidation, it's expected to spur more hacking attempts against the datacentre.
"The stakes are lot higher," notes Prat Moghe, CEO of Tizor Systems, which is developing an enterprise security monitoring product. Moghe thinks phishing scams will soon focus on large-scale identity theft from enterprise databases.
The stolen information can then be used as bait for targeted phishing schemes. For example, sending spam to a list of customers who are known to use a specific bank is more efficient and -- at least in theory -- more effective for phishers than random mailings are. Simply put, they want in.
"To phish, you need a hook," Moghe says. "The hook for massive information theft is insider information. Once thieves get inside the database, masquerading as real users, the haul can amount to millions of cases of identity theft. Information theft scams are becoming more and more sophisticated, and identity theft from inside large databases will only increase."
Phishing season is officially open; the good news, however, is that many of the same security measures that protect against viruses can shield the enterprise from phishers.
Live bait
According to Australian media reports, four high school students were recently charged with helping the mob drain millions of dollars from online bank accounts spanning from Australia to Eastern Europe. The criminals used bogus ads and spam to install Trojans that captured passwords and other bank details. The Australian teenagers were allegedly recruited to help transfer stolen funds into Eastern European-based bank accounts.
"Consumers have grown more educated about common phishing and identity theft," says Sophos' Mastoras. "Unfortunately, organised criminals are responding with more sophisticated techniques."
These days, criminals aren't just intent on clearing out entire accounts, they're also out to drain data stores of log-in IDs, passwords, and other sensitive data to use for their next crime. Phishers want real payback and are going to great lengths to get it. Poorly conceived phishing scams, those with misspellings and peculiar English -- when was the last time your bank called you "darling"? -- are being replaced by technological tricks that often don't even require the user to click on a URL.
A recent scam went live as soon as users opened a malicious e-mail in an unpatched or older version of Microsoft Outlook. When the often blank message was viewed, the computer's host file was quickly modified by a bit of code in the e-mail. The next time individuals attempted to log on to their banking site, they were invisibly redirected to a bogus Web site. Few, if any, knew they were doing business with a server somewhere in Russia.
The scam targeted customers of several financial institutions in Brazil and was soon followed by a similar attack against several British banks. Security experts expect to see variants in wide use soon.
"(Phishers) will ... begin to target the customers of any business that has an online component," says Natasha Stately, an information security analyst at MessageLabs, a provider of managed enterprise e-mail security solutions.
Phishing can also affect network security. For example, if users are allowed to choose their own log-in names and passwords, it's likely they use the same ones on many networks. When phishers know John Smith logs in as Jsmith13 and uses the password "superman" at eBay, they'll scour online postings and databases for more information about Smith. If they discover he works at your company, they can try to access your network by signing in as JSmith, superman.
Filleting phishers When asked how best to combat phishing, experts are quick to cite user education. "It's easy to dismiss user education as an exercise in futility, but we hear only about the failures," says security consultant Robert Ferrell. "Hard as it may be to believe, there really are people who have learned not to click on attachments. That said, you can't upgrade common sense, and you can't install intelligence. Humans will always be the weakest link in the system security chain."
The consensus is that warning about the evils of phishing won't be enough. Security experts are urging businesses not to include clickable URLs in e-mail sent to customers.
"Adopt a policy of no embedded links, and make certain your customers are aware of this policy," Ferrell says. "Bottom line: Let users come to you. Tell them where you are, but don't send a car to pick them up."
Many companies are doing just that by corresponding through private message centres. eBay provides all users an inbox called My Messages housed on the company's Web site. JPMorgan Chase does the same. This is successful if customers tend to revisit your site often and you don't stuff their message centres with unsolicited offers.
EarthLink and Comcast clearly spell out in customer e-mail -- as well as on their sites -- the types of information their technical support or accounting representatives will ask for, and they specify the channels through which such requests will be made. For example, EarthLink representatives may ask users for the last four digits of their Social Security number over the telephone or online before launching a live tech-support session -- but never by e-mail.
For the long term, enterprises will need to agree on and deploy a universal, foolproof, easy way to authenticate legitimate e-mail. A trusted sender certificate that works with S/MIME, which is supported by most e-mail programs, could help to assure recipients that the e-mail they receive is legitimate and validated by an independent certificate authority.
But eventually phishers are likely to find a way to hack the S/MIME certificate mechanism, just as they've managed to spoof other security certificates and the once-sacred padlock icon. According to experts, the ultimate answer to phishing is a global authentication standard that verifies that an e-mail has indeed been sent from its stated domain. They recommend that this e-mail "caller ID" be combined with strong authentication tools that integrate with Web browsers and alert users when they land on a spoofed Web site.
Meanwhile, IT should monitor attempts to register domain names that resemble legitimate corporate URLs. A common phishing trick involves setting up domains such as "paypaI.com". (Look at that URL closely. Did you spot the spoof? If not, the lowercase L is actually an uppercase i.) Cyveillance is one company that will monitor attempts to register domain names that are too close for comfort.
If your company does become the target of a phishing scam in the United States, law enforcers urge you to contact your local FBI's IC3 unit immediately. Complaints to an upstream ISP to get the phishing site taken down will be futile if the ISP makes most of its money catering to spammers and scammers.
Putting an alert on the front page of your company's public-facing Web site and setting up an e-mail address for customers to report phishing attempts are other good ideas. Joining an industry group such as the Anti-Phishing Working Group or Digital PhishNet can be helpful, too. As always, your best security defence is reliable information, openly shared.
Citing the challenge to keep all systems usable and secure, Mark Menton, a network manager at a nationwide online retailer, highlights a prevailing strategy that phishing has forced on the enterprise: "We'll beef up our monitoring of customer account activity, which will probably mean upgrading software, and we're looking into stronger authentication that involves more than just a user name and password."
Enterrpises share phishing stories
Phishers beware: IT is watching you watching them. The FBI is out to get you jailed, too.
Enterprises are banding together in an alliance dubbed Digital PhishNet to share information with one another and with the FBI about phishing schemes and breaches - the second they happen. The alliance's formal announcement came last month.
Stirling McBride, a fraud investigator at Microsoft, advanced the effort early on. Microsoft's security team has long been trolling the Internet for anything phishy and forwarding that information to the FBI's Internet Crime Complaint Center (IC3), as have other heavy hitters, including America Online, EarthLink and Lycos.
PhishNet's primary anti-phishing tool will be a shared database into which members enter information such as IP address, scam site registrant, and site host. The National Cyber Forensics and Training Alliance will analyse the data and create criminal profiles, which they will forward to law enforcers.
"Coordinated information about phishing schemes will help us focus on the most serious offenders," says Dan Larkin, unit chief at the IC3. "Digital PhishNet facilitates critical data collection between a large number of the targets of these crimes and establishes a pipeline directly to law enforcement, in real time, before the phisher has had time to disappear."
Timing is crucial. "We have to move as quickly as the phishers do - and they move very quickly creating phony sites, collecting credit card and other personal information, and then dismantling the site within just a couple of days," Larkin says.
Founding members of Digital PhishNet include AOL, Digital River, EarthLink, Lycos, Microsoft, Network Solutions, VeriSign Inc., the FBI, the U.S. Federal Trade Commission, the U.S. Secret Service, and the U.S. Postal Inspection Service.
Enterprises are invited to join by registering at www.digitalphishnet.org.
Although Digital PhishNet won't put an end to phishing, hopefully it will do more than the sceptics expect. Phishing is an international problem, and law enforcers will have to contend with layers of bureaucracy and all the various laws governing online fraud.
Much will depend on whether companies opt to share information about scams openly, something many have been reluctant to do. Shortly after Digital PhishNet was announced, InfoWorld asked EarthLink what countries host the majority of phishing Web sites. EarthLink's PR company provided the response: "The company does not proactively discuss where the largest number of phisher sites are hosted."
Nonetheless, Digital PhishNet is out to prove that security by obscurity is rarely effective.
Phishing ploys reflect savvy technical skills
When going up against hackers and organised crime intent on fraud through phishing, strategy is everything. Here are popular schemes listed (loosely) in order of severity.
Social engineering : Manipulates basic emotions: trust, fear, greed, kindness. Almost every phishing attack has a social-engineering component .Recent ploys urge people to fill out a form to receive a job, prizes, or gift certificates. Just before Christmas, phishers sent e-mails warning that recent online orders might be delayed unless recipients clicked on the URL and provided log-in names as well as passwords .Countermeasure: Ongoing user education
Cross-site Scripting : Allows phishers to launch attacks directly from compromised Web sites or to spoof legitimate sites. Greyhats Security Group recently demonstrated a flaw in IE's DHTML Edit ActiveX control that allows phishers to spoof secure e-commerce sites. When users click on a URL within an e-mail, the correct URL of the malicious Web site briefly appears in their browser's address bar and is then replaced by whichever URL the phisher designates. Phishers can also make the SSL padlock icon appear at the bottom of the browser .Countermeasure: Proper filtering and validation of received Web site input and proper encoding or filtering of the output returned to the user.
Blended Attacks: Relies on cross-site scripting, but rather than spoofing a legitimate site, scammers send victims to an authentic site by way of an e-mailed URL that contains malicious code. When the target arrives on the site, code embedded in the URL produces a legitimate looking pop-up log-in box that redirects the victim to a page on the phisher's Web site or simply collects log-in information. Countermeasure: Same as that for cross-site scripting
Rewrite and Redirect: Exploits Windows Scripting and does not require users to click on a link embedded in an e-mail. Instead, a small bit of programming code runs as soon as the e-mail is opened. The code attempts to rewrite the host files of infected machines. If the attack is successful, when users attempt to access online banking sites they are instead automatically redirected to a fraudulent Web site, which then attempts to capture the victim's banking log-on name, password, and other personal information. Countermeasure: Disable Windows Scripting Host.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.