The Evolution of Online Fraud

By Thomas Schmidt

For financial services companies, the second half of 2004 was something of a perfect storm of Internet threat activity with an increase in "severe" events, rapid growth in "phishing" attempts, and additional threats to confidential information.

As if such developments aren't disturbing enough, they come at a time when the profile of the typical online fraud perpetrator is evolving. Indeed, a recent article in the newsweekly eWEEK describes a burgeoning phishing underworld:

"The ratio of risk to reward has drawn the attention of several organized crime groups in Brazil and in Eastern Europe, where the Russian mafia and its offshoots have assembled crews of crackers, fences, and code writers who handle everything from creating and sending fraudulent emails to converting ill-gotten goods into hard currency."

The eWEEK article goes on to detail the exploits of a Brazilian phishing gang that used a sophisticated scheme in which thousands of messages were sent to bank customers whose addresses were culled from a list stolen by a bank employee.

As the American Bankers Association noted in a report last year, phishing is but one element in a criminal enterprise that can lead to identity theft and fraud involving checking accounts, credit cards, even home mortgages. For financial institutions, the challenge is to combat new and constantly morphing forms of electronic identity theft.

This article will look at how phishing attacks in particular are evolving, and how phishers are modifying their tactics to trick users into divulging their confidential information. It will also discuss ways that users and financial services companies can protect themselves against these threats.

Attacks continue to evolve

Call it the new face of online fraud. Once motivated by the thrill of shutting down high-profile Web sites, Internet hackers are increasingly joining forces with organized crime groups as they seek to profit from hacking into databases and stealing personal data by a variety of tactics, such as phishing.

Speaking at the RSA Security Conference earlier this year, Ralph Basham, the director of the U.S. Secret Service, told Reuters how several law enforcement agencies in the U.S. and overseas disrupted an organized online crime ring that spanned eight U.S. states and six countries.

Given this new breed of perpetrator, it's not surprising that phishing attacks themselves are becoming more complex. In its most recent Phishing Activity Trends Report, the Anti-Phishing Working Group (APWG) observed that malicious code in the form of Trojan horses and keyloggers is increasingly common in phishing attacks, and that several new attack techniques are emerging:

  • Pharming: an attack that intercepts information between two parties in order to redirect users to a fraudulent location. The most popular form of pharming is DNS cache poisoning, in which the numeric address of a Web site is replaced in a resolver's cache with the address of a malicious site.
  • "Man-in-the-middle" attacks: these rely on some knowledge of how a given legitimate site processes logins. With that knowledge, a scammer can build a site that acts as a front end to the legitimate login site and that, for example, returns an error message if incorrect login data is submitted, so the victim sees nothing unusual.
  • Redirects: malicious code designed to send end users' network traffic somewhere it was not intended to go. Such code can alter DNS-specific information, redirect information to fraudulent sites, or install a network-level driver or filter that redirects to fraudulent locations.
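The pharming and redirect techniques above both leave a symptom a defender can look for on a client: a hosts-file entry that pins the bank's name to an address, or a resolver whose answer for the bank's name disagrees with an independent resolver's. The following check is an added example and is not code from the article or from any of the organizations it cites; the domains, addresses, hosts-file text and resolver answers are all constructed for the example, and in practice the answers would come from querying two resolvers (a library such as dnspython does this) rather than from a dictionary.

```python
"""Checks for the two local pharming vectors the list above names:
a hosts-file override and a poisoned resolver answer."""
import ipaddress

# Constructed sample hosts file; the bank domains and addresses are hypothetical.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# entry added by a dropper (constructed for this example)
203.0.113.45    www.example-bank.test online.example-bank.test
::1             localhost ip6-localhost
"""

# Hypothetical domains the institution wants watched on customer machines.
PROTECTED_DOMAINS = {"www.example-bank.test", "online.example-bank.test"}

# Constructed resolver answers: one name has been swapped at the local resolver.
SAMPLE_ANSWERS = {
    "www.example-bank.test": {
        "local-resolver": {"203.0.113.45"},
        "independent-resolver": {"198.51.100.10"},
    },
    "mail.example-bank.test": {
        "local-resolver": {"198.51.100.25"},
        "independent-resolver": {"198.51.100.25"},
    },
}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and junk."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address; ignore the line
        pairs.extend((ip, host.lower()) for host in fields[1:])
    return pairs


def hosts_overrides(text, protected=PROTECTED_DOMAINS):
    """Protected names pinned in the hosts file. A client never needs a static
    mapping for its bank, so any hit is suspicious whatever the address is."""
    return sorted((host, ip) for ip, host in parse_hosts(text) if host in protected)


def resolver_disagreements(answers):
    """Names for which the consulted resolvers returned different address sets.
    Disagreement is the visible symptom of a poisoned cache at one resolver."""
    flagged = {}
    for domain, by_resolver in answers.items():
        distinct = {frozenset(addrs) for addrs in by_resolver.values()}
        if len(distinct) > 1:
            flagged[domain] = by_resolver
    return flagged


if __name__ == "__main__":
    for host, ip in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts-file override: {host} -> {ip}")
    for domain, answers in resolver_disagreements(SAMPLE_ANSWERS).items():
        print(f"resolver disagreement for {domain}: {answers}")
```

The hosts-file check deliberately flags any pinned entry rather than comparing against a list of "good" addresses, because the bank's legitimate addresses change and a client has no reason to pin them at all.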

Phishing has evolved from simple attempts to obtain small items of information like gaming passwords to all-out identity theft. And it is being conducted through email, spyware, and blended threats.

Browser vulnerabilities, for example, are often exploited so that a legitimate URL appears in the browser window when in fact the user is accessing a malicious Web site. The Web site may also be manipulated to make the lock icon appear in the lower right-hand side of the browser window, misleading the user into believing that the site is secure when it is not. These Web sites often look exactly like the real ones, thereby tricking users into thinking that they are providing their confidential information to the legitimate site.

Other tactics that phishers are now using include schemes that ask users to submit information by fax or phone; JavaScript that plants pop-up windows on legitimate Web sites, intended to trick users into submitting personal information; and injecting legitimate Web sites with malicious code that loads spyware onto the end user's system. Vulnerabilities in legitimate Web sites also allow phishers to serve spoofed phishing pages through the legitimate Web site or server.

And it's not just users of big banks and mainstream consumer sites who are being targeted. Security researchers note that, increasingly, phishers are also going after customers of smaller banks and credit unions, a practice referred to as "puddle phishing."

The need for vigilance

As the Financial Services Technology Consortium and the Anti-Fraud Alliance have observed, customer education is one of the most effective ways for financial institutions to reduce the effectiveness of various phishing exploits. For its part, the Federal Trade Commission has issued a Consumer Alert containing the following recommendations:

  • If you get an email or pop-up message that asks for personal or financial information, do not reply. And don't click on the link in the message, either. Keep all preview panes closed.
  • Use anti-virus software and a firewall, and keep them up to date.
  • Don't email personal or financial information.
  • Review credit card and bank account statements as soon as you receive them to check for unauthorized charges.
  • Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
  • Forward spam that is phishing for information to the UCE Government Web site and to the company, bank, or organization impersonated in the phishing email.
  • If you believe you've been scammed, file your complaint at the FTC Web site, and then visit the FTC's Identity Theft Web site.

Fighting back

While there is no denying that phishing attacks continue to take a serious toll, the news is not all bad. As the APWG observed recently, law enforcement efforts are beginning to be effective, and a number of phishers have been investigated and arrested. Nevertheless, much work needs to be done. In particular, according to the APWG, "email authentication is going to be an important tool in reducing phishing and other types of email-based fraud." The APWG recommends that financial institutions work proactively to publish email authentication records and participate in trials and discussions regarding email signing standards.

Financial services companies can protect themselves primarily through the detection and filtering of email at the server level, via the MTA (mail transfer agent). Although the MTA will likely remain one of the primary points at which phishing mail is filtered, other attempts will be caught by upstream IP-based filtering and by filtering of HTTP traffic. DNS block lists (DNSBLs) offer more general protection and may mitigate some of the risk of phishing emails; however, they frequently run the risk of false positives. Sender Policy Framework (SPF), DomainKeys, and other similar solutions will not provide useful protection: phishers can easily purchase domains whose names resemble the targeted company's, publish SPF and similar records for them, and have their messages processed as SPF-valid email.
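The caveat in the paragraph above is easiest to see in code: SPF (as specified today in RFC 7208) only answers "is this IP authorised to send for this domain", so a cousin domain with its own honest record passes just as cleanly as the bank's. The minimal evaluator below is an added example, not code from the article or from any SPF implementation; the domains, TXT records and addresses are constructed, no live DNS is consulted, and only the ip4, ip6 and all mechanisms are handled.

```python
"""Minimal SPF evaluation over constructed DNS data, paired with the check that
SPF itself cannot make: whether the passing domain is actually the bank's."""
import ipaddress

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records for hypothetical domains.
TXT_RECORDS = {
    "example-bank.test": "v=spf1 ip4:198.51.100.0/24 -all",
    # cousin domain a phisher registered and gave a perfectly valid record
    "example-bank-secure.test": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Hypothetical set of domains the institution actually owns.
BRAND_DOMAINS = {"example-bank.test"}


def lookup_spf(domain, records=TXT_RECORDS):
    """Return the domain's SPF record text, or None when it publishes none."""
    record = records.get(domain.lower())
    return record if record and record.split()[0] == "v=spf1" else None


def check_spf(ip, mail_from_domain, records=TXT_RECORDS):
    """Evaluate ip4, ip6 and all mechanisms with their qualifiers.
    Mechanisms and modifiers that need further lookups (include, a, mx,
    exists, redirect) are out of scope here and yield 'permerror'."""
    record = lookup_spf(mail_from_domain, records)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # a v4 address is never "in" a v6 network and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        else:
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched: the RFC 7208 default


def classify_sender(ip, mail_from_domain, records=TXT_RECORDS, brand=BRAND_DOMAINS):
    """Combine the SPF result with domain ownership. A 'pass' only says the
    sender is authorised for that domain, not that the domain is yours."""
    spf = check_spf(ip, mail_from_domain, records)
    if spf == "pass" and mail_from_domain.lower() in brand:
        return "authentic"
    if spf == "pass":
        return "spf-pass-from-unowned-domain"  # the cousin-domain case
    if spf in ("fail", "softfail"):
        return "spoofed-or-unauthorised"
    return "unverified"


if __name__ == "__main__":
    for ip, domain in [("198.51.100.7", "example-bank.test"),
                       ("203.0.113.9", "example-bank.test"),
                       ("203.0.113.9", "example-bank-secure.test")]:
        print(f"{ip} as {domain}: spf={check_spf(ip, domain)} -> {classify_sender(ip, domain)}")
```

SPF does still catch the direct spoof (the bank's own domain sent from an address outside its record fails), which is why publishing records remains worthwhile; the third case is the one a separate ownership or lookalike check has to cover.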

General corporate best practices should also be followed, including monitoring Web server logs to make sure that complete downloads of the Web site (the raw material for a convincing copy) are not occurring. Financial services companies may also want to monitor the purchase of "cousin" domains by other entities: tracking the registration of new cousin domains lets a company identify purchases that could be used to spoof its corporate domain. Companies should ensure that their end users are educated about phishing in general and are advised about the latest phishing scams.
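Cousin-domain monitoring, as described above, comes down to screening each newly registered name against the brand for the substitutions phishers favour: the brand name plus a trust word, digits standing in for letters, and small typos. The screener below is an added example and not the article's or any vendor's code; the brand token, the owned-domain list and the registration feed are all constructed, and a real deployment would read the feed from a registrar or zone-file source and treat the hits as leads for review, not as proof of fraud.

```python
"""Flag cousin domains in a feed of new registrations against a brand name."""
import re

# Hypothetical brand, written the way customers would recognise it.
BRAND_TOKENS = ["examplebank"]
# Hypothetical domains the institution already owns; these are never flagged.
OWNED_DOMAINS = {"example-bank.test", "examplebank.test"}

# Digits and symbols commonly swapped for letters, mapped back to the letter.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed registration feed (no real registrations).
NEW_REGISTRATIONS = [
    "examp1ebank-secure.test",  # digit-for-letter plus a trust word
    "examplebank-login.test",   # brand plus a trust word
    "exampelbank.test",         # transposed letters
    "gardening-tips.test",      # unrelated
    "examplebank.test",         # already owned
]


def normalize(domain):
    """Lower-case the registrable label, undo digit-for-letter swaps, drop separators.
    Assumes the feed supplies registrable domains (brand.tld), not hostnames."""
    label = domain.lower().strip(".").rsplit(".", 1)[0]
    return re.sub(r"[^a-z0-9]", "", label.translate(HOMOGLYPHS))


def levenshtein(a, b):
    """Edit distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cousin_reason(domain, brand_tokens=BRAND_TOKENS):
    """Why a domain resembles the brand, or None if it does not."""
    norm = normalize(domain)
    for token in brand_tokens:
        if token in norm:
            return f"contains brand token '{token}'"
        max_dist = 2 if len(token) >= 8 else 1  # tolerate more typos in long names
        dist = levenshtein(norm, token)
        if dist <= max_dist:
            return f"edit distance {dist} from '{token}'"
    return None


def flag_cousins(feed, owned=OWNED_DOMAINS, brand_tokens=BRAND_TOKENS):
    """Return [(domain, reason)] for feed entries that resemble the brand and are not owned."""
    flagged = []
    for domain in feed:
        if domain.lower() in owned:
            continue
        reason = cousin_reason(domain, brand_tokens)
        if reason:
            flagged.append((domain, reason))
    return flagged


if __name__ == "__main__":
    for domain, reason in flag_cousins(NEW_REGISTRATIONS):
        print(f"{domain}: {reason}")
```

The containment test fires first because "brand plus a word" is the most common cousin pattern and never looks like a typo to an edit-distance check; the distance threshold scales with the token length so that short brand names do not match half the feed.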

Conclusion

Financial services companies that depend on the Internet to serve their customers can feel helpless in the face of today's phishing threats, which hijack their good names to steal from their customers. If phishing antidotes are not implemented, consumer trust is likely to erode and e-commerce growth will slow. An effective fraud management solution can reduce the risk of email fraud, which in turn will help restore consumer confidence.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

Entire contents ©2008 InfoEdge. All Rights Reserved.