Something Phishy

August 2, 2007

To many people, credit card fraud is something that happens when a wallet is lost or stolen, identity theft occurs only in Sandra Bullock movies, and phishing is some kind of reference to a jam band from Vermont. All of that may be true on some level, but these terms are also related to a phenomenon that’s becoming bigger and more dangerous every day: Internet crime. We’re all aware of the perils associated with spam, viruses, and other nuisances that creep into our crowded inboxes; unfortunately, when it comes to intrusive PC visitors, those nuisances are only the tip of the iceberg. The real enemies, the ones that threaten to divulge personal and financial information and severely degrade computer performance, include phishing, spyware, and keylogging. In this edition of Tech 101, we’ll explain these terms and discuss the scope of the problem, the damage that can be caused by such attacks, what PC owners can do to defend against attacks, what is being done on a higher level to quell this phenomenon, and how to determine if you or your company has been hijacked, with help from Dan Hubbard, Senior Director of security and technology research at Websense, Inc., Drew Carter, Product Manager at McAfee, and other resources.

What’s so Bad About Phishing Anyway?

It’s a word that certainly doesn’t sound very destructive but phishing is nothing to joke about. According to statistics gathered by the Gartner Group, “victims of phishing attacks are three times more likely to suffer some form of identity theft than the general population,” and in addition to posing threats to individuals, phishing can also lead to severe monetary losses for companies, tarnish brand images, and destroy the customer’s confidence in doing business over the internet.

So, What Exactly Is Phishing?

Representatives from VeriSign, an intelligent infrastructure services operator, describe phishing as “the latest con in a hacker’s bag of tricks,” a phenomenon that is “quickly gaining ground as an effective means for credit card fraud and identity theft. Using a social engineering tactic that preys on the trust a company has established with its customers, phishing attacks use e-mail messages to pose as a legitimate organization requesting sensitive information from its patrons.” Because the e-mails appear to originate from a credible source, recipients unwittingly divulge personal and financial information in their response, fooled by the fact that these counterfeit e-mails and websites “are often near perfect replicas of the original,” according to VeriSign sources.

Because the e-mails created by phishers are so authentic looking, phishers are able to generate responses from up to 5% of recipients, according to information presented in the Phishing Activity Trends Report, a publication produced monthly by the Anti-Phishing Working Group (APWG), “an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and e-mail spoofing.” In its November 2004 report, the APWG asserted that the number of active phishing sites reported that month was 1,518, indicating an average monthly growth rate of 28% since July. More than 50 brands were hijacked in November, with just six brands comprising 80% of reported hijackings. Perhaps the scariest statistic, however, is the 8,459 unique phishing e-mail messages that were reported in November, which was nearly four times the number of reports received in August and represented an average monthly growth rate of 34% since July.

What’s even more frightening than those figures is that only a small percentage of the population knows about this problem. “The general awareness, especially among consumers, is very low,” Dan Hubbard, Senior Director of security and technology research at Websense, Inc., said in an interview with MD Net Guide. “Even in high-level security officers, it’s still quite low.” Still, he continued, “it is evolving and becoming such a danger that it is gathering a lot of momentum quickly.” By launching what is referred to as a “blended threat,” an attacker can unleash a worm component, a keylogger, a Trojan horse, a phishing component, and more, all into one system, which can then work together to create one huge nightmare for the user(s).

I Spy With My Little Eye... a Bank Account!

According to Drew Carter, Product Manager at McAfee, once these components have worked their way into a computer, the hacker can keep a close eye on its use with a keylogger, a program that monitors every keystroke a user makes on his or her computer, then “sends the record of those keystrokes back to the hacker,” said Carter. “The hacker can sort through the user’s information to locate a user ID and password, and if the user happens to be logged into a bank account, the hacker can then log into the bank account and completely deplete it,” warned Carter. “Additionally, when an Internet browser hijacker is used, it often replaces your homepage, redirects Internet searches, etc, in order to... direct traffic to a particular website.”

It’s this scary reality that makes keylogging “the most dangerous threat” associated with phishing in Hubbard’s opinion. “There are also a lot of vulnerabilities which are being exploited. By simply going to a website you can be infected without even running anything,” he said. “You don’t have to be fooled by a fake site or anything like that. It just happens in the background without you ever knowing.”

But one burning question still exists: What can consumers and businesses do to alleviate and prevent these problems?

Going on the Defensive

Rarely can we justify squeezing a sports analogy into our esteemed publication, but when it comes to protecting personal and financial information from hackers and hijackers, the best defense is a good offense. The best way to do this, short of hiring Bill Belichick, is to get your hands on a quality anti-phishing, anti-spyware, or combination software program. Below, we’ve listed some of the top products on the market for this purpose:

• Websense Enterprise

• McAfee Internet Security Suite

• VeriSign Anti-Phishing Solution

• Panda Platinum Internet Security 2005

• Norton Internet Security 2005

Programs like the ones listed above are extremely beneficial in offering individual PC owners and businesses the protection that is so necessary in today’s dangerous Internet environment. However, it isn’t enough to simply address security threats once they’ve already been detected. That’s precisely why industry groups like APWG have “responded by calling attention to new attacks and working to shut down Web sites used in the scams to harvest personal information from unsuspecting Internet users.” In a joint effort to nip this growing problem in the bud, “leading companies and law enforcement agencies unveiled a new antiphishing initiative. Digital PhishNet brings together companies such as Microsoft, America Online, and VeriSign with the US Federal Bureau of Investigation, US Secret Service, and US Postal Inspection Service to improve coordination when identifying and shutting down phishing sites,” according to an article published in PC World.

By getting as many organizations as possible involved, and by continuing to spread awareness among consumers and the business community of the dangers posed by Internet attacks that can turn a few clicks on the computer into a horrific experience, the ever-expanding community of PC users can make terms like phishing and spyware obsolete.

In the meantime, make sure your PC or system is protected with a reliable software program.

MSN Money compiled a list of tips for PC owners on how to protect against phishing scams, how to recognize infected e-mails and websites, and what to do when you spot them.

How to Avoid Getting Hooked by a Phishing Scam:

• Be extremely suspicious of any e-mail with urgent requests for personal financial information.

• Don’t fill out forms in e-mail messages that ask for personal financial information.

• Don’t use the links in an e-mail to get to any website if you suspect the message might not be authentic. Phone the company or log onto the website directly by typing its Web address in your browser.

• Don’t give credit card numbers or account information unless you’re using a secure website or the telephone. Check the beginning of the Web address in your browser’s address bar. A secure site should show as “https://” rather than just http://. Bear in mind that https:// only means the connection is encrypted; a phishing site can use it too, so also confirm that the domain shown in the address bar is the company’s own.

• Be very cautious of e-mail attachments.

• Check your bank and credit card statements online on a regular basis. Make sure the transactions are legitimate.

• Use anti-virus software, and keep it up to date.

• Keep your computer’s operating system up to date, and download security patches.

• Consider installing a Web browser toolbar to help protect you from known phishing fraud websites.

• Report the attacks by forwarding the phishing e-mail to the following addresses: spam@uce.gov, reportphishing@antiphishing.org, and to the “abuse” e-mail address at the company that is being spoofed.
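Several of the tips above (urgent wording, links that don’t go where they say they go, plain http:// on a page asking for account details) can be checked mechanically before anyone clicks. The following is an added example, not code from the original article or from any of the vendors it names; it runs the checks over a constructed sample message and uses only the Python standard library. The host `bank.example.com`, the address `192.0.2.10`, and the lookalike `bank.example.com.evil.example` are made up for illustration, and `registrable()` is a deliberately crude “last two labels” approximation rather than a real public-suffix lookup.

```python
"""Flag the link and wording tricks common in phishing e-mail.

Added example with a constructed sample message; not from the original
article. Standard library only, so it runs offline.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style HTML body (not a real message). The first link
# shows the bank's address as visible text but points at an IP address; the
# second uses a lookalike host; the third is a genuine-looking https link.
SAMPLE_HTML = """
<p>Dear customer, your account will be suspended within 24 hours.</p>
<p>Please verify now: <a href="http://192.0.2.10/login/bank.example.com">
https://www.bank.example.com/secure</a></p>
<p>Or visit <a href="http://bank.example.com.evil.example/verify">bank.example.com</a></p>
<p>Statements: <a href="https://www.bank.example.com/statements">Statements</a></p>
"""

# Phrases typical of the "urgent request" pattern the tips warn about.
URGENT = ("suspend", "within 24 hours", "verify now", "immediately")

# Visible anchor text that itself looks like a URL or hostname.
URLISH = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/?#]|$)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip(host):
    """True for an IP-literal host such as 192.0.2.10."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Crude registrable domain: last two labels (no public-suffix list)."""
    if is_ip(host):
        return host
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def shown_host(text):
    """Hostname implied by the visible link text, or '' if it isn't URL-like."""
    t = text.strip()
    if not URLISH.match(t):
        return ""
    if "://" not in t:
        t = "http://" + t
    return urlparse(t).hostname or ""


def check_link(href, text, trusted_domain):
    """Return a list of findings for one link; empty means nothing suspicious."""
    findings = []
    u = urlparse(href)
    host = u.hostname or ""
    if u.scheme != "https":
        findings.append("not-https")
    if is_ip(host):
        findings.append("ip-literal-host")
    shown = shown_host(text)
    if shown and registrable(shown) != registrable(host):
        findings.append("href-host-mismatch")
    if registrable(host) != trusted_domain:
        findings.append("not-trusted-domain")
    return findings


def urgent_phrases(html):
    """Which of the URGENT phrases appear in the message text."""
    lowered = html.lower()
    return [p for p in URGENT if p in lowered]


def scan(html, trusted_domain):
    """Extract every link and return [(href, findings), ...]."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(href, text, trusted_domain)) for href, text in parser.links]


if __name__ == "__main__":
    print("urgent phrases:", urgent_phrases(SAMPLE_HTML))
    for href, findings in scan(SAMPLE_HTML, "example.com"):
        print(href, "->", findings or "ok")
```

Run it with no arguments to see the three sample links scored; only the https link to the bank’s own domain comes back clean. The host-mismatch check is the one most worth keeping: an anchor whose visible text names one site while its href points at another is the signature of the “near perfect replica” lure the article describes.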

Additional Resources

• Anti-Phishing Working Group

• ClearCommerce Fraud Detection Solutions

• CNET Virus Center

• ComputerWorld.com Security Knowledge Center

• CyberSource Fraud Screening

• Federal Trade Commission ID Theft Home

• Internet Fraud Complaint Center

• MarkMonitor Anti-Phishing & Fraud Protection

• NameProtect Solutions: Identity Theft & Fraud Prevention

• Symantec Online Fraud Management

• VirusList.com