Information Security Magazine
So Long Script Kiddies
by Lenny Zeltser
Issue: May 2007

Voice-Based Phishing
Voice-over-IP is emerging as another mechanism for phishing scams.

Traditional phishing attacks contact potential victims via email--a cheap mechanism for attackers. Now, making phone calls using voice-over-IP (VoIP) is becoming very cheap, opening the door to voice-based phishing attacks.

Voice-based phishing surfaced publicly last summer, as illustrated by discussion board messages from concerned recipients of such calls. Websense Security Labs documented one such attack on customers of Santa Barbara Bank & Trust last June, and sporadic reports since then indicate that such voice-based scams are active on the emerging threat landscape.

VoIP phishing attacks often begin with a recorded voice prompting the victim for sensitive information, perhaps claiming that the call is originating from the person's bank. Alternatively, the victim might be asked to call a phone number; in this case, the call is answered by an automated voice system that mimics the bank's system and asks the caller for sensitive information. People tend to trust phone calls more than they trust email, which is why such voice-based phishing can be very effective.

--LENNY ZELTSER

Targeted Email Attacks
In recent years, there has been a shift away from massive attacks, such as those caused by indiscriminate network worms or hooligan Web defacements. Targeted attacks are more profitable, because they are better at obtaining information, such as credit card account details and trade secrets, that is highly prized on the black market. They also offer a more efficient use of the attacker's resources.

Targeted attacks often take the form of spear phishing campaigns, which personalize the attacker's message to his audience. This increases the likelihood that recipients will be fooled into divulging confidential information. Although financial organizations have been deploying two-factor authentication in an attempt to curtail this threat, the victims remain vulnerable to man-in-the-middle attacks.

A carefully orchestrated phishing campaign last summer targeted CitiBusiness customers even though they employed one-time password tokens. The attacker's Web site prompted victims for the temporary "password" generated by the token, and passed it to the genuine CitiBusiness Web site. This allowed the attacker to access the victim's account immediately after the person logged on to the fraudulent Web site.
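The CitiBusiness case above shows why a one-time password does not, by itself, defeat a real-time relay: the bank only checks that the code is valid for the current time step, not where the customer typed it. The following is an added illustration written for this article, not code from the article, from Citi, or from any token vendor. It models the token with standard HOTP/TOTP (RFC 4226/6238), models the genuine site as an in-process class, and then shows a defensive variant in which the code is computed over the transaction details as well. The seed, account labels, timestamp and the `transaction_code` scheme are all constructed for the demo.

```python
"""
Why a time-based OTP is relayable within its window, and how binding the
code to the transaction limits what a relayed code can authorize.
Everything runs in-process; the "attacker page" is just a function that
forwards what it was given. All values below are constructed.
"""
import hashlib
import hmac
import struct

SEED = b"constructed-demo-seed-0123456789"   # constructed, shared by token and bank
STEP = 30                                    # seconds per TOTP step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the wall clock."""
    return hotp(secret, now // step)


def transaction_code(secret: bytes, now: int, dest: str, amount: int) -> str:
    """Constructed 'transaction-bound' code: the MAC input covers the time step
    and the transfer details, so the code authorizes one specific transfer."""
    msg = f"{now // STEP}|{dest}|{amount}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 6:06d}"


class Bank:
    """Minimal stand-in for the genuine site."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.sessions = set()
        self.transfers = []

    def login(self, code: str, now: int):
        """Plain OTP login: accept any code valid for the current time step."""
        if hmac.compare_digest(code, totp(self.secret, now)):
            session = f"sess-{len(self.sessions) + 1}"
            self.sessions.add(session)
            return session
        return None

    def transfer(self, session: str, dest: str, amount: int, code: str, now: int) -> bool:
        """Honor a transfer only if the code was computed over these exact details."""
        if session not in self.sessions:
            return False
        expected = transaction_code(self.secret, now, dest, amount)
        if not hmac.compare_digest(code, expected):
            return False
        self.transfers.append((dest, amount))
        return True


def relayed_login(bank: Bank, code_typed_by_victim: str, now: int):
    """The fraudulent page in the article simply forwarded the fresh code to
    the real site; this function does the same thing in-process."""
    return bank.login(code_typed_by_victim, now)


def demo(now: int = 1_180_000_000) -> dict:
    """Run the three scenarios and report what the bank accepted."""
    bank = Bank(SEED)
    victim_code = totp(SEED, now)          # what the token displays to the customer

    # 1. Real-time relay: the code is still inside its 30-second window, so the
    #    bank cannot distinguish the attacker's request from the victim's.
    attacker_session = relayed_login(bank, victim_code, now + 5)

    # 2. The same code replayed two steps later is rejected: relay only works live.
    stale = relayed_login(bank, victim_code, now + 2 * STEP)

    # 3. Transaction-bound code: the victim authorizes 100 to one payee; a relayed
    #    copy of that code does not verify for a different destination.
    victim_tx = transaction_code(SEED, now, "ACCT-PAYEE-CONSTRUCTED", 100)
    diverted = bank.transfer(attacker_session, "ACCT-ATTACKER-CONSTRUCTED", 100, victim_tx, now + 5)
    intended = bank.transfer(attacker_session, "ACCT-PAYEE-CONSTRUCTED", 100, victim_tx, now + 5)

    return {
        "relay_got_session": attacker_session is not None,
        "stale_replay_accepted": stale is not None,
        "diverted_transfer_accepted": diverted,
        "intended_transfer_accepted": intended,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The first two results are the whole lesson of the CitiBusiness incident: a time-based code is accepted from whoever presents it inside the window, so a proxy that forwards it immediately succeeds, and the time limit only forces the fraud to happen in real time. The third result shows the mitigation's limit as well as its value: binding the code to the destination and amount stops a relayed code from authorizing a different transfer, but only if the customer's token or phone displays the details it is signing, since a man-in-the-middle page that also controls what the customer sees can still present the attacker's payee as the intended one.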

While fooling victims into revealing sensitive data remains a popular tactic of phishing attacks, criminals are also using the social engineering power of email for other purposes. In one such attack reported last fall, staff at a five-star hotel received messages that tried to trick the employees into laundering money. The messages were disguised as notices submitted on behalf of the hotel's guests, included their names, and requested that money be paid to a third party after the hotel processed a credit card payment.

Another targeted email attack, reported by McAfee Avert Labs in February, involved email messages sent to two individuals at a specific company. The messages included a malicious Microsoft Word attachment, crafted to exploit a vulnerability that did not have a patch at the time. The company did not disclose what data, if any, was affected, but unfortunately, this was one of several public incidents in recent months where a zero-day exploit was delivered via email.

Email remains a popular attack vector because it is effective at bypassing network perimeter defenses such as firewalls. Organizations sometimes block dangerous email attachments from entering the network. As a result, attackers increasingly rely on phishing-style social engineering techniques or client-side exploits to download a malicious program via a connection that originates from the victim's computer.
