Hooked: Phishing is luring more and more of your customers

Phishing is no longer a nuisance crime. Sophisticated identity thieves are targeting customers of financial institutions and high-profile e-tailers in big numbers--and starting to get big results.

Unlike spammers, phishers' messages aren't aimed at selling male enhancement drugs, cut-rate mortgages or porn. Rather, phishers use common spamming techniques to generate vast numbers of e-mails that lure customers to spoofed Web sites and trick them into giving up passwords, credit card numbers and other personal information.

The problem has exploded since Earthlink issued its first warning a year ago. E-mail security provider Brightmail (recently acquired by Symantec) reported it detected 2.3 billion phishing messages in February alone. A study released by Gartner Research in May estimates that 76%of all known phishing attacks had occurred since last December. The Anti-Phishing Working Group (www.antiphishing.org), an industry association of more than 200 organizations, reported 1,125 unique phishing attacks in April, up from 402 in March and nearly seven times the number reported in January. Citibank was the overwhelming target of choice, with 475 attacks against it in April alone, followed by eBay, PayPal, US Bank and Barclays.

The startling growth of this threat has given the bad guys a head start. Fortunately, there are steps you can take to protect your organization, combining innovative technology and proactive policies and processes.

Phish Hooks
Phishers follow the money, so it's no surprise that organized crime, based largely in Asia and the former Soviet Bloc, appears to be behind the surge of attacks.

"Online usage of financial service has grown dramatically over the last two years," says Naftali Bennett, CEO of Cyota, a provider of antifraud and security products. "The universe and size of reward for the fraudster has increased dramatically." Security providers have been quick to respond, offering new techniques and repurposi

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

In January, Cyota launched Cyota FraudAction, a modular suite of services that combats phishing attacks. At the core of FraudAction is Cyota's antifraud command center, which detects potential phishing attacks by analyzing data pulled in by various probes, decoys and several of Cyota's partners.

Cyota's analysts create damage assessment reports based on parameters such as the number of hits, quality of the e-mail and type of information the attacker is trying to obtain. This gives Cyota's clients an early warning so they can shut down the phisher's site and alert their customers and provides forensics data to aid in possible prosecution.

In May, MarkMonitor, an Internet brand protection and corporate domain registration specialist, announced Fraud Protection, which uses distributed honeypots and sophisticated baiting techniques to draw in and identify potential attacks. The firm monitors chat rooms, newsgroups and domain registries, processing the data through its correlation engines to determine potential threats.

MarkMonitor gathers data to help customers shut down attackers. It also provides evidence should the customers decide to prosecute.

Cyveillance, an online risk monitoring and management services provider, gives early attack warnings through its Cyveillance Intelligence Center Technology, which monitors hundreds of thousands of junk e-mails daily and cases the Web for potential attack intelligence.

Brightmail offers e-mail security products and services, including Brightmail Anti-Fraud, which leverages Brightmail's Probe Network, consisting of more than 2 million decoy e-mail accounts and antispam technology to detect spoofing attempts characteristic of phishing attacks. If fraud is detected, Brightmail creates rules to block subsequent spoofed e-mails from reaching customer accounts.

Numerous other vendors--such as Tumbleweed Communications, CipherTrust and NetIntelligence--feature antispam and e-mail filtering products and services and are good sources of phishing intelligence.

Tumbleweed founded the Anti-Phishing Working Group last fall. Membership is open to financial institutions, online retailers, law enforcement organizations and vendors.

Fighting Back
Early warnings are good, but service providers have no control over how customers respond to spoofed e-mails. Since phishing attacks target customers at their homes and workplaces, it's critical to have a clear policy governing the solicitation of personal information. Many companies warn customers that they will never solicit authentication information through e-mail.

Make sure everyone in your organization is on the same policy page; imagine the damage if one of your divisions solicits personal information after your customers have been warned to watch out for it.

Consider these additional steps:

Growing Stakes
If you still don't think phishing is a problem, consider what's at risk:

The Gartner study estimates that 30 million Americans have received a phishing attack, and about 3% (1.78 million) submitted personal and/or financial information. This percentage is likely many times greater than the response to typical spam messages and more than enough to assure phishers a high return on a minimal investment. Other sources say the response rate is as high as 5 percent.

There isn't enough evidence to accurately estimate how much money phishers net, but Gartner estimates the direct cost to companies was $1.2 billion in 2003, and, given the dramatic increase in attacks this year, it's easy to foresee growing losses.

In addition to direct losses, add downtime in the face of concerted attacks, the cost of issuing new credentials to customers who have been compromised, the security spending and potential liability, and you have the potential for a serious problem.

And, it's hard to put a dollar value on trust.

"Losses are high," says Mark Shull, president and CEO of MarkMonitor, "but the growing concern is having consumers reluctant to do business online."

About the author
Nalneesh Gaur, CISSP, is a manager with Accenture's Security Specialty practice.

This article orginally appeared in Information Security magazine

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Web Security Advisor,   Application and Platform Security,   Email Protection,   Email and Messaging Threats (spam, phishing, instant messaging),   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Web Security Advisor DNS rebinding defenses still necessary, thanks to Web 2.0 New defenses for automated SQL injection attacks PCI compliance and Web applications: Code review or firewalls? Worst practices: Bad security incidents to avoid Web scanning and reporting best practices Social networking Web site threats manageable with good enterprise policy Enterprise security in 2008: Building trust into the application development process PCI DSS Section 6: A plan for tackling application security Making the case for Web application vulnerability scanners Preparing for uniform resource identifier (URI) exploits Email and Messaging Threats (spam, phishing, instant messaging) Unified communications: Securing a converged infrastructure Chained Exploits: How to prevent phishing attacks from corporate spies 3FN.net ISP shutdown interrupts spam campaigns Swine flu outbreak results in spam pandemic What does 'invoked by uid 78' mean? Economy fuels malware, spam Internet Explorer 8 includes a bevy of security features Adobe JBIG2 exploits being spammed, IBM warns Fierce competition prompted new Cisco email security options Cisco brings email security appliances closer to SaaS Email and Messaging Threats (spam, phishing, instant messaging) Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CAPTCHA  (SearchSecurity.com) challenge-response system  (SearchSecurity.com) crimeware  (SearchSecurity.com) pharming  (SearchSecurity.com) phishing  (SearchSecurity.com) Register of Known Spam Operations  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) Sender Policy Framework  (SearchSecurity.com) spam cocktail  (SearchSecurity.com) spear phishing  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.