Defensive measures for evolving phishing tactics

There's more than one way to receive Threat Monitor Listen to this phishing tip on your computer or MP3 player

Rather than simply cloning credit cards and going on a shopping spree, the AT&T hackers decided to augment their stolen information lode to make it more suitable for full-scale identity theft. To achieve this, they decided to execute a follow-up attack using a new twist on a tried-and-true phishing tactic. They sent "phished" messages to the email addresses they stole, using the last four digits of recipients' real credit cards to establish credibility. The goal was to lure victims into clicking links to a fake AT&T Web site, where they would be asked to provide their dates of birth and social security numbers. Essentially the bad guys were using a little bit of the information they had stolen to get a lot more.

While some diligent customers (including at least one journalist) recognized the .org suffix on the bad guys' fake Web site and realized it was a con, it's worth wondering what the AT&T marketing and human factors people were thinking when they created the original sbcdslstore.com URL. What if the bad guys had registered close variations of the address, such as sbdslstore.com, sbcdsllstore.com, or anything else in this alphabet soup of names? Branding problems and URLs aside, it is quite clear that the days when we could tell users to spot phishing attacks by merely looking for mistyped words in their email are long gone.

More information Learn how to combat phone-phishing attacks. Discover how phishing emails are used to attack an organization's network and compromise customer data. Concerned about phishing threats? Ask Ed for help.

So, what can enterprises do to educate users and defend against this new type of phishing attack? You can start by instilling an inherent mistrust of email. Explain that messages are typically easy to spoof and are sent in clear text. Instruct them that should they receive an email requesting sensitive information, regardless of whether the message is suspicious or not, to follow up using methods independent of the email itself. Also, tell users not to click on email links received from credit card companies, banks or e-commerce sites that describe a problem with their accounts.

Instead, users should call the company using the phone number on their credit card, billing statement or a recent receipt. Never call a phone number included in an email, because phone-phishing threats are on the rise as well. If the user doesn't have a phone number to use, another option is to browse to the provider's site (again, not by using the link in the email, but instead by typing in a known legit URL into their browser). Then, login to the known, trusted site.

Next, consider deploying Web site-checking software, such as McAfee Inc.'s free SiteAdvisor (www.siteadvisor.com). This Internet Explorer and Firefox extension inspects Web sites in real time to determine if they are legitimate or fake. Then using McAfee's own research and analysis, SiteAdvisor gives the site a safety rating. It's important to note, however, that SiteAdvisor's results aren't perfect. I learned this when my own website, was deemed a potential menace simply because I have written articles on malware. Nonetheless it does give users a little more to go on than blind trust.

Also, deploy and vigorously update the antimalware and antispam software associated with your mail servers. Although they may have trouble with very targeted phishing attacks like that in the AT&T case, a huge number of widespread phishing attacks are stopped by such products.

Finally, given the newly raised stakes in the phishing game, user awareness programs and technical defenses against such attacks should be augmented.

About the author:
Ed Skoudis is a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions relating to information security threats.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Enterprise Data Protection,   Identity Theft and Data Security Breaches,   Threat Monitor,   Application and Platform Security,   Email Protection,   Email and Messaging Threats (spam, phishing, instant messaging),   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Identity Theft and Data Security Breaches Chip and PIN adoption serves lesson for U.S. payment industry Group to shed light on secure identity management threats Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection University data breach exposes 163,000 women to identity theft TJX thrives following breach, bucks sour economy Security expert's PCI analysis misguided, says PCI Council GM External attacks start with unintentional mistakes, survey finds Threat Monitor How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Cyberwarfare and the enterprise: Is the threat real? Software security threats and employee awareness training Newest malware threats How to defend against rogue DHCP server malware When BIOS updates become malware attacks Email and Messaging Threats (spam, phishing, instant messaging) Messaging security risks have upper hand on solutions Web-based attacks skyrocket, pirating sites surge, security firms say Pushdo botnet uses Facebook to spread malicious email attachment Scareware report highlights successful business model How to prevent phishing attacks with social engineering tests Phishing protection begins with training, antiphishing evangelist Phishing attacks to remain a major problem, say security experts Barracuda acquires Purewire expanding Web security reach FBI raids phishing crime ring, nearly 100 arrested Massive phishing scheme affects Microsoft Hotmail accounts Email and Messaging Threats (spam, phishing, instant messaging) Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) CISP-PCI  (SearchFinancialSecurity.com) cookie poisoning  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) extrusion prevention  (SearchSecurity.com) identity theft  (SearchSecurity.com) parameter tampering  (SearchSecurity.com) pretexting  (SearchCIO.com) Rock Phish  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.