Defensive measures for evolving phishing tactics

There's more than one way to receive Threat Monitor Listen to this phishing tip on your computer or MP3 player

Rather than simply cloning credit cards and going on a shopping spree, the AT&T hackers decided to augment their stolen information lode to make it more suitable for full-scale identity theft. To achieve this, they decided to execute a follow-up attack using a new twist on a tried-and-true phishing tactic. They sent "phished" messages to the email addresses they stole, using the last four digits of recipients' real credit cards to establish credibility. The goal was to lure victims into clicking links to a fake AT&T Web site, where they would be asked to provide their dates of birth and social security numbers. Essentially the bad guys were using a little bit of the information they had stolen to get a lot more.

While some diligent customers (including at least one journalist) recognized the .org suffix on the bad guys' fake Web site and realized it was a con, it's worth wondering what the AT&T marketing and human factors people were thinking when they created the original sbcdslstore.com URL. What if the bad guys had registered close variations of the address, such as sbdslstore.com, sbcdsllstore.com, or anything else in this alphabet soup of names? Branding problems and URLs aside, it is quite clear that the days when we could tell users to spot phishing attacks by merely looking for mistyped words in their email are long gone.

More information Learn how to combat phone-phishing attacks. Discover how phishing emails are used to attack an organization's network and compromise customer data. Concerned about phishing threats? Ask Ed for help.

So, what can enterprises do to educate users and defend against this new type of phishing attack? You can start by instilling an inherent mistrust of email. Explain that messages are typically easy to spoof and are sent in clear text. Instruct them that should they receive an email requesting sensitive information, regardless of whether the message is suspicious or not, to follow up using methods independent of the email itself. Also, tell users not to click on email links received from credit card companies, banks or e-commerce sites that describe a problem with their accounts.

Instead, users should call the company using the phone number on their credit card, billing statement or a recent receipt. Never call a phone number included in an email, because phone-phishing threats are on the rise as well. If the user doesn't have a phone number to use, another option is to browse to the provider's site (again, not by using the link in the email, but instead by typing in a known legit URL into their browser). Then, login to the known, trusted site.

Next, consider deploying Web site-checking software, such as McAfee Inc.'s free SiteAdvisor (www.siteadvisor.com). This Internet Explorer and Firefox extension inspects Web sites in real time to determine if they are legitimate or fake. Then using McAfee's own research and analysis, SiteAdvisor gives the site a safety rating. It's important to note, however, that SiteAdvisor's results aren't perfect. I learned this when my own website, was deemed a potential menace simply because I have written articles on malware. Nonetheless it does give users a little more to go on than blind trust.

Also, deploy and vigorously update the antimalware and antispam software associated with your mail servers. Although they may have trouble with very targeted phishing attacks like that in the AT&T case, a huge number of widespread phishing attacks are stopped by such products.

Finally, given the newly raised stakes in the phishing game, user awareness programs and technical defenses against such attacks should be augmented.

About the author:
Ed Skoudis is a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions relating to information security threats.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Phishing Product Review: Sophos Endpoint Security and Control 8.0 EV SSL certificates won't stop phishers, researchers say Apple iPhone mail, Safari prone to spoofing ING hopes to cut phishing attacks with encryption software Companies still monitoring email manually, survey finds Trojan downloaders, droppers skyrocket, Microsoft says New phishing, Zeus Trojan technique spreads crimeware New Storm attack exploits April Fool's Day Clinton, Obama campaigns used in spam blasts How secure is online banking today? Phishing Research Identity Theft and Data Security Breaches Verizon breach study identifies industry specific threats Forever 21 security breach compromises nearly 99,000 payment cards PCI is about eliminating data, not securing it, former QSA says. Web security threats gaining attention at many companies Data breach discovery, disclosure outpaces 2007 Quiz: Data loss prevention TJX hacking ring charged in federal indictment Security data lapses hamper researchers Data breaches caused by employee errors, process failures Data breach laws have no effect on prevention, researchers say Threat Monitor Windows registry forensics: Investigating system-wide settings Weaponizing Kaminsky's DNS discovery Debian: A niche OS with a not-so-niche security flaw Web advertising exploits: Protecting Web browsers and servers Ransomware: How to deal with advanced encryption algorithms Hidden endpoints: Mitigating the threat of non-traditional network devices Protecting exposed servers from Google hacks (and Google 'dorks') Countermeasures against targeted attacks in the enterprise Windows registry forensics guide: Investigating hacker activities More built-in Windows commands for system analysis RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary crimeware  (SearchSecurity.com) pharming  (SearchSecurity.com) phishing  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) spear phishing  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.