Phishing is a form of identity theft, plain and simple. Attackers spoof legitimate Web sites, such as those belonging to financial institutions, to steal personally identifying information from customers. But why should IT and security managers carry some of the responsibility for protecting customers? Phishing puts the end user at risk of identity theft, but what risk is there to the organization being spoofed? Plenty, as we will...
In a typical phishing attack, the attacker puts up a Web site that looks nearly identical to the victim's Web site. The fake Web site usually obfuscates (encodes) the embedded Web links (such as http://%77%77%77%2E%6E%65%74%34%6E%7A%69%78%2E%63%6F%6D/ ) or the attacker will append a redirection command at the end of a real URL (such as http://[victimwebsite]/bin/auth/logon.asp?url=http://%77%77%77%2E%6E%65%74%34%6E%7A%69%78%2E%63%6F%6D/). When a user logs onto the fake Web site, their login credentials and/or personal information (address, social security number, credit card number, etc.) are put into the attacker's database.
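The two link tricks described above, checked the way a mail gateway or help desk might triage a reported e-mail. This is an added example, not the article's own code; every hostname is a constructed placeholder and the list of redirect parameter names is an assumption.

```python
"""Flag the two URL tricks the article describes: a percent-encoded hostname
that hides the real destination, and a redirect parameter appended to a genuine
URL so the link lands on the attacker's site. Added example, not the article's
own code; all hostnames are constructed placeholders."""
from urllib.parse import parse_qs, unquote, urlsplit

# Query keys that commonly carry a redirect target (an assumption for this demo).
REDIRECT_KEYS = {"url", "redirect", "next", "return", "goto"}


def analyze_url(url: str, trusted_host: str) -> dict:
    """Describe one link relative to the site we are protecting."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""        # "%77%77%77%2e..." is still encoded here
    host = unquote(raw_host).lower()       # decode it to see where the link really goes
    finding = {
        "host": host,
        "encoded_host": "%" in raw_host,   # legitimate hostnames are never percent-encoded
        "external_host": host != trusted_host,
        "redirect_to": None,
    }
    # parse_qs percent-decodes values once; unquote again in case the target was double-encoded
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_KEYS:
            for value in values:
                target = urlsplit(unquote(value))
                if target.hostname and target.hostname.lower() != trusted_host:
                    finding["redirect_to"] = target.hostname.lower()
    return finding


def is_suspicious(url: str, trusted_host: str) -> bool:
    """True when the link is encoded, points elsewhere, or bounces the user elsewhere."""
    f = analyze_url(url, trusted_host)
    return f["encoded_host"] or f["external_host"] or f["redirect_to"] is not None


# Constructed sample links of the kind found in phishing e-mail (not real sites).
SAMPLE_LINKS = [
    "https://bank.example.com/bin/auth/logon.asp?url=/accounts",               # genuine
    "http://%77%77%77%2E%65%78%61%6D%70%6C%65%2E%6E%65%74/",                   # encoded host
    "http://bank.example.com/bin/auth/logon.asp?url=http://www.example.net/",  # open redirect
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(is_suspicious(link, "bank.example.com"), analyze_url(link, "bank.example.com"))
```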
We can draw some general conclusions about the business risks of phishing attacks based on this year's rash of privacy breaches. Phishing attacks result in personal data loss and carry the same business risks as losing backup tapes or having a credit card database compromised. Certainly one of the most visible risks is bad publicity, leading to both long- and short-term loss of corporate reputation. In the MasterCard case, the loss of reputation may even lead to a permanent closure of business for the credit card processor involved. ChoicePoint, whose much-criticized breach began this rash of private data loss, still struggles to regain customer confidence and share value nearly a year after its saga began. The sad part is that in most of this year's cases, the company named (Time Warner, ChoicePoint, MasterCard) had little control over the actual loss of data; it was usually a tape/document storage vendor, shipping company or customer. However, the headlines still point the finger at the larger and better known name.
Phishing attacks bring with them other risks and costs as well, including the direct IT cost of locating the source of data loss. The attacks can be conducted through a rogue Web site that looks like yours or through a pharming attack that is plucking information directly from a compromised system. Identifying the source can be even more difficult if the attack comes from a botnet: compromised systems running small pieces of code (bots) that are controlled by a third party -- the phishers themselves. Fighting this brushfire reduces the ability of both the IT and business teams to conduct normal work, thus draining productivity. Lastly, in all of these situations, there is the risk of breaching both regulatory and legal requirements, such as the Sarbanes-Oxley Act, Japan's new Data Privacy law and the EU Data Privacy law, and finally the state breach notification laws that exist in 17 U.S. states.
Due to the enormous publicity around phishing, companies are attempting to mitigate the problem through a variety of methods. Data encryption has once again become a popular topic. Phishing risks can be minimized by using an HTTPS (secure) Web page linked with an encrypted database. An attacker could attempt to mimic this type of page, but it would be infinitely easier to detect. If the attacker tried to use a real URL with a false backend, he would need to hack into the HTTPS portion of the Web server to gain the privileges required to present the HTTPS page. This translates into more tracks left behind and an easier trace for an investigator.
Data encryption seems to be a no-brainer, but it has its share of risks. How easy is it to recover encrypted customer data, should the system go down? Will a simple tape restore actually bring a system back to full functionality, or is the encryption key lost with the data? How long does it take to encrypt the data in the first place, and what load does it place on the equipment? I am a huge fan of encryption, but I tend to look at solutions such as Digital Rights Management that encrypt at the point of data creation and are controlled by a central policy server that holds the encryption keys for easy recovery.
Other companies, such as ChoicePoint, have made significant improvements to their business processes regarding how a new customer gains access to the database. Still other firms are shifting their e-commerce sites to third-party vendors and away from their core data. This not only places another layer between the phishers and your data but shifts the risk toward the vendor as well. Many companies are putting messages prominently on their Web sites telling customers what information they request, how often and in what form. This helps to create a more informed consumer and fewer calls to your support center. Lastly, a very few of these companies are teaching their customers how to verify whether a questionable e-mail is legitimate, offering information on deciphering a suspect URL in the e-mail and where to go for additional information.
Given the risks and prevalence of phishing, it behooves organizations to protect themselves and their customers. As long as there is valuable customer or individually identifying information available, your company could be next.
About the author
Tom Bowers, CISSP, PMP, CEH, is a technical editor for Information Security and a manager of security operations at a pharmaceutical company.