The Fight Against Online Fraudsters

For financial institutions stopping fraud and stemming phishing and crimeware from infecting their customer’s computers is a continuous battle. According to the Anti-Phishing Working Group’s most recent report, the number of unique phishing websites detected by APWG rose to 55,643 in April 2007, a massive jump of nearly 35,000 from March. The report also states that Financial Services continue to be the most targeted industry sector at 92.5% and the APWG report notes that several large US banks are among the most-attacked brands.

During a recent interview with Jens Hinrichsen, Product Marketing Manager in RSA’s Consumer Solutions Group, he shared some of the emerging trends RSA researchers are seeing in phishing and other online attacks. “The majority of online attacks happening against US targets are coming out of Eastern Europe, with an especially dense population of very savvy developers located in St. Petersburg. I’ll grant you that there are well known gangs in Nigeria and there are emerging gangs in Asia. At the end of the day, you must realize that fraudsters are everywhere,” Hinrichsen explained.

What worries Hinrichsen about the recent influx of phishing attacks (See related story: Online Attacks Increase at Financial Institutions) is not just the number of attacks, but where the attacks are taking place. “The fact that two dozen more institutions were attacked in May shows that the phishers are rotating the institutions they’re targeting.”

“These phishers will continue to rotate through the regional and smaller institutions. They are akin to sharks in the water. They go where the blood is, feed, and then they move on,” he noted. “If you look at the smaller, regional institutions these phishers are targeting, they are going after the most obvious exploits.”

When an institution realizes they’ve been attacked and takes steps to fix the exploit, “the phishers migrate elsewhere. It’s interesting when you see which institutions are being targeted,” he said. “Because phishing has been around for such a long time, to see that number of new institutions being targeted is very telling.”

He predicted that phishing will continue to be used to attack financial institutions. “It will be used against financial institutions that have less protection, and those lesser protected institutions will be hit by the simpler, easy-to-launch attacks,” he explained.

While the large financial institutions are still being hit by phishing, he noted, “Obviously the real concern is crimeware, which is that component of the overall malware space that targets two things. First, crimeware is being used to perform identity theft. It’s being in the same ways by fraudsters do in phishing attacks. But with crimeware, they’re doing it silently, without the user ever knowing that their identity has been taken. The second way is actual session hijacking of the user’s online session with their financial institution. While this is more rare, it’s growing, especially where one-time passwords is being used to authenticate users to their online accounts.”

The staggering sophistication and speed by which crimeware is growing is also worrying to Hinrichsen. “We’ve seen it in Brazil and Europe and in the last few months in the US, it’s begun to increase.” He pointed to a recent email sent to Australia’s online users announcing that the Australian Prime Minister had suffered a heart attack. “This didn’t require the user to click on an attachment. Simply by hitting the page, they became infected with crimeware,” he said.

Again, he pointed out that large institutions continue to be targeted with crimeware, “But I see it will move downward to the smaller institutions, at a much faster rate than phishing did,” he said. The crimeware being used to attack users can easily infect “tens of thousands of users, potentially before the latest anti-virus detects them,” Hinrichsen said, adding, “Signature based anti-virus protection is not enough to protect against this.”

Educating customers about phishing is recommended, and he suggested it can be done in a variety of ways, through the institution’s website, also by using interactive games and cartoons. “But unfortunately, no amount of education will protect the masses from crimeware infection,” Hinrichsen noted. He added to fight phishing and crimeware financial institutions are recommended to take a layered approach in setting up defenses on networks.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network