Phishers Becoming More Audacious In Approach

Financial institutions need to realize that the cybercriminals who target internet users with phishing attempts aren't going away anytime soon, says information security expert Aaron Emigh. "They're moving away from the purely deception-based attacks (simple emails in your inbox with links the phishers want you to click on, claiming to be your bank) to more insidious, sophisticated crimeware attack vectors, where users' online identities are stolen and then transactions are made with the compromised account information in several ways, including DNS hijacking and other methods." Their target is still your customers' money, account numbers or credit card numbers, he explained.


They're also becoming more sophisticated at defeating the anti-phishing mechanisms that companies, internet service providers and users are putting up to stop them, Emigh said. "In conventional deception attacks, they're using blacklist-busting URLs, and it's almost a game of 'Whack-A-Mole' to find and stop the phishing sites. Where blacklists and phishing toolbars are being integrated into browsers, the phishers are using unique subdomains for each group of emails to avoid being put on the blacklists," he explained.
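The subdomain trick Emigh describes works because a blacklist keyed on the full hostname never matches the next batch. The added example below (not code from the article or from Emigh) contrasts that with a blacklist keyed on the registrable domain (eTLD+1). The phishing URLs are constructed, the domain names are hypothetical, and the public-suffix set is a tiny stand-in for the real Public Suffix List.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: one campaign, each e-mail batch served from its own subdomain.
# The domain names are hypothetical and not taken from any real incident.
PHISHING_URLS = [
    "http://a1b2c3.secure-login-example.com/bank/index.php",
    "http://d4e5f6.secure-login-example.com/bank/index.php",
    "http://g7h8i9.secure-login-example.com/bank/index.php",
    "http://x9y8z7.secure-login-example.co.uk/bank/index.php",
    "http://update.another-phish-example.net/login",
]

# Stand-in for the Public Suffix List (assumption for this demo); load the full list in practice.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def registrable_domain(host):
    """Return the eTLD+1 of a hostname, e.g. 'a.b.example.co.uk' -> 'example.co.uk'.

    Walks from the full name toward the root, so the longest public suffix
    ('co.uk' rather than 'uk') is the one that matches.
    """
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def is_blocked_by_host(url, host_blocklist):
    """Exact-hostname blacklist: defeated by a fresh subdomain per batch."""
    return urlsplit(url).hostname in host_blocklist


def is_blocked_by_domain(url, domain_blocklist):
    """Registrable-domain blacklist: every subdomain of a listed domain is caught."""
    return registrable_domain(urlsplit(url).hostname) in domain_blocklist


def campaign_domains(urls):
    """Collapse a batch of reported URLs onto their registrable domains."""
    return Counter(registrable_domain(urlsplit(u).hostname) for u in urls)


def compare_blocklists(urls, seed_url):
    """Seed both kinds of list from one reported URL, then count campaign URLs each one stops."""
    host = urlsplit(seed_url).hostname
    by_host = sum(is_blocked_by_host(u, {host}) for u in urls)
    by_domain = sum(is_blocked_by_domain(u, {registrable_domain(host)}) for u in urls)
    return by_host, by_domain


if __name__ == "__main__":
    print(campaign_domains(PHISHING_URLS))
    print(compare_blocklists(PHISHING_URLS, PHISHING_URLS[0]))  # (1, 3)
```

Seeding from the first reported URL, the hostname list stops one of the five URLs and the registrable-domain list stops three; the other two sit on different registrable domains and need their own reports. Blocking at eTLD+1 is only safe with a real public-suffix list, because shared hosting and dynamic-DNS providers hand subdomains to unrelated parties and the list is what keeps them from being collapsed onto one owner.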

"We're seeing more pharming attacks, and man-in-the-middle attacks, which will render the two-factor authentication tokens significantly less effective," Emigh said. Recently released research on attacks against home wireless routers illustrates the trend: a router still using its default administrator password can be reconfigured by malicious JavaScript on a web page the victim merely visits. The script logs in to the router, changes its password and alters its DNS settings so that requests for the bank's hostname are sent to a site the attacker controls instead of the bank's own. Nothing beyond JavaScript is needed. Even so, there are scarier attacks on the horizon, he said.
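Why a man-in-the-middle makes a one-time code "significantly less effective" is easiest to see in a small simulation. The added example below is not from the article or from Emigh: it models a customer's token and the bank with a simplified HOTP-style code (HMAC over a counter), shows a phishing page relaying the freshly typed code to the bank while changing the destination account, and then shows the same relay failing when the code is bound to the transaction details (a transaction-signing token). The shared secret, account identifiers and amounts are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed shared secret, provisioned into the customer's token and stored at the bank.
SECRET = b"constructed-demo-token-seed"


def plain_code(secret, counter):
    """Event-based one-time code: HMAC over the counter only (simplified HOTP-style token)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % 1_000_000


def signed_code(secret, counter, dest_account, amount_cents):
    """Transaction-bound code: the HMAC also covers what the customer is authorising."""
    msg = counter.to_bytes(8, "big") + dest_account.encode() + amount_cents.to_bytes(8, "big")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % 1_000_000


class Token:
    """The customer's hardware token; its counter stays in step with the bank's."""

    def __init__(self, secret):
        self.secret, self.counter = secret, 0

    def next_plain(self):
        code = plain_code(self.secret, self.counter)
        self.counter += 1
        return code

    def next_signed(self, dest_account, amount_cents):
        # The customer keys the payee and amount into the token, so the code cannot be
        # re-used for a different transaction.
        code = signed_code(self.secret, self.counter, dest_account, amount_cents)
        self.counter += 1
        return code


class Bank:
    """The bank's verifier; the counter advances only on a successful check."""

    def __init__(self, secret):
        self.secret, self.counter = secret, 0

    def _check(self, expected, presented):
        ok = hmac.compare_digest(f"{expected:06d}", f"{presented:06d}")
        if ok:
            self.counter += 1
        return ok

    def transfer_with_plain(self, code, dest_account, amount_cents):
        # Destination and amount are not part of the code, so any payee is accepted.
        return self._check(plain_code(self.secret, self.counter), code)

    def transfer_with_signed(self, code, dest_account, amount_cents):
        return self._check(signed_code(self.secret, self.counter, dest_account, amount_cents), code)


# Constructed transaction details: what the customer meant, and what the phisher submits.
INTENDED = ("merchant-001", 2500)
DIVERTED = ("attacker-999", 2500)


def relay_attack(transaction_signing):
    """Phishing page captures the customer's code and relays it to the real bank with a
    different payee. Returns True if the bank accepts the diverted transfer."""
    token, bank = Token(SECRET), Bank(SECRET)
    if transaction_signing:
        code = token.next_signed(*INTENDED)
        return bank.transfer_with_signed(code, *DIVERTED)
    code = token.next_plain()
    return bank.transfer_with_plain(code, *DIVERTED)


def honest_transfer(transaction_signing):
    """Control case: the customer's code reaches the bank unmodified."""
    token, bank = Token(SECRET), Bank(SECRET)
    if transaction_signing:
        return bank.transfer_with_signed(token.next_signed(*INTENDED), *INTENDED)
    return bank.transfer_with_plain(token.next_plain(), *INTENDED)


if __name__ == "__main__":
    print("plain OTP, relayed and diverted:", relay_attack(False))   # True: attack succeeds
    print("signed OTP, relayed and diverted:", relay_attack(True))   # False: attack fails
```

The relay works against the plain code because the bank only learns that someone holding the token pressed its button within the validity window; it learns nothing about what the customer thought they were approving. The transaction-bound code closes that gap only if the customer enters (or sees) the real payee and amount on the token itself rather than on the web page, since a page the phisher controls can display whatever details it likes.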

The number of phishing sites soared in 2006, and the number of U.S. consumers duped by phishing schemes nearly doubled. In November 2006, the Anti-Phishing Working Group found 37,439 new sites, up 709 percent from the 4,630 sites found in November 2005.

The need for more consumer education is coupled with the need for financial institutions to practice what they preach, Emigh said. "Financial institutions compound problems for users by their own poor practices, such as using clickable links within their emails to customers, or having links that send the user to domains where it is not clear that it is the bank's domain, and also not using SSL on the login screen, or if they use it, not making it apparent to the user," he said. Users learn by doing, he added. "FIs shouldn't expect that their customers should understand the finer points of authentication, and just educating their customers won't be enough to stop phishing." Pharming is also on the rise, and it is much tougher for even experienced internet users to detect.

“In the real world, you can pretty much tell if you’re standing in front of a bank, with all the gleaming marble and glass, and at the same time, in the real world, you can quickly tell if you’re dealing with a guy who is posing as a bank, but he’s working out of a cardboard box on a street corner. On the Internet, it’s not that easy to tell the difference, and the phisher can steal a bank’s logo and create a site that looks like the bank’s website,” he explained.

Online security indicators are not good enough for users to say "this is a cardboard cutout of my bank," Emigh noted. The only differences are obscure indicators such as the SSL lock icon, and most users don't know that these should appear in a particular place.

Security indicators in the real world have evolved over a long period of time, and users can make sophisticated trust decisions based on what they know. In the online world, the indicators that would help people decide what is safe and what is fake are so far lacking. New methods of authenticating users, including mutual authentication, need to evolve and improve quickly to buoy trust in online banking, because cybercrime is growing very fast and can erode that trust, especially among customers who have already been stung by phishing, he said.


About the Author

Linda McGlasson


Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



