Phishing -- Can it happen at your institution?

Phishing -- it's not a matter of if it will occur at your institution; expect it to happen. Phishers are not dumb. They head toward where the money is: the customer accounts at banks and credit unions.

So what does a typical attack look like? First, the phishers swoop in and knock the bank's online site offline, commonly with a botnet-driven Distributed Denial of Service attack, and then they send out phishing emails to thousands of unsuspecting internet users, most of whom aren't even customers of the bank. The average phishing web site is up for only a matter of days, but that is long enough to net the phishers the money they then transfer out of accounts at U.S. banks into overseas accounts. By the time law enforcement catches up to the overseas accounts, the phishers are long gone, leaving only a trail of IP addresses to follow.

Can it happen to your institution? And more importantly, what are you prepared to do if it does? Ask Alan Smith; he'll tell you that he thought his bank was prepared, but found out otherwise. Bank Information Security Officer Alan Smith (not his real name) was interviewed by BankInfoSecurity.com about two recent phishing attacks that his West Coast bank suffered last year. "It was like watching a train wreck in slow motion," Smith said of the phishing attacks, which occurred over a three month period. "There was very little we could do about how they attacked us," he said. His bank's website is hosted by an outside service, whose other customers were also knocked out of service over a five day period.

After the attacks, Smith was determined to find out whether other banks faced the same threat, so he began calling other banks in his area. The other banks he talked to had "such an air of arrogance. They don't believe it will happen to them." Smith explained that he now knows differently. "If a fraudster is setting your bank up for a phishing attack there isn't a whole lot you can do to prevent them from attacking you." In the case of the attack against Smith's bank, which has more than 10 branches, the phishers sent out mass emails after the bank's website was taken offline by the DDoS.

Smith's bank had been taking all the right actions: it has a team of speakers who routinely address local groups on safe banking practices, and it provides information security best practices in the quarterly information security awareness newsletter it sends to customers. "We were doing everything we could to inform our customers about safe banking and information security awareness issues. The regulators were happy with what we were doing." But as Smith lamented, "It was all pretty fruitless, because the phishers are attacking a business built on trust. It only takes 4 or 5 customers who receive a phishing email to respond to it, and there goes our trust and credibility out the window."

While no losses due to the phishing attack were reported, Smith noted, "We all know that some people don't check their bank accounts every day, so had someone responded to the phishing email, they could have been wiped out."

The bank experienced two separate phishing attacks over a three month period. The first involved limited effort on the part of the attackers; the entire episode, including shutting down the site hosting the phishing page, took only a few days to stop.

The second attack, which one computer expert described as "one of the most vicious he'd seen," Smith said, was much more focused and aggressive. The morning began with a Distributed Denial of Service attack against the bank's public website from 80-100 IP addresses. "This blocked our host site, and knocked them offline. The IP address attacks kept changing addresses, and the administrator of our host site, suspecting a botnet, tried to reverse the attack by 'mirroring,' or pointing the attack back at the attacking IP addresses."

While this did not stop or even slow the attack, because the IP addresses kept changing so quickly, the bank's website host service managed to move the bank's website to a new internet address and eventually shut down the fraudulent websites. Local law enforcement was called in and a report was made to the FBI. "The local police wanted to know what happened, and what steps we took to stop the attack. They didn't give us much help in tracking down the perpetrators. They weren't prepared to respond to this type of electronic crime." The bank's reputation in the community also took a hit when the story made the local television news. "I was interviewed, and although we told them that we had suffered no losses, and provided background for what steps we took to stop it, the headline was 'local bank hit by phishing.'"

Smith has a staff of two: himself and one other security analyst dedicated to information security for the bank. The bank will soon offer two factor authentication for its online customers. One thing that surprised Smith was the response he received during and after the phishing attack. "I must have received more than 100 emails during the last attack from local, national and international email addresses, most of whom were helpful. Most said, 'FYI – this looks like a phishing attempt.'"

DEFINITIONS:

Botnet: A botnet is a group of Internet-connected computers that have been taken over by hackers without the knowledge of the computers' owners. These "zombie" computers are set up to forward transmissions, including spam or computer viruses, to other computers on the Internet.

Distributed Denial of Service (DDoS): A DDoS attack occurs when a large number of compromised computer systems attack one target, denying service to the regular, legitimate users of the website. The attack floods the target system with incoming messages and can force it to shut down, thereby denying legitimate users access to the system.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
