Phishing Report: Top Threats & Trends in 2008 and Beyond
Interview with David Jevans, Director, Anti-Phishing Working Group

Phishing, vishing, whaling - there are a growing number of electronic social engineering threats to unsuspecting consumers and their identities. Financial institutions and their customers increasingly are targets of these attacks. But they're also fighting back.

Listen to this interview to hear:
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is phishing. I'm talking with David Jevans, Chairman of the Anti-Phishing Working Group. David thanks so much for joining me today.
DAVID JEVANS: Tom, it's a pleasure to be with you.
FIELD: Dave, just to sort of set some context for people, could you explain a little bit about the Anti-Phishing Working Group and what it is that you do?
JEVANS: Sure. The Anti-Phishing Working Group, or as we often call it the APWG, is a non-profit organization dedicated to eliminating identity theft and spoofing on the internet. We were started in the fall of 2003, just as the phishing problems began to emerge. We primarily saw it in Australia and then the U.K., and then we started seeing it in the U.S. just at the end of 2003. And we now have 2,000 member companies and government organizations from all across the world representing financial service institutions, payments processors, major e-commerce websites, ISPs, security companies and law enforcement agencies.
There are a couple of times a year where we have technical tracks around phishing and anti-phishing measures, we have law enforcement tracks where we talk about where are the bad guys, what are the new techniques, how do we go and find them, and we have public policy tracks often where we'll have the FDIC or FFIEC in or various folks from Treasury to come and talk about regulations and that kind of thing. And we run a number of different technical services as well for the security companies that are out there combating the phishing problem.
FIELD: So, Dave, you are coming up on the fifth anniversary of the group. What are some of the major phishing trends that you are seeing so far this year?
JEVANS: Well, 2008 is turning out to be kind of an interesting year. What we've seen is that mass market phishing, you know where they send out emails to a billion people, tends to be holding steady; the targets are changing a little bit. We are definitely seeing more attacks against smaller financial institutions like credit unions. We are seeing larger institutions being attacked, both here and in Europe primarily, and a little bit in Australia.
We are seeing non-traditional targets being the focus of phishing attacks as well, and those are primarily social networking sites where the goal may be to get passwords that could be reused on other sites or to drive advertising traffic by hijacking people's accounts.
We've seen some interesting phishing attacks against advertising services, online ad services, and the point there is the phishers take over those accounts and then the advertisements that might run on 10,000 legitimate sites it will point them to sites that distribute malware and crimeware, which then indirectly will go out and collect passwords and authentication data to all.
We've also seen an increase in what we call spear phishing, and this is a very insidious type of fraud for which it is very difficult to come up with any kind of statistics because it is so targeted. So the phishers will decide, for example, that they would like access into the accounts of very wealthy individuals or perhaps into business banking accounts that might have the ability to do transfers online of larger amounts, and so they will actually learn something about the company that they are targeting and trying to get into. They might find out the name of the CEO or the CFO or some of the security guys, and they will actually send targeted emails into those target companies with the person's name, potentially with other personally identifiable information, in an attempt to get that person to give up their password or to install malware, which will allow them later access into their banking or other kinds of accounts.
FIELD: Scary stuff.
JEVANS: Yeah. And it is a difficult one because it is hard to educate, and it is very hard to detect.
FIELD: Now Dave, at the recent RSA conference I went to a phishing session that was run by the security head at PayPal, and he said when he initially went to PayPal he went in to talk with his bosses and said 'What about the phishing problem?' and the response he got was 'Technically we don't have a phishing problem,' because at PayPal it sort of fell below the threshold of what they felt as pain. And this makes me wonder, do the financial institutions realize they have a phishing problem or like with PayPal, at least the way the attitude was, does it fall below the threshold of what they consider pain?
JEVANS: Well, Tom, I think there are a couple of ways to look at the threshold. One is financial losses, and in a very big picture I think that, you know, financial institutions have their hands full of potentially other larger areas of concern such as mortgage defaults and things of that nature. So if you look at pure financial losses, it is certainly not in the top one, two or three in a major financial institution. I mean, we are seeing institutions writing down billions these days so, you know, $10, $20, $50 million dollars in phishing at that institution obviously is below the radar.
But if you take a look at brand reputation, if you take a look at consumer trust in the financial institution and in banking online, that is where it is very difficult to compute what the losses are. And so we find a lot of financial institutions are very much concerned about the problem, as much from a confidence perspective and brand protection of their reputation, as they are from a financial losses perspective.
These institutions are definitely aware of the phishing problem. I will say that a few years ago, maybe 2004, even 2005, sometimes they would deny that there was any problem. But in the 2006, 2007 timeframe as some solutions, technology and process, started to become available we did see banks start implementing those solutions and then being able to educate their customers about the problem.
FIELD: That makes sense. Now we hear an awful lot these days about vishing. Can you describe that? Give us a sense of how effective that's becoming with financial institutions and their customers.
JEVANS: Sure. So vishing is voice phishing. It is basically a multi-channel attack, which may use email to lure somebody to give up a phone number for example at a customer service site. Or it may be a direct outbound call to a customer and it is basically a computer system typically pretending to be the financial institution with their voice tree. So it's not an email thing purely; it's actually simulating the IVR of a financial institution. So let me give you an example.
We send you an email saying please call this phone number, it's customer support, we have a problem with your credit card. Now if I put a phone number in there and I don't put a URL to a phishing site, the chances of that email being delivered through the spam filters are much higher. It doesn't look like spam. It doesn't look like phishing. So that is one reason.
So you will call this number and instead of actually calling the bank you typically tend to be calling a voice over IP (VoIP) line, which is hosted on some internet site where they may have cloned the bank's phone tree or they've recorded their own that sounds like the bank, and they will ask you for example to type in your credit card number and your expiration date. And to confirm it's you please enter your Social Security number or the last four digits of your Social Security number, or enter your CVV number, and from this they've basically gotten your personal information that they can use directly to use that card online or that they could use online to log into the banking system on your behalf.
So they are very effective attacks. I would say the good news is that they are not high in number. We don't see a large number of vishing attacks, but the ones that we do see tend to be effective.
FIELD: Now with phishing and vishing, what kind of solutions are you seeing that are proving to be effective from the financial institutions?
JEVANS: Well, I hate to say it but there is no silver bullet solution to the problem, and after looking at this space for five years with some of the smartest people on the planet I can say that I don't believe there is a 100% solution on the horizon. What there are, though, is a collection of techniques that when you combine them can make a dramatic impact on the phishing problem, and a couple of them revolve around authentication.
So, the first one is email authentication. And there are a couple of different ways to do this. There is something called Sender ID, which Microsoft is a big proponent of. And there is something called DKIM, which involves digitally signing email and that is something that Cisco and Yahoo are very big proponents of. We recommend that companies actually implement both of those, and what this allows you to do then is to state a policy that all the email that you send comes from a specific set of servers, and so major ISPs that are participating can actually not only take your email and know it is good, but they can reject email that appears to come from phishers and they know that is bad. This can really reduce the delivery of phishing emails out to your customer base.
The next technology that we see that financial institutions have implemented with great effectiveness is user authentication. So this is for example the use of cookies, of image based passwords in addition to user passwords, or in some cases the issuance of hard tokens, two-factor authentication tokens, to business customers so that you have a much higher confidence that the user that is logging into that account really is the user and is not a phisher trying to monetize the credentials.
Another area that is not quite so obvious, but that we find very effective, is user education. Being able to educate users that, for example, you will never send them an email with a clickable link or asking for their password. Believe it or not, educating your own marketing department not to send emails that look like phishing is also good because if you send emails that look like phishing emails and a phisher gets one of those, he is going to use that exact same email as a template for his next phishing attacks and your users are busy clicking on those emails and they will click on that email and fall for the attack. So internal education also seems to work quite well.
And I will leave you with a final one that has proven to be very helpful against phishing at places like PayPal, and that is working with law enforcement to actually try to put these people in jail. We find most companies out there actually are just happy if the phishing site goes away, and they don't have a lot of resources to actually do investigations and go after the bad guys, but the companies that come under a lot of attack and actually put the effort out to go and find the bad guys and get them in jail, they actually see their phishing attacks drop dramatically over a period of time. Because the bad guys realize that, hey, this is a very hard target and there are ramifications for us hacking them, so let's go somewhere else.
FIELD: Dave, I want to bring you back to a topic you mentioned just a couple of minutes ago, which was education. When it comes to phishing, so much seems to be the customers' burden because it is happening outside the institution where they are being called or emailed at home. How do institutions reach these prospective victims and effectively educate them about the risks?
JEVANS: Well, that is a very difficult one, Tom. The first reaction people have is, "Oh, we'll send an email to all of our customers to educate them about phishing." And as you can imagine, you would have to be very, very careful about that because that is the exact type of thing that the phishers do to try to trick your customers into coming to their website. So, we have found multi-channel education to be fairly effective, which is printing things on the monthly statements. Having warnings on your website or educational seminars on your website at the login screen, where you can basically educate users about events, authentications, about what kinds of emails you will send or not send, that type of thing works very well.
We've seen a few people do some education in the branch, as well, where they will have a little brochure that is available that talks about phishing. We find that if you pretend the problem doesn't exist, your users are going to get the mail anyway and it is going to cause a crisis of confidence. If you admit the problem exists because pretty much by now most users are aware of it, they really like to know what the bank is doing and that it is taking steps.
I'll give you another example. Wachovia has been doing billboard advertisements about fraud prevention and fraud protection and advertising where you can go to their website and learn more about how you can protect your identity.
FIELD: I'm going to ask you to sort of look into the crystal ball a bit David, given what you've seen so far this year, what do you think we will be discussing early in 2009 relative to phishing?
JEVANS: Well, that's a tough one. The bad guys are always innovating. I think that in 2009 we will be talking about, "Gee, why do we still have all of this phishing?" and we thought it was going to go away, because I think it is going to be at similar levels if not worse. But I think that probably the thing that will start occupying more and more conversation is the topic of malware and crimeware, which is malicious code that is distributed oftentimes through emails that basically are phishing type emails, but they are trying to get you to install software or to visit a website that has an exploit that installs software on your computer to sniff your passwords or to run other kinds of malicious code. And today I think people are aware of it.
I don't think people are aware as much that potentially anti-virus technology does not protect you as well as you might think, and I think the financial services industry is going to be talking about "Now what do we do if our customer is infected?" Whose responsibility is it? Do we cut them off the internet and say 'You can't come to our banking site unless you clean this malware off your computer?' You know, how do we educate them then, and how does this person even know what malware or crimeware is, and I think it is going to be the industry to beat over the coming years.
FIELD: So, it is safe to say that the APWG is not going to become obsolete anytime soon.
JEVANS: Well, I wish it would, but unfortunately I don't believe so. When we started the organization in 2003, I honestly believed that by 2004 the problem would be solved. I thought the email industry would come together and put authentication in email and we would be done. And what I realize is I didn't understand, one, how much money was available for the bad guys, which motivates them. I didn't understand how innovative it would get once hundreds or thousands of bad guys get involved and they are all very smart.
I think also you have to start realizing how big the internet actually is, and there are millions of email servers and tens of millions of web servers and billions of computers, and they are all points for vulnerability and we don't control our customers' desktops, so I think we are going to be living with the social engineering problems and the malware problems in this space for a long time.
FIELD: Well, Dave I appreciate your time and your insights today. Thanks so much for joining me.
JEVANS: You are most welcome, Tom.
FIELD: We've been talking with David Jevans, Chairman of the Anti-Phishing Working Group. For Information Security Media Group, I'm Tom Field. Thank you very much.