Phishing Comes of Age
2005 became the year that phishing shed its amateur hour image and became a widespread and increasingly sophisticated threat.
Guess what? I'm going to give you this check for $25,000 to pay for that used 4-way Xeon box sitting in the corner. The check is more than what it's worth. Just cash the check and send me the difference after you send me the box. Great deal, huh?
You should be shaking your head is disbelief right now. A friend recently faced this scenario. Hopeful that eBay had solved the phishing/scam problem, he was looking forward to auctioning off some gear. Unfortunately, he learned, no e-commerce site is immune.
The Anti-Phishing Working Group has released its 2005 Phishing survey results, and its a rather disheartening scene.
So what were the general results?
Not surprisingly the number of phishing reports have increased from 8,800 or so in December 2004 to over 15,200 in December of 2005. One would think that it would mean better awareness but when you realize that in that during that period the number of phishing sites shot up by over 400 percent (from 1707 to 7197).
Of course, the attacks center on our fixation with money. The brands used (or rather abused) have doubled in a year, but financial-based institutions remain the focus, representing nearly 90% of all the brands. One attack included the IRS as the brand proving that no one is exempt from being the bait.
Now, most people do mistakenly assume that nearly all attacks come primarily from foreign ports. The reality is that nearly 35 percent of all attacks originate in the US. This means that most victims should be able to prosecute the phisher for fraud.
The remaining top sources are the Republic of Korea, China, Germany, UK, Japan, Taiwan, Romania, France and Canada. To be fair, nearly 20% is split between Korea and China in this regards but it is still the US that reigns as the source of these attacks.
What comes to mind is why ISPs are letting this happen. Can you imagine if you owned a variety of properties that you rented out to companies and individuals, and never had it checked occasionally to ensure it wasnt used for illegal purposes even from a quick external glance? Would you not have the properties checked from time to time to ensure they are kept up to code and looked after?
I know that its not feasible all the time but there have been reports of repeated phishes from the same site. This shouldnt be happening. There has to be some accountability for repeated usage of sites for sources of phishing attacks.
And of course, enterprises dont have to worry about this. Their websites will never be compromised and used, and even if their employees did get phished, well thats the employees fault, right?
Nope. In fact, enterprises do need to be concerned. Regardless of your industry you may be a prime target for compromise. Once compromised, your website may unknowingly be used for a phishing scam. If you are a webmaster watch for hidden directories in the most unusual places. Perform recursive searches for those directories from the root of the web server.
And if the employees do get scammed, it could mean an even bigger issue for corporations today than a couple of years ago. A lot of the phishing scams are introducing Trojans and/or keyloggers at an alarming rate.
A look at December 2005 reveals well over double the number of Trojans/key loggers compared to December 2004 (180 compared to 77). This allows the attacker to gain access to the internal network regardless of the firewalls, IDSes, and other defenses you may have.
And remember, just because you have anti-virus installed doesnt mean that it will detect these beasties. Anti-virus will only detect patterns it knows. If its new, youll never know.
Also, be aware if employees claim to have been infected with spyware but were able to detect and delete it with a spyware removal tool. Ensure that the tool is a valid one. There are a few tools out there that are triggered to install a BOT or Trojan when they are run to detect spyware.
Additional forms of attack include the alteration of hosts files by some Trojans. This means that even if the user types the correct URL from scratch, the hosts file will redirect it to a phished site instead. The attacker can then just sit and wait. Again, the US is the primary country as to where these come from (25%) with Spain and Brazil consisting of another 25%. The remainder comes from China, Netherlands, Korea, Germany, Canada, Russia and France.
Something that is becoming apparent is that the phishing attacks are going beyond just the average user. They are going after staff to get access into a company, not just the clients that access it from the outside. This will become more costly and will require more restrictions on web surfing for employees, and could hinder research abilities for some industries.
So what is the best defense? Believe it or not, education.
No application. No magic pill. Just simple user education -- whether by the ISP to clients or by corporations to their employees -- on how to detect these kinds of attacks (how to read header information (AntiOnline has numerous threads on how to read email headers).
Also stress the importance of NOT using HTML-based email (text-only please), how to turn it off, and how to report any suspected incidents. Additionally, corporations and ISPs should be going after those committing these crimes. Its not the time in jail that will deter them. Take away their financial gain and it wont be a viable avenue for them to scam.
Still, you can still fool some of the people some of the time. Oddly enough as I was writing this, I received a phish attempt to verify my Visa over the web to some site in Brazil.
OK. Well, at least not all of the people.
This article was first published on EnterpriseITPlanet.com.