Top Ten Phishing Facts
Learn how to improve security by arming users with knowledge--and your network with tools--to diminish the impact of phishing scams.
Every e-mail user has experienced phishing first-hand. Phishing refers to fraudulent communications that use social engineering and technical subterfuge to bait victims into disclosing personal identities and credentials. Phishing is big business: Criminals reel in billions from fraudulent financial transactions, executed with phished data.
With so much at stake, can you recognize a phish when you see one? More importantly, do you know how to avoid taking the bait? To refresh your memory, let's consider a few phishing stats or, pardon the pun, "phacts."
10) Phishers want to lure victims to fraudulent Websites, created to steal personal information, such as names, credit card and bank account numbers, social security numbers, and financial account logins and passwords. Bait can be delivered via SMS or phone, but usually arrives via e-mail, from mass-mailed spam or the more targeted "spear phishing." The good news: A study by Trusteer estimates that mail-server spam and phishing filters stop 63 percent of phishing e-mails from even reaching in-boxes.
9) Phishing messages hijack hundreds of brands per quarter, but most spoof just a few brands. According to McAfee, 95 percent of phishing e-mails pretend to be from Amazon, eBay, or banks. Targets can also be seasonal (e.g., IRS) or capitalize upon social trends (e.g., Facebook). When handling e-mail from what appears to be a trusted entity especially financial or payment processing never click on contained URLs.
8) Fake URLs often lead readers to phishing Websites that solicit private data. According to Avira, common methods include social engineering with look-alike URLs (e.g., replace "I" with "l"), phishing pop-ups on top of real site pages, and exploits that cause browsers to display the real URL, but phishing content (e.g., xss iframe phishing). To evade these tricks, don't depend on human eyes alone to spot fake URLs, keep browsers patched, use a filter, such as IE SmartScreen or Google Safe Browsing, and heed warnings.
7) Spear phishing encourages URL click-thru by incorporating details about the victim name, postal address, employer, partial account number to foster trust and compliance. Alas, this info is can be harvested from public sources (e.g., directories, social sites) and auto-inserted to create personally-tailored bait. An Intrepidus Group analysis of 69,000 workers around the world found that 23 percent fell for spear phishing scenarios. Looks can be deceiving; educate users about common phishing symptoms.
6) Whale phishing -- spear phishing narrowly aimed at high-value targets is on the rise. For example, according to Verisign, one April 2008 "US Tax Court" attack successfully duped nearly 2000 C-level execs into installing an "Acrobat viewer" to read a legal notice. Unfortunately, that viewer was actually a Trojan that forwarded captured keystrokes to a remote command and control center. Denying browser helper object (BHO) installs could have stopped this particular attack. More generally, browsing with minimal privileges can help deter phishing malware.
5) Phishing malware is growing more adept at financial data theft, due in part to organized crime funding. According to the Anti-Phishing Working Group, approximately 2% are now crimeware designed to steal data from specifically-targeted financial institution customers. Another one-third are data stealing and generic Trojans, designed to capture data from and/or remotely control a victim's computer. The rest are worms, phone fraud dialers, and other forms of malicious code. Legitimate anti-malware plays a critical role in fighting this scourge, but users must also beware of rogue (phony) anti-malware over 250,000 new rogue samples were reported in 4Q09.
4) One challenge associated with neutralizing phishing Websites is that a phish that spoofs a given brand can involve dozens of unique domains and hundreds of unique URLs. The APWG's 4Q09 Phishing Activity Trends Report [.pdf] offers the following stats for December: 46,190 unique phishing Websites together targeted a total of 249 brands, using 12,601 unique domains and an average 185.5 URLs per brand. Clearly, it's not enough to block one or two reportedly-bad URLs for a suspicious domain specificity matters.
3) Many security vendors and independent organizations track phishing incidents in near-real-time. According to PhishTank, over 60 percent of the 18,000 phishes reported by members in March 2010 were verified in a medium time of 4.5 hours. Apply a phishing feed at a DNS, firewall, or server can be a relatively transparent way to deter your users from being successfully phished. For example, OpenDNS uses a PhishTank feed to block DNS resolution for all outbound requests involving verified phishing domains.
2) Phishers also exploit domain name resolution, redirecting requests for real URLs to phishing sites. Malware can edit a victim's hosts file to substitute phishing IPs or edit DNS settings to redirect queries to a bogus DNS server. In "fast flux" attacks, the bogus DNS is itself just a "bot" that exists for a brief time, redirecting Web requests to other bots that host phishing sites. According to Arbor Networks, the average lifetime of a fast flux domain name in Q309 was just 9.7 days. A moving target is harder to defend against; good DNS hygiene can reduce the risk of being phished.
1) Finally, being a phishing victim is no phun for consumers or businesses. Trusteer's study Measuring the Effectiveness of In-the-Wild Phishing Attacks [PDF] estimates that just one half of one percent of online banking customers are successfully phished, but those incidents still cause $2.4M to $9.4M in annual losses per one million clients. What should you do if and when you find yourself in that unlucky minority? Check out the AWPG's advice and resources for consumers and Website owners [pdf].
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.
December 08, 2009
Michael Horowitz takes exception to a recent NYT article, which declared online banking to be nothing to worry about, and explains why you should concerned, too.