Prepare to fight Internet fraud surge, says expert

By Ron Condon, U.K. Bureau Chief
12 Oct 2009 | SearchSecurity.co.uk

Companies risk losing online business unless they take more care to protect their customers from falling prey to phishing scams, an expert has warned.

The warning follows the publication this week of around 20,000 webmail credentials on a public website. The details are thought to have been gathered through a phishing email asking people to re-confirm their webmail details. Around 10,000 Hotmail users were affected, plus a variety of users of other webmail services.

The list of details showed up on a software developers' website called Pastebin.com, which normally just acts as a place for developers to exchange ideas.

"This should be a concern especially for those companies that, in the current economic climate, have moved more of their business online," said William Beer, a director of the OneSecurity practice at PricewaterhouseCoopers LLP.

He said that companies need to learn to react faster to fight Internet fraud. "The criminals are very nimble and quick in developing new ways of operating, while companies tend to be very process-oriented. They are slow to react," he said. "They end up firefighting rather than taking a more strategic approach to the problem."

Phishing skyrockets!

A recent report found phishing websites reaching the second highest level ever recorded.

Beer said that companies should make sure their security teams have authority within their organisations, and that they should make it easy for defence programmes to be enacted very quickly.

But with tight budgets, he warned that enterprises will struggle to find the right resources as online fraud continues to grow. "While technical skills are required [to tackle the problem], specialists need to be able to engage with business leaders and build business cases," he said.

This latest theft of webmail credentials illustrates how the criminals can make use of low-value information as a springboard to gain more valuable personal and financial details. According to security firm Websense Inc., the last few days saw a surge in the number of spam emails sent from Yahoo!, Gmail and Hotmail accounts.

The messages were sent from user accounts to contacts in their address books, therefore appearing to be genuine. The emails recommended a product that could be bought from a website that was actually a fake. Those who were tempted to buy handed over their credit card or bank details, thereby providing the Internet fraudsters with the information they wanted.

"This is just another example of online fraudsters becoming increasingly adept at gaining personal and confidential information from unsuspecting victims," said Carl Leonard, European threat manager for Websense, in a statement. "Websense Security Labs have found that 37% of malicious Web attacks over the last six months included data-stealing code, demonstrating that attackers are clearly after essential information and personal data." In the same period, 85.6 percent of all unwanted emails contained links to spam sites and/or malicious websites, according to Websense.

And this week, the banking body Financial Fraud Action UK announced that the cost of online banking fraud had risen by 55% to a record £39 million during the first half of 2009.

But what can companies do if phishers impersonate them? Although phishing scams cannot be directly prevented by companies, PWC's Beer said organisations could do more to communicate good practice to customers. "This is not a technical problem, but companies need to give more focus to communication to inform their customers," he said.

According to Chris Barling, managing director of Actinic Ltd, a supplier of e-commerce website software mainly to small businesses, there is cause for optimism in some of the latest figures.

He pointed out that the statistics from Financial Fraud Action UK show an 18% decrease in card-not-present fraud for the first half of this year. Barling said the decline was largely due to increased use of the 3D Secure scheme, a technical standard created by Visa and MasterCard that adds a further security check and authentication for online purchases.

Barling agreed that educating users was vital to help them avoid falling for phishing scams, but insisted that consumers are well protected. "Online buyers take very little risk. They have an unqualified right to a chargeback for any fraudulent transactions made in their name. It's the merchants that complain that the card companies always side with the buyer."
