Phishing attacks to remain a major problem, say security experts

By Robert Westervelt, News Editor 13 Oct 2009 | SearchSecurity.com

Security UK News Digg This!     StumbleUpon     Del.icio.us

Antispam vendors, browser makers and Internet service providers have been on the front lines in the battle to contain phishing attacks, but the cybercriminals behind phishing campaigns are getting savvy at defeating technologies and tricking victims into giving up their credentials and other data.

Phishing has evolved since it was first detected about five or six years ago when poorly worded email messages attempted to dupe the least Internet savvy users into clicking a link to a phishing website. The technique was easily detectable in the early days, but in 2009, phishers have taken the method to a whole new level.

Automated toolkits enable even the least technically savvy phisher to buy and maintain hundreds and even thousands of phishing domains designed to look like legitimate websites. While the primary means of phishing still relies on spam messages, phishers are turning to social networks, such as Twitter, Facebook and others to spread malicious links. Social engineering techniques have gotten better, making phishing messages more difficult for end users to distinguish. Even legitimate websites -- if they contain a vulnerability --are at risk of hosting malicious code resulting in a man-in-the-middle attack designed to steal the credentials of visitors.

"Whether it is phishing or malware, the one thing we cannot do is blame the victims," said Mary Landesman, senior security researcher at Web security services vendor ScanSafe Inc. "The world has changed in terms of security risks and I don't think by and large that people's perceptions have."

Despite all the technologies designed by security vendors to root out phishing attacks and malware; despite multiple raids by the FBI to shut down phishing rings and despite the FTC's action earlier this year to shut down a rogue ISP known for hosting phishing domains, security experts say more needs to be done to educate end users and help registrars and ISPs identify and shut down phishing websites.

"If can imagine the volume of websites registered on daily basis it's difficult for them to get a handle over it," said Dermot Harnett, the principal analyst for antispam engineering at Symantec. "Phishing toolkits have resulted in less complexity and it's relatively cheap if someone wants to start up with hundreds and even thousands of domains."

According to statistics collected by Symantec, 25% of phishing URLs in September were generated using phishing toolkits. The number was even greater in August when a popular phishing toolkit was used by a number of cybercriminals.

Phishers are turning to typo squatting, registering websites one or two letters off of a popular legitimate website, with the hopes that a person types the wrong key, landing on the phishing Web page. Making tracking and shutting down of phishing domains even more difficult is the use of free Web hosting services, which require little to almost no information to register and maintain, Harnett said. According to Symantec, more than 110 Web hosting services were used in September, which accounted for 11% of phishing attacks.

Technology is helping reduce the threat, said Dave Jevans, founder and chairman of the Anti-Phishing Working Group (APWG), Antiphishing measures such as extended validation EV SSL certificates have been implemented as features embedded in browsers to help people determine if a website is legitimate. Two-factor authentication deployed at many financial institutions as part of account login procedures have helped reduce the threat, Jevans said.

Jevans said the actions of the FBI and Egyptian authorities to shut down more than 100 people involved in an international phishing ring could have a deterring affect, but measuring its success will be difficult, he said. Instead, Jevans and others are working with the Internet Corporation for Assigned Names and Numbers (ICANN) to develop a way registrars can remove domains responsible for phishing and drive-by malware attacks.

"We are coming closer to opening up better communication with ISPs and registrars," Jevans said. "It's not something that will be solved overnight or even in the next year or two."

ISPs have recently come on board to design better user education campaigns with the hopes of reaching out to home users with little or no technical expertise, Jevans said. User education can be the easiest and most cost effective way to combat phishing. The simple action of regularly changing your password could help most people avoid showing up on the next list of victims, said ScanSafe's Landesman.

"Even if you have to write your passwords on a sticky note and post it to your computer screen, change your passwords," Landesman said. "You're more likely to get a phishing email or download malware than have someone break in and steal your computer and your sticky note."

Tags: Email and Instant Messaging Security,  Web Application Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Email and Instant Messaging Security Websense integrated security system aims to simplify security management Preventing phishing attacks: Enterprise best practices Chinese hacker attacks target Google Gmail accounts, top tech firms PDF attack code complicates security analysis, skirts detection Understand role-based access control in Microsoft Exchange 2010 Yahoo login credentials at risk to hijacking attack Top spammer gets four years in jail for stock fraud scheme M86 buys Web security gateway vendor Finjan Web-based attacks skyrocket, pirating sites surge, security firms say Pushdo botnet uses Facebook to spread malicious email attachment Web Application Security Social networking risks, benefits for enterprises weighed by RSA panel How to prevent Adobe hacks from affecting your organisation Securing Web applications with Web application firewalls CISOs take measured steps to reduce social media risks Google to pay for Chrome browser vulnerabilities Facebook, McAfee partner to fix social network security issues PDF attack code complicates security analysis, skirts detection Annual security reports offer some hope Firefox, Opera, Safari browsers top list of high risk software Active PDF attacks target Reader, Acrobat zero-day vulnerability

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary