The news will come as no surprise to those in the financial services sector: today's threat landscape is increasingly dominated by attacks and malicious code used to commit cybercrime. This threat landscape is coming to be dominated by emerging threats such as bot networks, customizable modular malicious code, and phishing. Moreover, the very motivation for attacks has undergone a dramatic change.
"Attackers used to be motivated by fame and notoriety, but today's attackers are more covert, forcing organizations to deal with the added challenge of detecting stealthy attacks designed to quietly steal critical information," says Brian Foster, senior director of product management for Symantec Endpoint Security.
This article examines recent phishing activity, and recommends steps that financial institutions and their end users can take to protect themselves against phishing threats.
Phishing, generally defined as an attempt by a third party to solicit confidential information from an individual, group, or organization for financial gain, continues to be a menace. The number of phishing attempts blocked by Symantec Brightmail AntiSpam filters in the last six months of 2005 indicates a continuation of the increasing phishing activity noted in previous reporting periods. In the last half of 2005, Symantec blocked 1.5 billion phishing attempts, a 44% increase over the 1.04 billion phishing attempts detected in the first six months of 2005. This was also a whopping 175% increase over the 546 million blocked phishing attempts detected in the last six months of 2004.
Symantec believes that the increase in blocked messages is indicative of a continued growth in phishing activity. Phishing most likely continues to increase for three reasons: it is relatively easy to perform, it is often effective, and it can be profitable.
In this same time period, Symantec determined that one in every 119 emails was a phishing attempt, up from one in 125 in the first half of 2005. Symantec detected an average of 7.9 million phishing attempts per day, an increase of 39% over the first half of 2005.
Recent statistics released by the Anti-Phishing Working Group (APWG), an industry association, paint a similarly bleak picture. The total number of unique phishing reports submitted to the APWG in January 2006 was 17,877 – the most reports ever submitted. In addition, the APWG said it detected 9,715 unique phishing Web sites in January; that compares with 4,630 unique sites detected as recently as November 2005.
Symantec recommends that financial institutions protect themselves against phishing threats by filtering email at the server level through the mail transfer agent (MTA). Although this will likely remain the primary point of filtering for phishing, organizations can also use IP-based filtering upstream, as well as HTTP filtering. DNS block lists also offer protection against potential phishing emails. Symantec also recommends that organizations use domain-level or email authentication in order to verify the actual origin of an email message. This can protect against phishers who are "spoofing" mail domains.
The latest edition of the Symantec Internet Security Threat Report also offers this advice:
"Organizations can . . . employ Web server log monitoring to track if and when complete downloads of their Web sites are occurring. Such activity may indicate that someone is using the legitimate Web site to create an illegitimate Web site that could be used for phishing. Organizations can detect phishing attacks that use spoofing by monitoring non-deliverable email addresses or bounced email returned to non-existent users. They should also monitor the purchasing of cousin domain names by other entities to identify purchases that could be used to spoof their corporate domains. This can be done with the help of companies that specialize in domain monitoring; some registrars even provide this service."
And here is what Corillian, a Symantec partner, recently proposed to a prospect in an RFP:
"The best-practices approach to deal with phishing is a defense-in-depth strategy. Corillian understands the layers in this strategy from two points of view: first, from the point of view of the online resource (i.e., how the Web site interacts with its users); second, to detect sites from the point of view of the user (i.e., how the user interacts with the Internet), Corillian suggests domain name registration monitoring, DNS server monitoring, or email filtering (such as Symantec Online Fraud Management). These points provide specific monitoring and response requirements. After the detection of offending sites, the response is takedown and ongoing monitoring.
To detect sites from the point of view of how the resource presents itself to the world, Corillian monitors all traffic requesting access to the resource for malicious or suspicious activity.
Attacks are detected in their earliest possible stage by applying forensic techniques to preemptively detect patterns of suspicious or malicious behavior by site visitors. The Corillian Fraud Detection System (CFDS) provides faster, more consistent, and more comprehensive response than manual Web log review. This enables early detection of suspect behavior related to phishing, fraud, identity theft, money laundering, and cyber attacks. CFDS does not affect Web server performance. The reporting of this tool enhances Internet monitoring and takedown by focusing attention on those who have already begun a phishing attack. CFDS can detect successful and failed cyber attacks, page and server errors, visitor client profiles (operating systems and client software by type), suspicious behavioral patterns (multi-location, multi-ISP, multi-user agent, multi-logon per session), search terms, email referrers, suspicious URLs (unresolved, foreign, domestic), sanctioned country visits, non-cooperating country visits, suspect IP visits, and IP visit summary with full geolocation data (city, country, ISP, organization)."
Given today's increased levels of phishing activity, financial institutions need to be unstinting in their efforts to educate end users about best security practices. That includes recommending antivirus software, antispam software, firewalls, toolbar blockers, and other software detection methods. End users should also be advised never to disclose any confidential personal or financial information unless they can confirm that the request is legitimate.
The Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center, also offers these guidelines:
- Be suspicious of any unsolicited email requesting personal information.
- Avoid filling out forms in email messages that ask for personal information.
- Always compare the link in the email to the link that you are actually directed to.
- Log on to the official Web site, instead of "linking" to it from an unsolicited email.
- Contact the actual business that supposedly sent the email to verify if the email is genuine.
According to the Phish Report Network, phishing is "the fastest-growing segment of spam being sent worldwide today, victimizing both legitimate online companies whose brands are being hijacked and consumers who are unwittingly providing their personal information to criminals." (The Phish Report Network is an industry initiative seeking to slow the spread of phishing attacks by reporting deceptive Web sites to a central database.) Industry experts agree that the escalating phishing problem, if not abated, will continue to result in significant financial losses.
With phishing threats continuing to move across a broad spectrum of the financial services sector, organizations must take a proactive approach to mitigating online fraud and reducing exposure to risks. Financial institutions that implement such an approach will be better positioned to protect their brand and reputation, preserve customer trust in online transactions, reduce fraud and customer support costs, and aid the prosecution of offenders.
Disclaimer: The information contained in this web site is made available for informational purposes only and is not legal advice. The information is provided only as general information which may or may not reflect the most current legal developments. This information is not intended to constitute legal advice or to substitute for obtaining legal advice from an attorney licensed in your state.