Just how big of a problem is the
new breed of email attack known as “phishing”? A number
of recent reports suggest that small businesses would be well advised
to raise their levels of defense.
According to researcher Gartner Inc., the number of these online
scams has spiked in the last year, leading more and more individuals
to divulge sensitive information to criminals. In a study conducted
in April, 2004 (“Phishing Attack Victims Likely Targets for
Identity Thefts”), Gartner surveyed 5,000 adult Internet users
and found that around 3 percent of those surveyed reported giving
up personal financial or personal information after being drawn
into a phishing scam, which typically uses email messages and Web
pages designed to look like correspondence from legitimate online
businesses. A success rate of 3 percent is more than enough to encourage
further attacks, Gartner noted.
The survey results suggest that as many as 30 million adults have
experienced a phishing attack and that 1.78 million adults may have
fallen victim to the scams.
For its part, the Anti-Phishing Working Group, a volunteer consortium
that monitors online scams, reported last month that it tracked
402 unique phishing scams in March, an increase of 43 percent from
February.
Attacks are getting more sophisticated
Now it appears that scammers are pushing phishing to a new level.
Rather than relying on victims’ gullibility, scammers are
taking their cues from virus writers to exploit software vulnerabilities
and plant Trojans on targeted computers.
Earlier this month, the technology newspaper eWEEK reported that
an email message began circulating recently with the purpose of
installing a Trojan known as Sepuc. The email has no subject line
and no text in the body of the message. When the user opens the
message, code hidden in the email attempts to exploit a known vulnerability
in Microsoft’s Internet Explorer browser to force a download
from a remote machine.
This file then downloads several other pieces of code and eventually
installs a Trojan capable of gathering data from the PC and sending
it to a remote machine, experts say.
“The most worrisome aspect of this attack,” eWEEK concluded,
“is that, unlike previous scams, victims would likely have
no idea that they had done anything wrong.”
Also causing concern is a scam that exploits an Internet Explorer
flaw in order to install a keystroke logger on compromised PCs to
steal user names and passwords.
Fortunately, such developments have not gone unnoticed by law enforcement
officials. Indeed, the FBI has characterized phishing as “the
hottest, and most troubling, new scam on the Internet.”
Fighting back
What can companies do to prevent being duped by these increasingly
sophisticated attacks? For starters, security experts say companies
should continually “sweep the Internet” to look for
fake Web sites, adding that it's often just a matter of doing extensive
Web searches.
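As an added illustration, not part of the original article, the following Python script shows one systematic way to triage what such an Internet sweep turns up. A constructed list of domain names stands in for Web-search or domain-registration results, and each name is compared with the company's own domain (a hypothetical examplebank.test) so that only plausible impersonations are passed to a person for review and, where warranted, a takedown request.

```python
"""Lookalike-domain screening for a company's own brand.

Added example, not code from the article. A constructed list of domain names
stands in for the results of Web searches or a domain-registration feed, and
each name is scored against the company's own domain (the hypothetical
examplebank.test) so that only plausible impersonations reach a human.
"""

# Character sequences that pass for other characters in many fonts. Used only
# to fold candidate names back to plain letters before comparison.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                 ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(label):
    """Fold common look-alike sequences back to the letters they imitate."""
    label = label.lower()
    for lookalike, letter in SUBSTITUTIONS:
        label = label.replace(lookalike, letter)
    return label


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label: 'login.examplebank-secure.test' -> 'examplebank-secure'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(candidate, brand_domain="examplebank.test"):
    """Label a candidate domain by how it resembles the brand domain."""
    brand_domain = brand_domain.lower()
    candidate = candidate.lower().strip(".")
    if candidate == brand_domain or candidate.endswith("." + brand_domain):
        return "own"                      # the company's own host names
    brand = registrable_label(brand_domain)
    label = registrable_label(candidate)
    folded = normalize(label)
    if folded == brand:
        # Same label once look-alike characters are folded: either a
        # character-substitution imitation or the brand under another TLD.
        return "homoglyph" if label != brand else "same-label-other-tld"
    if brand in folded:
        return "brand-with-affix"         # e.g. examplebank-secure
    if edit_distance(folded, brand) <= 2:
        return "typo"                     # e.g. exampelbank
    return "unrelated"


def sweep(candidates, brand_domain="examplebank.test"):
    """Keep only the names that deserve human review, with the reason."""
    results = []
    for domain in candidates:
        verdict = classify(domain, brand_domain)
        if verdict not in ("own", "unrelated"):
            results.append((domain, verdict))
    return results


# Constructed input: what a sweep might have returned for the hypothetical brand.
SAMPLE_SWEEP = [
    "examplebank.test", "login.examplebank.test",     # genuine
    "examplebank.com", "examp1ebank.test", "exarnplebank.test",
    "examplebank-secure.test", "exampelbank.test", "weather.test",
]

if __name__ == "__main__":
    for domain, verdict in sweep(SAMPLE_SWEEP):
        print(f"{domain:28} {verdict}")
```

The thresholds (two edits, the short substitution list) are deliberately loose: the goal of a sweep is to produce a short list for a person to inspect, so a few false positives cost far less than a missed fake site.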
A number of companies that have been stung by phishing scams are
taking the opportunity to improve their communications with customers.
Some have posted messages on their Web sites outlining how they
customarily communicate with customers. The sites also discuss ways
real company representatives contact customers to check on account
status.
The Anti-Phishing Working Group, meanwhile, is urging financial
institutions, payment processors, and e-commerce vendors to adopt
what it calls “three classes of preventative technology solutions:”
- Strongly authenticate any users visiting a business Web
site using two-factor authentication. This approach would require
all users of legitimate e-commerce and e-banking sites to strongly
authenticate themselves to the site using a physical token such
as a smart card.
- Use enhanced DNS capabilities to verify the IP address
of a sender’s email server. For this method to be effective,
all ISPs, Web email providers, and corporations must publish their
mail server authentication information, as well as install mail
server authentication software as part of their email filters.
- Use S/MIME digital signatures to sign outbound mail and
provide signature verification at the gateway or email client. This
way, if an email arrives in a user’s inbox and is not signed,
or whose signature cannot be verified, the user would know that
it is not genuine.
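The second of these classes, verifying a sending mail server's IP address through DNS, is the one most easily shown in code. The Python evaluator below is an added example, not code from the article or from the Anti-Phishing Working Group; it implements a subset of SPF (RFC 7208), the widely deployed form of this idea, in which a domain publishes in a DNS TXT record the hosts allowed to send its mail. The domains and records are constructed and served from an in-memory table so the script runs offline; a real mail gateway would issue live DNS queries at the same points.

```python
"""SPF-style verification of a sending mail server's IP address.

Added example, not code from the article. Handles the ip4, a, mx, include and
all mechanisms with the +, -, ~ and ? qualifiers, evaluated against a
constructed in-memory DNS table (hypothetical domains, not real records).
"""
import ipaddress

FAKE_DNS = {
    "examplebank.test": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 mx include:_spf.mailer.test -all"],
        "MX": ["mail.examplebank.test"],
    },
    "mail.examplebank.test": {"A": ["203.0.113.25"]},
    "_spf.mailer.test": {"TXT": ["v=spf1 ip4:192.0.2.0/28 ~all"]},
    "nospf.test": {"A": ["203.0.113.99"]},   # publishes no policy at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(dns, name, rtype):
    """Stand-in for a DNS query; returns a list of record values (maybe empty)."""
    return dns.get(name.lower(), {}).get(rtype, [])


def spf_result(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate domain's SPF record for a connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                    # guard against include: loops
        return "permerror"
    records = [r for r in lookup(dns, domain, "TXT")
               if r.lower().startswith("v=spf1")]
    if not records:
        return "none"                 # the domain publishes no policy
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in lookup(dns, arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(dns, host, "A")
                          for host in lookup(dns, arg or domain, "MX"))
        elif mech == "include":
            # include: matches only when the referenced policy yields pass
            matched = spf_result(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"        # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                  # no mechanism matched, no all term


def check_sender(sending_ip, mail_from, dns=FAKE_DNS):
    """Apply the check to an SMTP envelope sender; returns (domain, result)."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return domain, spf_result(sending_ip, domain, dns)


if __name__ == "__main__":
    # Constructed connections a gateway might see claiming to be examplebank.test.
    for ip, sender in [("198.51.100.7", "alerts@examplebank.test"),
                       ("192.0.2.3", "alerts@examplebank.test"),
                       ("203.0.113.50", "alerts@examplebank.test"),
                       ("203.0.113.99", "promo@nospf.test")]:
        print(ip, sender, "->", check_sender(ip, sender)[1])
```

The article's caveat applies directly: the connection from 203.0.113.50 is rejected only because examplebank.test publishes a record ending in -all, while nospf.test yields "none", which tells the gateway nothing. Until senders publish their records, a filter can act only on the domains that do.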
Conclusion
Phishing, as you can see, is showing disturbing signs of evolving,
with attacks becoming savvier and attackers beginning to share code
and techniques with virus writers and so-called crackers. The consequences
could be severe. Gartner believes that the double-digit expansion
of U.S. e-commerce will slow down unless service providers adequately
address consumer security concerns in the form of strong authentication.
For small businesses, now is the time to educate their users on
how to spot a phishing attack. Bottom line: email requests for passwords,
credit card numbers, and other private data are never legitimate.