[BreachExchange] Phishing: The basics

[Audrey McNeil]

http://www.csoonline.com/article/2117843/phishing/identity-theft-prevention-
phishing-the-basics.html

Phishing is a method of trying to gather personal information using
deceptive e-mails and websites. Typically, a phisher sends an e-mail
disguised as a legitimate business request. For example, the phisher may
pass himself off as a real bank asking its customers to verify financial
data. (So phishing is a form of "social engineering".) The e-mail is often
forged so that it appears to come from a real e-mail address used for
legitimate company business, and it usually includes a link to a website
that looks exactly like the bank's website. However, the site is bogus, and
when the victim types in passwords or other sensitive information, that
data is captured by the phisher. The information may be used to commit
various forms of fraud and identity theft, ranging from compromising a
single existing bank account to setting up multiple new ones.

Early phishing attempts were crude, with telltale misspellings and poor
grammar. Since then, however, phishing e-mails have become remarkably
sophisticated. Phishers may pull language straight from official company
correspondence and take pains to avoid typos. The fake sites may be
near-replicas of the sites phishers are spoofing, containing the company's
logo and other images and fake status bars that give the site the
appearance of security. Phishers may register plausible-looking domains
like aolaccountupdate.com, mycitibank.net or paypa1.com (using the number 1
instead of the letter L). They may even direct their victims to a
well-known company's actual website and then collect their personal data
through a faux pop-up window.

Can phishing attacks be prevented?

Companies can reduce the odds of being targeted, and they can reduce the
damage that phishers can do (more details on how below). But they can't
really prevent it. One reason phishing e-mails are so convincing is that
most of them have forged "from" lines, so that the message looks like it's
from the spoofed company. There's no way for an organization to keep
someone from spoofing a "from" line and making it seem as if an e-mail came
from the organization.

A technology known as sender authentication does hold some promise for
limiting phishing attacks, though. The idea is that if e-mail gateways
could verify that messages purporting to be from, say, Citibank did in fact
originate from a legitimate Citibank server, messages from spoofed
addresses could be automatically tagged as fraudulent and thus weeded out.
(Before delivering a message, an ISP would compare the IP address of the
server sending the message to a list of valid addresses for the sending
domain, much the same way an ISP looks up the IP address of a domain to
send a message. It would be sort of an Internet version of caller ID and
call blocking.)

Although the concept is straightforward, implementation has been slow
because the major Internet players have different ideas about how to tackle
the problem. It may be years before different groups iron out the details
and implement a standard. Even then, there's no way of guaranteeing that
phishers won't find ways around the system (just as some fraudsters can
fake the numbers that appear in caller IDs). That's why, in the meantime,
so many organizations—and a growing marketplace of service providers—have
taken matters into their own hands.

How can companies reduce the chance of being targeted by a phishing attack?

In part, the answer has to do with NOT doing silly or thoughtless things
that can increase your vulnerability. Now that phishing has become a fact
of life, companies need to be careful about how they use e-mail to
communicate with customers. For example, in May 2004, Wachovia's phones
started ringing off the hook after the bank sent customers an e-mail
instructing them to update their online banking user names and passwords by
clicking on a link. Although the e-mail was legitimate (the bank had to
migrate customers to a new system following a merger), a quarter of the
recipients questioned it.

As Wachovia learned, companies need to clearly think through their customer
communication protocols. Best practices include giving all e-mails and
webpages a consistent look and feel, greeting customers by first and last
name in e-mails, and never asking for personal or account data through
e-mail. If any time-sensitive personal information is sent through e-mail,
it has to be encrypted. Marketers may wring their hands at the prospect of
not sending customers links that would take them directly to targeted
offers, but instructing customers to bookmark key pages or linking to
special offers from the homepage is a lot more secure. That way, companies
are training their customers not to be duped.

It also makes sense to revisit what customers are allowed to do on your
website. They should not be able to open a new account, sign up for a
credit card or change their address online with just a password. At a
minimum, companies should acknowledge every online transaction through
e-mail and one other method of the customer's choosing (such as calling the
phone number on record) so that customers are aware of all online activity
on their accounts. And to make it more difficult for phishers to copy
online data-capture forms, organizations should avoid putting them on the
website for all to see. Instead, organizations should require a secured
log-in to access e-commerce forms.

At the end of the day, though, better authentication is the best way to
decrease the likelihood that phishers will target your organization.

What plans should my company have in place before a phishing incident
occurs?

Before your organization becomes a target, establish a cross-functional
anti-phishing team and develop a response plan so that you're ready to deal
with any attack. Ideally, the team should include representatives from IT,
internal audit, communications, PR, marketing, the web group, customer
service and legal services.

This team will have to answer some hard questions, such as:

* Where should the public send suspicious e-mails involving your brand? Set
up a dedicated e-mail account, such as fraud at domainname.com, and monitor it
closely.

* What should call center staff do if they hear a report of a phishing
attack? Make sure that employees are trained to recognize the signs of a
phishing attack and know what to tell and ask a customer who may have
fallen for a scam.

* How and when will your organization notify customers that an attack has
occurred? You might opt to post news of new phishing e-mails targeting your
company on your website, reiterating that they are not from you and that
you didn't and won't ask for such information.

* Who will take down a phishing site? Larger companies often keep this
activity in-house; smaller companies may want to outsource.

If you keep the shut-down service in-house, a good response plan should
outline whom to contact at the various ISPs to get a phisher site shut down
as quickly as possible. Also, identifying law enforcement contacts at the
FBI and the Secret Service ahead of time will improve your chances of
bringing the perpetrator to justice.
If a vendor is used, decide what the vendor can do on your behalf. You may
want to authorize representatives to send e-mails and make phone calls, but
have your legal department handle any correspondence involving legal action.

* When will the company take action against a phishing site, such as
feeding it inaccurate information or exploiting vulnerabilities in its
coding? Talk out the many pros and cons beforehand.

* How far will you go to protect customers? Decide how much information
about identity theft you'll give to customers who fall for a scam, and how
this information will be delivered. You should also talk through scenarios
in which you will monitor or close and re-open affected accounts.

* Are you inadvertently training your customers to fall for phishing scams?
Educate the sales and marketing teams about characteristics of phishing
e-mails. Then, make sure legitimate e-mails don't set off any alarms.

How can we quickly find out if a phishing attack has been launched using
our company's name?

Sometimes a new phish announces itself violently, as an organization's
e-mail servers get pummeled with phishing e-mails that are bouncing back to
their apparent originator. There are other ways to learn about an attack,
though—either before or after it occurs.

a) Monitor for fraudulent domain name registrations.

Phishers often set up the fake sites several days before sending out
phishing e-mails. One way to stop them from swindling your customers is to
find and shut down these phishing sites before phishers launch their e-mail
campaigns. You can outsource the search to a fraud alert service. These
services use technologies that scour the Web looking for unauthorized uses
of your logo or newly registered domains that contain your company's name,
either of which might be an indication of an impending phishing attack.
This will give your company time to counteract the strike.

b) Set up a central inbox. To do this, organizations typically set up one
e-mail address where all suspected phishing e-mails are directed, with an
address such as fraud at domainname.com or phish at domainname.com. Ideally, this
central inbox should be monitored 24/7.

The easiest and most effective way to find out if your organization is
being targeted by phishers is simply by giving the general public a way to
report phishing attacks. "It's your customers and noncustomers who are
going to be the ones that tell you that the phish is out there," said one
security manager interviewed for a case study published in

c) Watch your Web traffic. Internet Storm Center recommends that by
examining web traffic logs and looking for spikes in referrals from
specific, heretofore unknown IP addresses, CSOs may be able to zero in on
sites used for large-scale phishing attacks.

After gathering victims' information, many phishing sites then redirect the
victim to a log-in page on the real website the phisher is spoofing.

How can we help our customers avoid falling for phishing?

People who know about phishing stand a better chance of resisting the bait.
"The best defense is that a consumer has heard of phishing and is unlikely
to respond," says Patricia Poss, an attorney with the Bureau of Consumer
Protection at the Federal Trade Commission. People must be trained to think
twice about replying to any e-mail or pop-up that requests personal
information.

Teach employees how to recognize spoofed e-mail. Similarly, warn your
customers about the dangers of phishing, and let them know you'll never ask
for their account number, password, Social Security number or any other
personal information via e-mail. Train them to avoid clicking on e-mail
links to reach you and instead to type your company's URL directly into a
new browser window.

However, there's only so much that customer education can do. The onus is
also on the organization to limit the damage by shutting down the phishing
site.

If an attack does happen, how should we respond?

Once a phishing attack occurs, the goal for the organization is to get the
phishing site shut down as quickly as possible. This limits the window of
opportunity in which the phisher can collect personal information. With any
phishing attack, organizations should take three steps (or hire a firm to
take these steps for them).

Step 1) Gather basic information about the attack. This should include
screen shots of the website plus the URL.

Step 2) Contact the ISP (or whoever is hosting the website). Explain the
situation and ask that the site be shut down. Many phishing sites are
launched on hacked computers, so in a best-case scenario, taking down the
site is simply a matter of contacting a website's owners, pointing them to
the URL of the webpage, and asking them to remove the offending content
(and patch their web servers).

Step 3) Contact law enforcement. Although this is an important step, be
warned that it isn't necessarily the most effective way to get the site
shut down quickly. The FBI and Secret Service are more concerned with
patterns and big busts than individual ones, and until a customer has
fallen for a scam and suffered damages, there may have been no law broken.
Nevertheless, agents may be able to intervene on your behalf—and who knows,
your case may be part of the bigger picture investigation needed to shut
down a given fraudster. (This has happened. In May 2005, a 20-year-old
Texas man was sentenced to almost four years in prison for phishing.)

By establishing a relationship with law enforcement, you'll come to
understand when agents want information about what kinds of attacks. For
instance, the bank in the aforementioned CSOcase study gets a compact disc
from its vendor with information about each phish, and a copy of that CD is
then passed on to the FBI, which looks for patterns or anomalies in the
attacks.

Does all this sound like too much for your company? Then pay someone else
to do it for you. The marketplace is brimming right now with companies that
will do the dirty work.

Responders at a good service provider will have expertise in working their
way up the network stream seeking someone who can and will shut down the
site. They try to work with the ISP or Web hosting company, and then if
necessary contact the domain name registrar that's directing the URL to a
given IP address. They'll send e-mails and faxes; they'll make phone calls.
If necessary, they'll send notices threatening legal action. Often, when
the site is hosted outside the United States, they'll seek help from local
groups of first responders organized by CERT/CC at Carnegie Mellon. The end
result? The phishing website might be up for hours instead of days.

How might phishing attacks evolve in the near future?

At the same time, phishers have also grown more sophisticated in their use
of e-mail address lists. A phishing e-mail targeting a regional credit
union, for example, may be sent only to customers who use ISPs located in
that same area. The latest and perhaps ultimate personalization? A
technique known as "spear phishing," in which e-mails are customized for
particular users, for example executives at certain kinds of companies.

Meanwhile, as customers become more savvy about the risks of divulging
personal information, fraudsters are looking for ways to gather information
without the victims' knowledge. This is often done with a method known as
pharming. Like phishing, pharming aims to collect personal information from
unsuspecting victims. The difference is that pharming doesn't rely on
e-mail solicitation to ensnare its victims. Instead, this attack method
essentially tinkers with the road maps that computers use to navigate the
Web, such that large numbers of users can wind up giving personal data to a
bogus site even if they've typed in a legitimate URL.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170712/0d5b525e/attachment.html>