Most people will have heard of the scam in which a fake e-mail posing as a bank or credit card provider is sent to a user's e-mail account. The number of phishing e-mails (as this particular scam is known) continues to rise at a shocking rate, with new copycat Web sites being launched as soon as one is closed down. So much so that phishing now represents the biggest form of online identity theft.
How a phishing attack strikes
In its basic form, phishing works by persuading users to give away confidential information -- such as their credit card details or online banking passwords -- on replica bank or credit card provider Web sites.
Since phishing first emerged, these bogus Web sites have become increasingly sophisticated in the way they mimic the original versions. They are also growing at a rapid rate: according to the Anti-Phishing Working Group, there were 20,109 unique phishing reports received in May 2006, an increase of three thousand attacks on April and the highest figure ever recorded.
Phishing has become a global phenomenon, with international gangs launching attacks in multiple countries. As a result, law enforcement authorities have begun to take phishing threats seriously, and investigations are under way.
According to an article in The New York Times, phishing has a relatively high success rate, with between 5 per cent and 20 per cent of e-mails resulting in a victim entering their private details into a bogus Web site.
It is unsurprising, then, that phishing has left many victims in its wake. For example, in India last year, employees of a Chennai-based company were arrested for illegally accessing business-critical information and selling it to competitors.
Sophisticated phishing attacks can really hurt you!
However, as Internet users have become more vigilant, phishing scams have had to evolve into more sophisticated security attacks. Earlier versions of phishing e-mails required the recipient to visit what appeared to be their bank or credit card provider's Web site and manually input their passwords.
Now, a new breed of phishing e-mails simply requires the recipient to click on an embedded link in the e-mail. In the past, some phishing e-mails were poorly put together and clearly recognisable as fraudulent. By contrast, today's scams are more sophisticated and might relate to a plausible, but fictitious, credit card order.
However, one click on the link activates the downloading of a Trojan worm to the user's computer. This piece of malware then monitors the user's surfing activity and when they enter their bank URL, for example, transports them to a bogus Web site, giving criminals easy access to any confidential passwords and log-in details.
To make matters worse, this is all conducted invisibly, without users ever realising they have been victims of phishing, until they check their financial statements and receive an unpleasant surprise.
This new form of phishing is more likely to be successful as well, since there is no way a user can stop the keylogger application from downloading once they have clicked on the embedded link. It is also a lot easier to access a user's details via this method than by hacking into a bank account and could, potentially, be more lucrative.
The last couple of years have witnessed a global shift towards profiting from current events. Donation scams for natural disasters are prime examples: Web sites purport to collect donations for tsunami or Hurricane Katrina victims, but the money goes straight into the pockets of cyber-criminals.
During the last month, we witnessed two malicious incidents that have combined the use of telecommunications and the Web.
Unlike the older generation of phishing scams, new phishing attacks have the potential to affect far more people than the original recipient. An employee working at home on a company laptop who receives a phishing e-mail, for example, might click on a link, and the resulting infection could then spread to other computers when the laptop is reconnected to the network.
If many employees are accessing their bank details online, this offers potentially massive spending power for hackers. It also could compromise a company's own finances and confidential information.
A real security threat for businesses today
Seen in this light, phishing is a real security threat for businesses today. Traditional hacking tools pose less of a risk since firewall technology is more advanced now and can prevent attacks from extending past the perimeter of a company's IT infrastructure.
Some phishing attacks also combine phishing and a computer virus in one, launching a nasty dual assault on businesses.
Unfortunately, even guaranteeing that your organisation is up-to-date with the latest security patches is not enough to prevent an attack.
Anti-spam software also fails to offer a guaranteed method of protection, since the words and phrases used in the fake Web address often appear to belong to a normal bank and might slip through the filter.
In addition, such software places an extra burden on the shoulders of the administrative team, since they need to undertake the cumbersome tasks of checking every URL entering the firewall and creating a database of those that contain harmful malware applications or viruses.
Ultimately, these applications put the onus on employees to realise a security breach has happened and let the network administrator know that the rest of the network needs to be isolated from the infected system.
A multilayered approach to corporate network security
As attacks become more sophisticated, point security products are not enough on their own to fortify every corner of an organisation's defences. Today's solution lies in a multi-layered approach to IT security. This has the dual benefits of preventing employees from accessing counterfeit Web sites via phishing attacks and, failing this, of protecting the corporate network from becoming infected by another machine.
As well as having a security application at the Internet gateway level, researching the URLs entering the company's firewall and keeping the URL database current with security updates, an organisation needs to ensure that, should the worst-case scenario occur and an infected laptop reconnect to the network, it has in place a security application offering 'Zero Day' protection.
This blocks unknown security threats by allowing only approved applications to run on corporate PCs and servers. In the worst case, it prevents the malware from running, providing a vital window of opportunity for network administrators to send out security updates to other PCs and servers.
With 'Zero Day' protection available from companies providing Web security solutions, organisations no longer have to rely on their employees' vigilance in keeping up to date with new forms of phishing attack, and can therefore take no chances in securing their corporate network.
How to be safe: Websense's tips
- Avoid unknown Web sites and be suspicious of e-mail messages from any company asking for personal or financial information such as user names and passwords, credit card numbers, and other sensitive personal information.
- Never follow a link in an e-mail if you suspect the message might not be genuine. Instead, go directly to the valid company's site then log on from there or call the company directly.
- If you want to reach your online bank, always type its URL into your browser yourself.
- Ensure that any Web site visited is secure when submitting sensitive information such as credit card numbers. Look for the padlock icon in the browser's toolbar, which signifies a secure site.
- Do not open attachments in e-mails unless you are absolutely sure you're waiting to receive that particular file.
- Ensure that your browser is up to date and that security patches are always promptly applied. For IE (Internet Explorer) browsers, a special patch relating to certain phishing schemes can be downloaded securely from microsoft.com. You can even consider an alternative browser such as Firefox or Opera, as IE has often been a favourite hacker target.
- Keep your PC operating system up to date and update your anti-virus software frequently.
- Use a personal firewall.
- You can use one of the many available anti-phishing toolbars, which can alert you when you encounter a known phishing site.
- You can also get software to detect and remove spyware.
- Do not use the same password for all of your online accounts.
- Do not store online account information and passwords in files held on your computer.
- Knowledge is still extremely important in protection, especially as it has become so difficult to know whether an e-mail is valid or not. It is important to educate oneself about Internet fraud, and there are several Web sites dedicated to giving free education on the subject. The Anti-Phishing Working Group provides information and reports on the latest phishing attacks, and Websense Security Labs sends out security alerts as and when attacks occur.
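The filter-evasion point made above (a fake Web address dressed up in a bank's name) and the advice never to follow an e-mail link can both be turned into a simple mail-gateway check: compare what a link's visible text claims with where its href actually points. This is an added example, not code from the article or from Websense; the HTML message and the brand domain `examplebank.com` are constructed placeholders.

```python
# Added example: flag e-mail links whose visible text names a trusted bank
# domain while the underlying href points somewhere else. Sample message
# and the 'examplebank.com' brand are constructed for this illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased hostname of a URL or bare domain such as 'Bank.com/x'."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def suspicious_links(html, trusted_domains):
    """Links whose text mentions a trusted domain but whose href host is
    neither that domain nor one of its subdomains."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        href_host = host_of(href)
        for domain in trusted_domains:
            on_brand = href_host == domain or href_host.endswith("." + domain)
            if domain in text.lower() and not on_brand:
                flagged.append((text, href_host))
    return flagged


# Constructed phishing-style message: the first link's text is the real bank
# URL, but its href host merely *starts with* the bank's name.
SAMPLE = ('<p>Please confirm your card order at '
          '<a href="http://examplebank.com.verify-login.example/">'
          'https://www.examplebank.com/secure</a> or visit '
          '<a href="https://www.examplebank.com/">examplebank.com</a>.</p>')
```

Running `suspicious_links(SAMPLE, ["examplebank.com"])` reports only the first link; the second, whose href really is on the bank's domain, passes.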