Hot Topic
Phishing
The following information is excerpted from Secure Computing's free educational whitepaper, Phishing: Organized Crime for the 21st Century, which is available for download in PDF format.
Problem Scope
Phishing has become one of today's most significant online security threats. A phishing scam sends a message (usually by e-mail, but increasingly over instant messaging as well) designed to imitate a trusted provider, and supplies a link (the "bait") through which unsuspecting users are invited to "update" their account details. The e-mail itself is often cleverly crafted to look legitimate, bearing the provider's correct logo, colors and a professional presentation. Typically it tells the user that the "provider" (in fact the fraudster) urgently needs to update or verify current information for the user to keep their account. Once limited to computing whiz kids or organized criminals, phishing is now an activity of the masses: how-to kits that let amateurs build a phishing scam are freely available online.
Phishing Motivation
The motivation behind phishing is almost always purely financial, and phishing scammers worldwide are reaping tremendous profits. Even if only a fraction of the recipients reply and supply credit card or social security numbers, the scam is a success. The information the phishers obtain is then sold online in global public forums. The crucial interval is the gap between the moment the information is gathered and offered for sale and the moment the crime is reported and the card numbers or other credentials are invalidated. During this window millions of dollars can be stolen, spent and transferred; that is the phishers' profit. Until the profit model changes and the activity is no longer lucrative, phishing will continue.
The Cycle of Phishing
Most phishing e-mails are sent through zombie networks. Modeled on the "network of workstations" concept of the mid 1990s, zombies are individual compromised machines that together fuel large phishing campaigns. Each zombie is infected with "bot" code that reports to an internet relay chat (IRC) channel for instructions, then accepts e-mail from the phisher and relays it to victims. Phishers rent the use of the zombies, a small price to pay against the profit of the overall scam.
Once a machine is infected it enters the phishing cycle: it first receives instructions from another compromised machine on where to obtain the phishing content, then distributes that content to the victims. The instructions fed to the compromised machines that direct the zombies are supplied by the phishers.
Protecting against Phishing Attacks
Phishing e-mails are designed by scammers to look like legitimate requests from banks and other providers. The scam e-mails are becoming increasingly sophisticated, with many containing true-to-form logos embedded in the e-mail itself, and often a URL that directs the victim to a site used to harvest their information.
Customers want to trust their providers, and enjoy the convenience of online transactions and information provision. The following three components are paramount to protecting users from phishing attacks:
- Prevention: Preventing the e-mail containing the "bait" from reaching users.
- Education: Educating users on identification of phishing scams.
- Penalty and Enforcement: Apprehending and penalizing phishing scam creators.
While each of these components has value on its own, organizations must incorporate all three into a comprehensive messaging security strategy in order to truly protect end users from phishing attacks.
Combating Phishing
Phishing is largely a social engineering problem: messages are sent to users, and users respond to the requests. Users need to be educated not to respond to e-mails (or any other electronic message) that solicit personal information. Unfortunately, education alone cannot solve phishing. The attacks have evolved to the point where they can deceive even the most educated eyes.
Therefore, alongside education, the best way to mitigate the business and crime risk from phishing is to use technology to prevent phishing e-mails from reaching users at all. An effective, comprehensive approach combines education, technology and policy. Many technology approaches are currently in use, including but not limited to:
- White/Black Lists
- Signatures
- Verifying Web Hosts
- Authentication
- Sender-Based Reputation Measurement
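To make three of these approaches concrete (sender white/black lists, content signatures, and web-host verification), here is an added example of a small rule-based filter run over a constructed message. It is example code written for this page, not Secure Computing's product code. The domains (examplebank.com, examp1ebank-secure.net), the signature phrases and both sample messages are invented for the example; the "registrable domain" helper is a deliberate approximation.

```python
"""Added example: a rule-based phishing filter over a constructed e-mail.

Applies three of the technology approaches listed on the page:
  - sender allow/deny lists on the From: domain,
  - content signatures (urgent "verify your account" bait wording),
  - web-host verification: does the host the victim sees in the link text
    match the host the href really points to?
All lists, domains and messages below are constructed for the example.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Hypothetical operator-maintained lists (constructed for this example).
BLOCKED_SENDER_DOMAINS = {"examp1ebank-secure.net"}
ALLOWED_SENDER_DOMAINS = {"examplebank.com"}

# Content signatures: phrases typical of "urgently verify your account" bait.
SIGNATURES = [
    re.compile(r"verify your (?:account|information)", re.I),
    re.compile(r"within \d+ hours", re.I),
    re.compile(r"account (?:will be|has been) (?:suspended|closed)", re.I),
]

ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def sender_domain(msg):
    """Domain part of the From: address, lowercased ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def registrable(host):
    """Crude approximation: last two DNS labels (fine for the .com/.net samples)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mismatched_links(html):
    """(visible text, real host) for links whose shown host differs from the href host."""
    bad = []
    for href, inner in ANCHOR_RE.findall(html):
        real = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        m = HOST_IN_TEXT_RE.search(shown)
        if m and real and registrable(m.group(1)) != registrable(real):
            bad.append((shown, real))
    return bad


def signature_hits(text):
    """Patterns from SIGNATURES that occur in the text."""
    return [p.pattern for p in SIGNATURES if p.search(text)]


def classify(raw):
    """Return (verdict, reasons) for an RFC 822 message given as a string."""
    msg = message_from_string(raw)
    dom = sender_domain(msg)
    if dom in BLOCKED_SENDER_DOMAINS:
        return "block", [f"sender domain {dom} is on the block list"]
    payload = msg.get_payload(decode=True) or b""   # single-part bodies only
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    reasons = [f"visible link text '{s}' but href host is {r}"
               for s, r in mismatched_links(body)]
    reasons += [f"signature matched: {p}" for p in signature_hits(body)]
    # An allow-listed From: is only a hint: From: is trivially forged unless the
    # message also passed sender authentication, which this example does not do.
    if dom in ALLOWED_SENDER_DOMAINS and not reasons:
        return "allow", [f"sender domain {dom} on allow list, no content indicators"]
    if any("href host" in r for r in reasons):
        return "block", reasons        # a deceptive link is a strong indicator alone
    if reasons:
        return "suspicious", reasons   # bait wording only: quarantine or warn the user
    return "allow", reasons


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: "Example Bank Security" <alerts@examplebank.com>
To: victim@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended unless you verify your information within 24 hours.</p>
<p>Click <a href="http://login.examp1ebank-secure.net/update">https://www.examplebank.com/secure</a></p>
</body></html>
"""

SAMPLE_LEGIT = """From: "Example Bank" <statements@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is available in online banking:
<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        verdict, why = classify(raw)
        print(name, "->", verdict)
        for r in why:
            print("   ", r)
```

The sample phish spoofs an allow-listed From: address, which is why the allow list alone must not clear a message: without sender authentication (SPF/DKIM-style checks) or sender reputation, neither of which this example implements, the From: header proves nothing, and the content checks still have to run. The link check is the one that catches it: the text the victim reads says examplebank.com, but the href leads to a look-alike host.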