Sample article about securing against phishing (converted from .PDF) written by David Geer (Scroll for text).

Home page, writing samples index, full contact and other information at http://www.geercom.com.

High quality layout with complete text of this article in original PDF here ( FREE Adobe Reader required. ).

Page 1
18
Computer
T E C H N O L O G Y N E W S
Published by the IEEE Computer Society
N
ecessity is the mother of
invention. In the computer
industry, that usually means
that when a problem arises,
somebody figures out how to
solve it and make money in the process.
One of the latest computer-related
problems to arise is phishing, in which
e-mails lure unsuspecting victims into
giving up user names, passwords, Social
Security numbers, and account infor-
mation after linking to counterfeit bank,
credit card, and e-commerce Web sites.
Organized crime frequently uses
phishing, noted Ken Dunham, director
of malicious-code intelligence for
iDefense, an online-security company.
In addition, he said, there is a black
market for stolen credit card and Social
Security numbers.
“All fraudsters operate according to
three elements: How hard is it to per-
petrate? What is the risk of getting
caught? What is the reward? It is really
easy to do phishing, there is a very
small chance of getting caught, and
the reward is very high,” explained
Naftali Bennett, CEO of Cyota, which
provides online security for financial
institutions.
For the 12 months ending April
2004, said analyst Avivah Litan with
Gartner Inc., a market research firm,
“there were 1.8 million phishing attack
victims, and the fraud incurred by
phishing victims totaled $1.2 billion.”
Additional institutional costs, such
as installing antiphishing technology
and educating users, totaled about
$100 million, according to George
Tubin, senior analyst with the Delivery
Channels Research Service at the
TowerGroup, a financial-services re-
search and consulting firm. Tubin pre-
dicted that phishing-related fraud
could double this year.
The Anti-Phishing Working Group
(www.antiphishing.org)—a global
consortium of businesses, technology
firms, and law enforcement organiza-
tions—reports that the number of
phishing-related e-mails is growing
rapidly, increasing 28 percent from
July 2004 through March 2005.
So far, phishers have hit only a small
percentage of financial institutions—
150 of 9,000 in the US—but the num-
ber is rising and attackers are targeting
other industries, such as e-commerce,
said APWG secretary general Peter
Cassidy. Nonetheless, major phishing
incidents have already eroded con-
sumer confidence in online banking,
noted Dunham.
Banks and many other affected orga-
nizations are fighting phishing via pub-
lic education. Some companies are
using litigation. For example, Micro-
soft recently filed 117 lawsuits against
people who allegedly used the com-
pany’s trademarked images to create
phishing sites.
However, the focus for numerous
companies is on antiphishing technol-
ogy.
ANTIPHISHING GROWING PAINS
Like phishing itself, antiphishing
technology is new, with many compa-
nies starting to offer services only a year
ago. Most of the companies focus on
only one or two antiphishing tech-
niques. Fighting phishing frequently
requires more complex approaches,
though.
With this in mind, Corillian, Internet
Identity, NameProtect, PassMark
Security, and Symantec recently
formed the Anti-Fraud Alliance to
offer a comprehensive set of strategies.
The antiphishing market hasn’t been
around long enough yet to coalesce
around a few approaches. “Thus,
many companies have delayed adopt-
ing antiphishing measures until the
market matures or they decide that fur-
ther investments in traditional fraud
control measures are more cost-effec-
tive,” said Chuck Wade, a principal
with the Interisle Consulting Group, a
network-technology consultancy.
Regulators want to encourage poten-
tial victims to use antiphishing systems.
For example, the US Federal Deposit
Insurance Corp. (FDIC), which insures
bank deposits and investigates compli-
ance with banking regulations, has rec-
ommended that financial institutions
use such technologies.
In addition, the Financial Services
Technology Consortium (www.fstc.
org)—a group of North American
financial institutions, technology ven-
dors, independent research organiza-
tions, and government agencies—
recently completed a six-month survey
Security
Technologies
Go Phishing
David Geer
Page 2
June 2005
19
tion. However, said the TowerGroup’s
Tubin, few banks have required such
measures out of concern that the addi-
tional effort could cause customers to
avoid Internet banking.
Catching phishers during their prepa-
ration. Phishers spend considerable
time visiting targeted sites, or they use
automated tools to download copies
of Web pages. This lets them more
accurately counterfeit a business’s site.
Corillian, which also develops Web
sites for financial institutions, monitors
and evaluates suspicious traffic on
customers’ sites on weekends, when
most phishers conduct reconnaissance.
Corillian recognizes the signs of an
impending phishing attack by under-
standing hackers’ tools and techniques,
explained Jim Maloney, Corillian’s
chief security executive.
of antiphishing approaches. The group
has recommended technical and oper-
ating requirements for financial insti-
tutions’ antiphishing measures.
FIGHTING PHISHING
Several antiphishing approaches are
becoming popular. One key to many
of these approaches is having Internet
service providers (ISPs) close phishing
Web sites. However, this can be time-
consuming and expensive. And it can
be useless to even try closing sites in
countries that lack or don’t enforce
antihacking laws.
Meanwhile, companies whose Web
sites are targeted by phishers must bat-
tle public perception that they can’t
protect their customers.
Retaliatory services. Several anti-
phishing companies offer retaliatory
services.
“Some security companies
respond by sending phishing sites so
much fake financial information that the
sites can’t accept information from
would-be victims,” explained
Mark
Goines, chief marketing officer of ven-
dor PassMark Security
.
Most phishing sites run off of Web
servers installed on hijacked home
computers and can’t handle much traf-
fic. However, retaliatory services gen-
erally don’t shut down phishing sites
by overwhelming them with traffic, as
occurs in a denial-of-service attack.
They just send the sites as much traffic
as they can handle and dilute their
database with largely false informa-
tion, a process known as poisoning.
Two-factor authentication. Banks
can blunt phishing attacks by requir-
ing online customers to use two-fac-
tor authentication, said Goines. One
factor is a user ID and password, and
the other is an authenticating image
and phrase that the participant prese-
lects with a bank or online vendor.
As Figure 1 shows, an e-mail that a
bank or online business sends to a con-
sumer contains something the phisher
couldn’t have, such as the unique image
and phrase that the user chose when set-
ting up the account, explained Goines.
This proves to the user that the e-mail
came from the bank or business, not a
phisher, and that it is safe to use the pro-
vided link.
Businesses can implement the sys-
tem inside either their Web site’s or
PassMark’s data center. If implemented
on PassMark’s data center, the appli-
cation provides additional protection
by asking participants, before they link
to a Web site from an e-mail note, for
their user IDs for the site and by iden-
tifying their computer’s IP address. The
system verifies that both are correct.
The application then presents cus-
tomers with their preselected image
and phrase along with a request for
their logon password. After receiving
the correct password, the system lets
the customer access the Web site.
The FDIC recommends that US
banks adopt two-factor authentica-
Clicking the link
takes you to the
phisher’s Web
site, which looks
like your bank’s.
To:
From:
Subject:
yourname@yourdomain.com
The Bank
Our Lowest Rates Yet!
1.9% Interest Free Until Paid!
Click Here Now!
To:
From:
Subject:
yourname@yourdomain.com
The Bank
Our Lowest Rates Yet!
1.9% Interest Free Until Paid!
Click Here Now!
C
Ommunity
B
ank
Access My Accounts
Enroll
Learn More
Log In
Username:
Notice - Learn more about fraudulent
emails and how to protect yourself.
Password:
DaveDave
*******
I left my heart
Only you and your banker know your
PassMark; if you see your PassMark,
you’re safe.
The PassMark system also “fingerprints”
the PCs you use and makes them a
second factor of protection from fraud
without additional hardware or
software. Your bank knows it’s you.
C
Ommunity
B
ank
Access My Accounts
Enroll
Learn More
Log In
Username:
Notice - Learn more about fraudulent
emails and how to protect yourself.
DaveDave
*******
I left my heart
Password:
PassMark:
Your bank sends you an e-mail,
that you know is authentic
because it contains an image
and phrase that you chose.
Your login information is
captured by the phisher.
You are then automatically
redirected to your bank’s
official site so you have no
idea that your security has
been compromised.
With complete access to
your account, phishers
can do whatever they
want with your money.
The phisher sends you an
e-mail that looks like it’s
from your bank.
Applications
Operating
software
Hardware
ISP
Network
Phisher
Phisher
Source: PassMark Security
Your bank’s login
screen contains
the same content
that you chose so
you know it’s
authentic.
Figure 1. PassMark Security offers a two-factor authentication system to fight phishing.
Page 3
20
Computer
related information with the US Secret
Service and FBI, said Robert Caldwell,
the company’s director of business
development.
Monitoring chat rooms and domain-
name registries. MarkMonitor’s Brand
Protection and Fraud Protection ser-
vices track online chat rooms and
Internet-address registries for infor-
mation on possible phishing sites.
Every day, the company tracks name
registrations and name changes, said
MarkMonitor CEO Mark Shull.
The company also has an Identity
Tracker service that searches millions
of Internet address records in its whois
and reverse whois directories to iden-
tify the creators or owners of counter-
feit sites, Shull noted.
MarkMonitor uses its findings to try
to convince domain-name registrars to
transfer ownership of domains that
include a company’s name and that are
used for phishing to the victimized
businesses.
Antiphishing browsers. In the near
future, Netscape plans to release a
Web browser designed to resist phish-
ing. Netscape is negotiating with secu-
rity companies to supply the Netscape
8 beta with frequently updated black-
lists of suspected phishing Web sites.
“The browser also uses a whitelist of
[trusted] sites,” explained Netscape
spokesperson Andrew Weinstein.
When a user follows an e-mail link
and visits a trusted site, the browser
automatically renders it. “The browser
will block user access to known phish-
ing sites,” Weinstein noted. When a
user visits a site not on a whitelist or
blacklist, the browser renders it with
enhanced security that disables
ActiveX and JavaScript capabilities,
which phishers could use to exploit
vulnerabilities.
“The Corillian Fraud Detection
System (CFDS) analyzes Web logs to
look for patterns of possible phishing-
related behavior,” he explained. “We
have a set of rules for analyzing logs
and producing suspicious-activity
reports.”
For example, to look more authen-
tic, many phishing sites link to images
on a targeted business’s site, present-
ing them along with bogus information
the hackers provide on their counter-
feit site. The CFDS can check entries in
a bank or other business’s Web logs
and identify phishers who are down-
loading and saving images, which is
unusual behavior for a legitimate
transaction.
The CFDS then identifies counterfeit
sites using customers’ images without
authorization. At that point, Maloney
said, “Corillian can notify the account
holder and law enforcement.”
Phishers frequently verify stolen
information before selling it. When
CFDS identifies a single Internet address
trying to access many of a business’s
online accounts, which is what would
occur during the verification process, it
notifies the company that the accounts
may have been compromised.
Registering deceptive domain names.
NameProtect watches for phishers by
monitoring spam from many sources
,
including e-mail accounts set up to bait
spammers and spam feeds from ISPs. The
product also c
hecks domain-name reg-
istration records and searches the
Internet for counterfeit bank sites under
construction, as located by its Web
crawlers.
If the company’s ActiveIP tool finds
a Web site that includes all or part of a
customer’s trademarked name, an ana-
lyst reviews it to determine if illegal
activity is taking place, explained
James Blystone, NameProtect’s senior
director of marketing.
“We work with the client, the ISP,
and the registrar to immediately close
phishing sites. We can take sites down
as quickly as an hour or two but typi-
cally within 24 hours,” noted Blystone.
NameProtect shares phishing-
Deepnet Explorer 1.4, a browser
shell that uses Internet Explorer to ren-
der Web pages, analyzes Web addresses
and warns users about those on a
blacklist of suspect sites. Users can then
choose to either stop or continue try-
ing to access a site.
“Our blacklist comes from sites col-
lected internally, reported by our users,
and aggregated from our affiliate com-
panies,” noted Deepnet marketing
manager Anneli Ritari.
Tracking. Cyota monitors various
accounts set up specifically to be
tracked if phishers attack them. This
enables companies to observe the
phishing and fraud process and learn
ways to fight back. Cyota tracks
account activities outside a bank’s net-
work, such as on the Internet, while
banks track them within their own
systems.
FUTURE THREATS
Phishers are improving techniques for
making counterfeit Web sites look more
realistic and for convincing visitors to
enter personal information on them.
In addition, phishing attacks are
becoming more sophisticated. For
example, phishers are increasingly
using instant messaging instead of e-
mail, according to the APWG’s
Cassidy. In one type of attack, phish-
ers send IM users a message with a link
to a fake Web site.
Cross-site scripting
“Online criminals are increasingly
using cross-site scripting (XSS) flaws to
inject their own code into legitimate
Web pages and fool unsuspecting con-
sumers into falling for phishing scams,”
said Paul Mutton, a developer with
Netcraft, an Internet services company.
“Cross-site scripting vulnerabilities
in Web server applications cause some
pages to process JavaScript code incor-
rectly. This lets hackers push their own
JavaScript programs, such as fake
password login systems, onto legiti-
mate Web pages,” Mutton explained.
“The majority of phishing Web sites
are only semi-believable, and users are
T e c h n o l o g y N e w s
It appears that
phishing will be a war
of attacks and
counterattacks.
Page 4
starting to see through them,” he said.
“But with cross-site scripting, people
are more likely to fall for the scam.”
XSS can also take advantage of the
session cookies frequently used when
customers log onto banking or e-com-
merce sites. A script injected onto a site
could access a cookie and send it to the
phisher, who could then replicate it and
log onto a victim’s account.
“Companies will see more XSS
threats unless they review server appli-
cations and eliminate the flaw that
enables the attacks,” Mutton predicted.
Malicious code
The recent Crowt.D worm demon-
strated how a virus author could write
code that alters an operating system’s
hosts file, which contains mappings of
IP addresses to host names, and redi-
rect visitors to another site, noted
Jaime Lyndon Yaneza, senior antivirus
consultant with the Global Anti-Virus
Research Group at Internet-security
vendor Trend Micro. Attackers could
use this technique to redirect users to
a phishing site, according to Yaneza.
Attacking companies,
not customers
Rather than targeting a victim’s per-
sonal information, some phishing
schemes attack individuals to gain
access to valuable information in a
company’s database.
Phishers send an e-mail, purportedly
from a company, to the firm’s cus-
tomers promising new application fea-
tures if they link to and log into the
business’s Web site and enter their
account name and password. However,
the site they link to is counterfeit.
Attackers use the account name and
password to enter the company’s real
site and hack their way to network
drives and other network resources,
administrative logon information,
additional online accounts, and sensi-
tive data such as credit card and e-com-
merce logon data, according to
iDefense’s Dunham.
Dunham said phishers use similar
schemes to target a company’s employ-
ees and steal corporate intranet logon
information. This would let attackers
enter a company’s internal network,
steal confidential material, and cause
other problems.
A
ccording to the Tower Group’s
Tubin, antiphishing products,
adopted primarily by larger
nationwide or international banks,
appear to be effective because phishers
recently have started hitting smaller,
regional financial institutions that are
less likely to use the technology.
Despite the technology’s early suc-
cess, MarkMonitor’s Shull stated,
potential victims must remain vigilant.
“The Internet benefits everyone,” he
explained. “It enables enterprises to
reach new customers, and it enables
criminals to do the same.”
As for the future, the APWG’s
Cassidy said phishing will be a war of
escalation, attacks, and counterattacks.
Concluded Bennett, “Phishing is
evolving, so solutions need to evolve,
too.” I
David Geer is a freelance technology
journalist based in Ashtabula, Ohio. Con-
tact him at david@geercom.com.
June 2005
21
Editor: Lee Garber, Computer,
l.garber@computer.org
Investing in Students
www.computer.org/students/
Student members active inIEEE Computer Society chapters
are eligible for the Richard E. Merwin Student Scholarship.
Up to ten $4,000 scholarships are available.
Application deadline: 31 May
SCHOLARSHIP
MONEY FOR
STUDENT
LEADERS