Bigger Phishers to Fry, Part 1: Calling the Pros
Jul 7, 2008 6:00 AM PT
It's been on the radar of USA Credit Union's IT department for three years. They all knew about it. They were watching it every day. They had also heard rumblings that more and more of their industry counterparts had fallen victim to the attackers, Daniel Schneider, the credit union's senior manager of IT, told TechNewsWorld.
Phishing was definitely moving downstream.
Bringing in the Phisher Kings
Once a problem that was squarely targeted at the big banks of the world, phishing has slowly but surely been making its way down the food chain to seek out more vulnerable targets such as community banks and credit unions. By way of explanation, phishing is the process of luring unsuspecting consumers to a fake Web site by using authentic looking e-mail messages for fraudulent purposes.
For the Auburn Hills, Mich.-based bank, last year was the time to take the job of policing and protection to the next level -- before it became the next in the line of fire.
Rather than handling the effort in-house, it decided to contract anti-phishing services to track and monitor suspect e-mails, crawl the Web for untoward activities, and if needed, move in to perform the takedown with SWAT team-like efficiency.
"When something was brought to our attention, we used to do our own research and analysis and notified authorities," said Schneider. "But that's not our business, so my take on it was to find someone who had the resources to handle it."
As phishing activities mutate into highly resistant plagues attacking financial institutions of all shapes and sizes, buying into the techno-power and smarts of a specialist is rapidly becoming a must-have security accessory for IT managers. It's definitely not a job for the faint of heart. The infrastructure needed to handle the job is huge, the monitoring capabilities extensive, and the policing and follow-up activities more complicated than negotiating an international trade deal.
A Complicated Business
"Phishing used to be easy to handle," said Kevin Joy, Vice President of BrandProtect in Toronto, Canada, a provider of brand monitoring and anti-phishing services. "Attackers would use free Web page services to set up sites that would look like a legitimate bank. These were pretty easy to identify and stop, since all a business had to do was contact the ISP to shut it down," he told TechNewsWorld.
Today's phishers are so sophisticated, they can mimic legitimate sites much more effectively, cloak fake URLs (uniform resource locators), and launch multiple rounds of attacks from different domains. All of this makes the detecting, responding and shutting down of the attacks a nightmare for those whose 9 to 5 job is keeping a business' IT systems up and running.
Hence the push to find outside help. According to a September 2007 Gartner report titled, "Evaluating Brand Monitoring and Anti-Phishing Services," while market share for these services is relatively small to date, "early-detection capabilities will become increasingly useful to enterprises during the next two years, as online threats escalate."
It advises that when evaluating brand-monitoring and anti-phishing services, organizations should look into four functional areas:
- Search and detection capabilities -- the ability to proactively find an attack or threat depends on the breadth of the service's search capability (including multiple languages).
- Domain monitoring -- the ability to monitor millions of DNS (Domain Name System) servers to detect changes in delegation information.
- Analytics -- analysis and prioritization of the threat potential of data/content using near real-time behavior analysis.
- Incident response -- phishing site takedown services, including working with ISPs around the world and forensic services to track information and data flows
E-mail remains the primary delivery mechanism for phishers to launch their attacks, James Brooks, director of product management for anti-phishing specialists Cyveillance in Arlington, Va., told TechNewsWorld. Tracking them can be handled in different ways, including the practice of setting up "honeypot accounts" to attract phishing e-mails.
Monitoring activities also extend to Web site assets. "There are certain attributes about a site that is copied in ways that can be used to identify where the site is used and for what purpose," explained Brooks. Another mechanism in its repertoire is round-the-clock "crawling" through various links though out the Internet to ferret out any untoward activities.
Domain registration tracking alone is a huge task, according to Frederick Felman, chief marketing officer for MarkMonitor, a San Francisco-based brand protection firm. "There are 134 million domain registration record changes or additions every day. One of our hardest jobs is actually maintaining that data. It takes one of the most complex computing systems around," he told TechNewsWorld.
Filtering is an equally massive task. As many as 60 million e-mails may be reduced to 16 million unique potential attacks, Feldman reports. These then have to be boiled down to find the actual attacks -- a job that involves a lot of human inspection and verification in addition to massive computing power.
After all that, there is the labor-intensive job of shutting down the offenders. Dedicated teams are responsible reaching out and contacting an entity hosting an actual attack. That's not as simple as it sounds when one considers the geographical, time and language barriers involved. To start with, multilingual capabilities are a must in this process. A solid reputation in the business is another. "It could be 2 a.m. in Korea and the hosting agency has never heard of you," says Brooks.
Chasing Bigger Phish
A particularly challenging phenomenon that is bringing lots of business to anti-phishing service providers is the rapidly growing practice of rock phishing. Since these highly sophisticated attacks work through multiple ISPs, they can proliferate at a far faster rate than the norm; carry on for extended periods of time; and are extremely difficult to root out at their source.
"It's a lot different than just working with ISPs (to take down single sites)," said Brooks. "If you try to take down each site one-by-one in a rock phish attack, the numbers would be mind-numbing. You have to go to the registrar to find out everyone who is accessing it. Get to that one source and you can neutralize all the other attacks."
As Schneider pointed out, in the escalating war on phishing, getting the know-how on board counts for a lot. "The biggest problem about doing this in house is the sheer manpower needed to handle incoming reports on suspected attacks. Then there's the job of researching it, attacking it and contacting authorities. For us, it was just getting to be too big a job to handle in-house. Our job is to protect our reputation and our members, and you need the right resources to do that."