By Denise J. Deveau TechNewsWorld
07/07/08 6:00 AM PT
As phishers get more sophisticated and target larger numbers of Internet users, those who work to thwart them also are honing their skills. It's turning into a cat-and-mouse game, with the stakes growing higher and the challenge for security experts getting tougher every day.
It's been on the radar of USA Credit Union's IT department for three years. They all knew about it. They were watching it every day. They had also heard rumblings that more and more of their industry counterparts had fallen victim to the attackers, Daniel Schneider, the credit union's senior manager of IT, told TechNewsWorld.
Phishing was definitely moving downstream.
Bringing in the Phisher Kings
Once a problem that was squarely targeted at the big banks of the world, phishing has slowly but surely been making its way down the food chain to seek out more vulnerable targets such as community banks and credit unions. By way of explanation, phishing is the process of luring unsuspecting consumers to a fake Web site by using authentic-looking e-mail messages for fraudulent purposes.
For the Auburn Hills, Mich.-based bank, last year was the time to take the job of policing and protection to the next level -- before it became the next in the line of fire.
Rather than handling the effort in-house, it decided to contract anti-phishing services to track and monitor suspect e-mails, crawl the Web for untoward activities, and if needed, move in to perform the takedown with SWAT team-like efficiency.
"When something was brought to our attention, we used to do our own research and analysis and notified authorities," said Schneider. "But that's not our business, so my take on it was to find someone who had the resources to handle it."
As phishing activities mutate into highly resistant plagues attacking financial institutions of all shapes and sizes, buying into the techno-power and smarts of a specialist is rapidly becoming a must-have security accessory for IT managers. It's definitely not a job for the faint of heart. The infrastructure needed to handle the job is huge, the monitoring capabilities extensive, and the policing and follow-up activities more complicated than negotiating an international trade deal.
A Complicated Business
"Phishing used to be easy to handle," said Kevin Joy, Vice President of BrandProtect in Toronto, Canada, a provider of brand monitoring and anti-phishing services. "Attackers would use free Web page services to set up sites that would look like a legitimate bank. These were pretty easy to identify and stop, since all a business had to do was contact the ISP to shut it down," he told TechNewsWorld.
Today's phishers are so sophisticated, they can mimic legitimate sites much more effectively, cloak fake URLs (uniform resource locators), and launch multiple rounds of attacks from different domains. All of this makes the detecting, responding and shutting down of the attacks a nightmare for those whose 9 to 5 job is keeping a business' IT systems up and running.
Hence the push to find outside help. According to a September 2007 Gartner (NYSE: IT) report titled, "Evaluating Brand Monitoring and Anti-Phishing Services," while market share for these services is relatively small to date, "early-detection capabilities will become increasingly useful to enterprises during the next two years, as online threats escalate."
It advises that when evaluating brand-monitoring and anti-phishing services, organizations should look into four functional areas:
Search and detection capabilities -- the ability to proactively find an attack or threat depends on the breadth of the service's search capability (including multiple languages).
Domain monitoring -- the ability to monitor millions of DNS (Domain Name System) servers to detect changes in delegation information.
Analytics -- analysis and prioritization of the threat potential of data/content using near real-time behavior analysis.
Incident response -- phishing site takedown services, including working with ISPs around the world and forensic services to track information and data flows.
E-mail remains the primary delivery mechanism for phishers to launch their attacks, James Brooks, director of product management for anti-phishing specialists Cyveillance in Arlington, Va., told TechNewsWorld. Tracking them can be handled in different ways, including the practice of setting up "honeypot accounts" to attract phishing e-mails.
Monitoring activities also extend to Web site assets. "There are certain attributes about a site that is copied in ways that can be used to identify where the site is used and for what purpose," explained Brooks. Another mechanism in its repertoire is round-the-clock "crawling" through various links throughout the Internet to ferret out any untoward activities.
Domain registration tracking alone is a huge task, according to Frederick Felman, chief marketing officer for MarkMonitor, a San Francisco-based brand protection firm. "There are 134 million domain registration record changes or additions every day. One of our hardest jobs is actually maintaining that data. It takes one of the most complex computing systems around," he told TechNewsWorld.
Filtering is an equally massive task. As many as 60 million e-mails may be reduced to 16 million unique potential attacks, Felman reports. These then have to be boiled down to find the actual attacks -- a job that involves a lot of human inspection and verification in addition to massive computing power.
After all that, there is the labor-intensive job of shutting down the offenders. Dedicated teams are responsible for reaching out and contacting an entity hosting an actual attack. That's not as simple as it sounds when one considers the geographical, time and language barriers involved. To start with, multilingual capabilities are a must in this process. A solid reputation in the business is another. "It could be 2 a.m. in Korea and the hosting agency has never heard of you," says Brooks.
Chasing Bigger Phish
A particularly challenging phenomenon that is bringing lots of business to anti-phishing service providers is the rapidly growing practice of rock phishing. Since these highly sophisticated attacks work through multiple ISPs, they can proliferate at a far faster rate than the norm; carry on for extended periods of time; and are extremely difficult to root out at their source.
"It's a lot different than just working with ISPs (to take down single sites)," said Brooks. "If you try to take down each site one-by-one in a rock phish attack, the numbers would be mind-numbing. You have to go to the registrar to find out everyone who is accessing it. Get to that one source and you can neutralize all the other attacks."
As Schneider pointed out, in the escalating war on phishing, getting the know-how on board counts for a lot. "The biggest problem about doing this in house is the sheer manpower needed to handle incoming reports on suspected attacks. Then there's the job of researching it, attacking it and contacting authorities. For us, it was just getting to be too big a job to handle in-house. Our job is to protect our reputation and our members, and you need the right resources to do that."
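The triage behind the rock phish discussion above, sketched as an added example that is not code from the article or from any vendor it quotes: URLs pulled from reported e-mails are grouped by registered domain, and a domain fronting several distinct hostnames is routed to a registrar-level takedown instead of host-by-host requests. The function names, the three-hostname threshold, the short suffix set and the sample reports are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List, enough for this sample.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.kr"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample reports (reserved .example names and a TEST-NET address).
SAMPLE_REPORTS = [
    "Your account is locked: http://creditunion.signin.rk7.example/verify",
    "Verify now http://bank.secure.rk7.example/login?id=1",
    "Alert: http://cu-online.rk7.example/a and http://cu-online.rk7.example/b",
    "Update details at http://members.freehost.example/~user/cu/",
    "Confirm at http://192.0.2.10/cu/login.php",
]

def registered_domain(host):
    """Return the name a registrar controls; bare IP addresses come back unchanged."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def cluster_reports(messages, min_hosts=3):
    """Split reported hosts into registrar-level and host-level takedown queues."""
    hosts_by_domain = defaultdict(set)
    for body in messages:
        for url in URL_RE.findall(body):
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed URL in a report: skip it
                continue
            if host:
                host = host.lower().rstrip(".")
                hosts_by_domain[registered_domain(host)].add(host)
    registrar_level, host_level = {}, {}
    for domain, hosts in hosts_by_domain.items():
        # Heuristic (assumption): many hostnames under one domain means one source.
        bucket = registrar_level if len(hosts) >= min_hosts else host_level
        bucket[domain] = sorted(hosts)
    return registrar_level, host_level
```

Repeated URLs on the same hostname collapse into one entry, so the counts reflect distinct hosts, not message volume.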