Phishing — a tactic in which fraudulent email directs users to a malicious Web site that masquerades as a site belonging to a legitimate company, such as a credit card firm or bank, while stealing users’ personal data — is unquestionably on the rise. A recent Gartner report noted that in the past year, approximately 57 million adults received a phishing e-mail. Worse, 11 million of those recipients clicked on the links in that e-mail.
With organized crime getting involved and sophisticated software tools in use to carry out malicious tactics, phishing is easier than ever and is threatening consumer confidence.
Fortunately, as strategies employed by phishing attackers are becoming more sophisticated, so are the tools used to block them. With government agencies as well as software developers working to put an end to the practice, is there a chance the Internet could become a “no phishing” zone?
Need for Tools
Avivah Litan, the Gartner analyst who wrote the recent report on phishing, told the E-Commerce Times that the research firm’s estimate that there are millions of phishing victims confirms the industry’s worst fears.
“Phishing has been with us for five or six years,” she said. “However, the crooks are succeeding at a much higher rate than ever before.”
Making matters worse, the tactic is not like spam, which can be an annoyance or security risk but usually no more than that. By contrast, phishing is online fraud at its worst, deceiving Internet users who have come to rely on e-banking and e-commerce. As Litan put it, “Consumer distrust in Internet security is a reasonable reaction to this.”
Fixes to the problem are the responsibility of everyone involved, she added. Banks, credit card companies, service providers and other companies touched by phishing will have to focus much more attention on the issue in the future.
One potential solution to at least part of the phishing problem is touted by vendors that design their products to filter out fraudulent e-mail messages. For example, Litan noted that Brightmail and other anti-spam vendors are seeking ways to nab phishers.
And Dean Richardson, vice president of technology at MessageGate, said his company built its anti-spam product, MessageGate Perimeter Protection, while keeping phishing in mind.
“We have a belt-and-suspenders approach,” he explained in an interview with the E-Commerce Times. “You need multiple levels of technology to handle attacks like this.” MessageGate Perimeter Protection looks at each e-mail message as it arrives and compares several components of the message, such as its delivery mechanism and header. If it claims to be from Citibank but has been routed through a server in Romania, it is quarantined.
The application also examines the content of e-mail messages and scans URLs in those messages to see if they match up with the correct server.
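As an added illustration (not MessageGate's code, which the article does not show), here is a Python sketch of the two checks just described: whether the earliest relay hop belongs to the claimed sender's infrastructure, and whether each link's target matches the server its visible text implies. The relay allowlist, host names and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Hypothetical allowlist of hosts that may originate mail for a sender domain.
TRUSTED_ORIGINS = {"bank.example": ("bank.example",)}
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.I)
def sample(origin, href):
    """Constructed two-hop message (not real traffic); origin relay and link vary."""
    return ("Received: from mx.isp.example ([198.51.100.2]) by inbox.example\n"
            f"Received: from {origin} by mx.isp.example\n"
            "From: Bank Alerts <alerts@bank.example>\nContent-Type: text/html\n\n"
            f'<p>Please <a href="{href}">www.bank.example/login</a> today.</p>\n')
PHISH = sample("smtp.relay.example ([203.0.113.7])", "http://203.0.113.7/login")
CLEAN = sample("mail.bank.example ([192.0.2.9])", "https://www.bank.example/login")
def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def sender_domain(msg):
    """Domain the message claims to come from (From: header)."""
    return msg["from"].addresses[0].domain.lower()

def origin_host(msg):
    """Earliest hop: relays prepend Received:, so the last header is closest to the sender."""
    hops = msg.get_all("received", [])
    m = re.match(r"from\s+([\w.-]+)", hops[-1].strip(), re.I) if hops else None
    return m.group(1).lower() if m else None

def routing_mismatch(msg):
    """True when mail claiming a known sender did not originate from that sender's hosts."""
    host, allowed = origin_host(msg), TRUSTED_ORIGINS.get(sender_domain(msg))
    if host is None or allowed is None:
        return False  # no trace or unknown sender: this check cannot decide
    return not any(in_domain(host, d) for d in allowed)

def suspicious_links(msg):
    """Links outside the claimed sender's domain, or whose visible text names another host."""
    claimed, body = sender_domain(msg), msg.get_body(preferencelist=("html", "plain"))
    bad = []
    for href, label in HREF_RE.findall(body.get_content() if body else ""):
        target, shown = (urlparse(href).hostname or "").lower(), HOST_RE.match(label.strip())
        if not in_domain(target, claimed) or (shown and not in_domain(target, shown.group(1).lower())):
            bad.append(href)
    return bad

def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return {"routing_mismatch": routing_mismatch(msg), "bad_links": suspicious_links(msg)}
```

Either finding would be grounds for quarantine; a production filter would replace the static allowlist with published sender records and keep the link check as a second layer.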
Similarly, MailFrontier has developed a new version of its product, Matador, that includes an anti-fraud module. It puts suspicious e-mail in quarantine and reports back to the company.
Although the application was only launched in February, it already has caught what product manager Doreen Pooler described as “gads of fraudulent e-mail.” She said phishing is only the tip of the iceberg when it comes to blended threats that are just over the horizon.
“The attackers are targeting everyone, from the home user to the IT administrator,” she warned, “and they’re doing it in a wide variety of ways.”
Over the long term, Litan noted, the only way to stop phishing permanently is to establish stronger authentication on the Internet. However, major infrastructure change could be slow to gather steam.
Until the Internet itself is strengthened, Litan said she is looking to solutions like Microsoft’s Caller ID for the Internet to boost authentication. Designed as a way to lessen spam, this technology could be used to reduce fraud as well.
Better standards at financial institutions also would deter phishers, she said, noting that financial firms could utilize biometric security in the future. As an immediate solution, layered authentication levels could help.
For example, Litan said, a bank or credit card company could ask questions that only the user would know, changing those questions on a frequent basis. This sort of authentication process might take longer for users but would provide extra protection from identity thieves.
Refining the Process
Clearly, creating anti-phishing tools requires as much dedication as trying to stay ahead of spammers. Whenever a tactic begins to work, attackers find a new way to evade detection.
“Some phishers change their sites hourly,” MessageGate’s Richardson said. “Most of what they do is based on vulnerabilities in software, and they use different tricks to mislead the user.”
Even more frighteningly for home users and IT administrators, some attacks can turn a computer into a phishing host. These infected machines, called “zombies,” can be used to launch attacks or collect personal information about computer users.
If more software vulnerabilities are patched, Richardson has high hopes that such threats can be reduced. “I expect that the attacks will slow down once the easy exploits are fixed,” he said.
Fortunately, vendors do not have to work independently to fight the phishing threat. The Anti-Phishing Working Group has brought together 380 members comprising security vendors, government departments and others to focus on the problem.
Richardson noted that MessageGate is a member of the working group. Like other vendors in the organization, it reports all phishing finds. “We catch attempts all the time,” he said, “and it makes sense to share what we find, because then everyone can benefit.”
With stronger products and a community focused on the problem, Working Group chairman Dave Jevans said he sees a ray of hope in what may seem like a dark situation.
“The industry has woken up to it, and that’s important,” he noted in an interview with the E-Commerce Times. “The more people … realize how big this problem is, the closer we can get to stopping it.”