SECURITY

Tackling Phishing

Rebecca Wetzel

It’s a never-ending struggle, but the anti-fraud arsenal continues to grow.

Rebecca Wetzel is an Internet industry analyst, consultant and writer. She is president of Wetzel Consulting LLC, and she is an associate with NetForecast, an Internet technology and market analysis firm, as well as technology consulting firm Interisle Group. She can be reached at [email protected]

“Technology is,” as security expert Chuck Wade of Interisle Group said, “the rising tide that lifts all ships—including pirate ships,” and in this case phishing boats. Phishing is here to stay. This 21st century fraud combines deception (aka social engineering), impersonation, and automation to steal authentication credentials such as passwords and account numbers from individuals over the Internet, and uses this information for ill gain. You’ve doubtless seen emails purporting to be from a credit card company or bank, which actually are ploys to steal account information. Initially these emails were easy to spot because they contained typos and other telltale signs, but now even savvy users can be duped, and fraudsters are expanding beyond email, to pounce via the Web, instant messaging, chat rooms, interactive games and the like, as well as keyboard logging programs that capture passwords entered into legitimate sites. Although fending off phishing is a challenge, countermeasures are available, with more on the way.

The Rising Cost Of Phishing

Phishing costs victims and financial institutions money and time. Victims must correct credit records and repair other phishing-related damage, while financial institutions must absorb customer losses, as well as costs from issuing new credit cards, answering calls and shutting down fraudulent websites.

For financial institutions, of even graver concern than direct costs is the erosion of trust in online communications and transactions. Suspicion of legitimate online interactions between customers and their financial institutions is driving consumers from online banking to more expensive and labor-intensive channels such as telephone call centers or “bricks and mortar” branch offices.

An April 2004 survey of 650 U.S. banking customers by software vendor Cyota shows that phishing is diminishing customers’ trust in online interactions with their banks. In the study, 65 percent of account holders were less likely to use their bank’s online services due to phishing, and 75 percent were less likely to respond to email from their bank because of phishing.

Estimated losses due to phishing vary. Gartner puts total U.S. phishing-related losses during 2003 at some $1.2 billion, whereas a study by the Ponemon Institute estimates total consumer losses as of September 2004 at $500 million per year, and a study by Financial Insights expects 2004 losses to tally as high as $400 million.

Whatever the actual losses, the problem is serious and worsening. Seven out of 10 Internet users surveyed by the Ponemon Institute reported that they had unintentionally visited a spoofed website, and more than 15 percent admitted to providing sensitive private information including credit card numbers, checking account information and social security numbers. Of those, about 2 percent believed they lost money as a result of phishing.

Anatomy Of Phishing

To help dissect the problem of phishing and provide a common language to describe attacks and countermeasures, the Financial Services Technology Consortium (FSTC) recently developed a taxonomy of phishing attacks (Figure 1). This taxonomy helps make sense of the complex nature of the problem by mapping out a common attack life cycle, and a predictable set of activities attackers engage in within each life cycle phase.

It is important to note that phishing does not include credential theft from databases or via non-electronic means, so those activities are not included in the taxonomy, even though they may result in similar patterns of financial fraud.

During the initial planning phase, the attacker decides whom to attack, what to steal, how to steal it, and what ruse to use. During the setup phase, the attacker creates attack mechanisms, and in the attack phase makes contact with prospective victims. This contact aims to lure people into taking actions that allow the attacker to steal credentials during the collection phase. Next, during the fraud phase, the attacker sells, trades or directly uses the stolen credentials for

fraudulent purposes. Following that, in the post-attack phase, attackers deactivate the attack mechanisms, cover their tracks, assess the attack’s “success,” monitor attack responses and apply lessons learned to planning the next attack.

46 BUSINESS COMMUNICATIONS REVIEW / FEB 2005

FIGURE 1 Phishing Attack Taxonomy

Planning: Determine Target Firm; Determine Target Victim; Determine Target Credentials; Determine Ruse; Determine Attack Method; Determine Fraud Objective

Setup: Create Attack Materials; Set Up Destinations; Obtain Contact Info; Set Up Attack Machinery

Attack: Attack via website; Attack via email; Attack via IM; Attack via Phone Auto Dialer; Attack via Chat Room; Attack via Bulletin Board; Attack via Newsgroup; Attack via Malware

Collection: Collect via Web Form; Collect via email Response; Collect via IM Response; Collect via Phone Response; Malware Sends Credentials

Fraud: Phisher Uses Credentials; Credential Trafficking; Credentials Used In Second-Stage Attack; Money Laundering; False Registrations

Post-Attack: Shut Down Attack Machinery; Destroy Evidence; Track Hunters; Assess Effectiveness; Launder Proceeds

Source: Financial Industry Technology Consortium

A sample attack might unfold like this: An attacker sets out to steal credit card information from customers of Bank “Y” by sending email containing the ruse that the customer’s credit card has been compromised and will be cancelled unless he or she acts immediately to correct the situation. Concerned customers click on a link in the email which takes them to a spoofed website, where they enter their credit card number, PIN and other information. The attacker collects and sells this information to a third party, then dismantles the website, destroys evidence, monitors efforts to catch him, assesses the attack’s effectiveness, and applies lessons learned to subsequent attacks.

What Can Be Done About Phishing?

The fact that the phishing attack life cycle consists of many phases, each encompassing a diverse and changeable set of activities, makes phishing a kaleidoscopic problem for which no single solution can suffice. Multiple solutions are called for, and the earlier in the life cycle an attack can be countered, the better the outcome for targeted victims and financial institutions.

It is good news, therefore, that a flurry of entrepreneurial activity is currently focused on developing a broad spectrum of nostrums to apply to the phishing problem early in the attack life cycle. Among the technologies promising some immediate relief are: better mutual authentication; spam filtering; detecting infringed domain names; and alerting consumers when they are being directed to fake websites.

■ Better Mutual Authentication: Because impersonation is a prerequisite to successful phishing attacks, better mutual authentication between a financial institution and its customers is an essential weapon. Effective authentication of a financial institution’s identity helps prevent attackers from successfully impersonating a bank or credit card company in the attack and collection phases, and better customer authentication can keep attackers from successfully impersonating customers in the fraud phase.

Email sender authentication schemes help identify attempts by fraudsters to impersonate a financial institution in phishing emails during the

attack phase. The idea behind authenticated email is to validate the source of the email, so a recipient can be assured that the email is from who it says it is and not a scam artist. Email authentication schemes take a number of forms. Two standards for email sending address authentication are in the works, the Sender Policy Framework (SPF) and the Microsoft-sponsored Caller-ID, but it will be some time before these or their counterparts are implemented.

In the meantime, proprietary solutions exist. For example, Goodmail provides an email stamping service that gives accredited volume senders premium delivery of legitimate mailings. Email stamped messages are allowed to bypass spam filters and are distinctly labeled in a user’s inbox so a recipient can recognize them as from legitimate senders. SafeScrypt, on the other hand, provides tools that encrypt an email message as an attached file, and then the entire mail is digitally signed using a certificate issued by a valid certification authority. Recipients can verify the authenticity of the mail by verifying the signature.

A number of solutions are being applied to the problem of criminals impersonating customers during the fraud phase. In this phase, criminals routinely impersonate the customer of a financial institution to steal from the customer’s account via the Web, or to open a new electronic account using the customer’s identity. Countermeasures to this customer impersonation include physical factor authentication solutions from the likes of RSA, Entrust, ShareCube and Vasco Data Security; digital certificates from such firms as Verisign and GeoTrust; and biometric identification techniques like finger scanning, face geometry, hand/finger geometry, iris recognition, signature verification, voice verification and keystroke dynamics.

BioPassword uses keystroke dynamics to identify users by the way they type. The user types a user name and password. The user name, password, and the user’s typing sample are compared to a sample already on file to authenticate the user.

In a rather unorthodox authentication approach, 41st Parameter performs dozens of verification checks on the customer’s computer operating system (e.g. checks of local time, time zone and IP address) and compares the visitor’s operating system “DNA” profile to a profile on file.

PassMark, Real User, and Bharosa offer authentication schemes using personalized images. These schemes can help customers to authenticate interactions with financial institutions, and can help financial institutions authenticate customers. PassMark users adopt a personal PassMark consisting of a picture and a text phrase. When asked for sensitive information, the user is first shown his or her unique PassMark to validate the communication. Similarly, Real User randomly assigns human faces to serve as a user’s “Passfaces.” The user is presented decoy faces and Passfaces, and authentication succeeds when the user correctly identifies all Passfaces. Bharosa’s users manipulate images in specific ways known only to the user and their financial institution.

■ Spam Filtering: At least for now, email is the most common phishing attack vector, and spam filtering from the likes of Digital Envoy, Envisional, Ironport, McAfee, Postini, Symantec (formerly Brightmail), and Tumbleweed can prevent phishing emails from being delivered. Successful filtering of phishing emails can prevent fraudsters from making contact with target victims in the attack phase.

Most spam-filtering vendors detect phishing emails as a by-product of general spam filtering, but several specifically address phishing emails. Symantec, for example, uses its Brightmail probe network and decoy accounts to attract suspicious email, which Symantec then delivers to researchers who analyze the messages and identify fraud attacks. Symantec then creates and automatically deploys anti-fraud filters to block the phishing emails. Every four minutes, Symantec distributes (to ISPs) updated fraud filters which tag or block phishing emails, and when an email-borne phishing attack is detected, Symantec sends subscribing financial institutions an alert that the attack is under way and provides the attacker’s source IP addresses.

Digital Envoy’s email server software compares email headers and embedded URLs to information in a database containing information about country black lists, country “white lists,” etc. and assigns a score based on phishing suspicion level. If an email is scored as suspicious, it is moved to a quarantine folder and a descriptive message is added to the subject line, which is sent to the user.

In another approach, Envisional seeds email addresses in public locations such as newsgroups, guest books, bulletin boards and other sites, to be harvested by spammers. The emails received by these honeypot accounts are examined by Envisional’s software to determine which ones are likely to be phishing attempts, and this information can then be used to filter phishing emails.

■ Infringing Domain Name Detection: Attackers often use domain names which mimic legitimate domain names. By detecting registration of infringing domain names, financial institutions can detect phishing websites during the setup phase of the phishing attack life cycle, and can work with law enforcement agencies and others to remove the sites from the network.

A VeriSign service scans websites, Usenet newsgroups and chat groups for brand infringement and traffic diversion. Another firm, Internet Identity, monitors brand names used in Internet domains, prioritizes and resolves domain-related problems, and continually monitors the domain space for unauthorized uses of a company’s brand. A similar service from NameProtect monitors use of brand names in Internet domains, email, images, Usenet, IRC, auctions and search engines.
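The SPF check described under Better Mutual Authentication, as an added example (editor’s code, not the article’s or any vendor’s): it evaluates the IP that delivered a message against the SPF record published for the envelope sender’s domain. The DNS records and domain names are constructed stand-ins embedded in the code; a real evaluator resolves them over DNS and supports the full SPF mechanism set (mx, exists, macros), which this one ignores.

```python
import ipaddress

# Constructed, offline stand-in for DNS: domain -> TXT (SPF) and A records.
# Hypothetical names; nothing is looked up on the network.
DNS = {
    "bank-example.test": {
        "TXT": "v=spf1 ip4:192.0.2.0/24 a include:mailer.example.test -all",
        "A": ["198.51.100.10"],
    },
    "mailer.example.test": {
        "TXT": "v=spf1 ip4:203.0.113.0/25 -all",
        "A": [],
    },
}

# SPF qualifier prefix -> result when the mechanism matches ("+" is implied).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip
    claiming to send mail on behalf of domain, using DNS's SPF record."""
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"  # no policy published (or include: chain too deep)
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = sender_ip in DNS.get(arg or domain, {}).get("A", [])
        elif name == "include":
            # include: matches only when the referenced policy returns 'pass'
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            continue  # mechanisms not implemented here (mx, exists, ...)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


def spf_verdict(mail_from, sender_ip):
    """Evaluate SPF for the domain of an envelope sender address, e.g. a message
    that claims to come from the bank but arrives from an unlisted host."""
    domain = mail_from.rpartition("@")[2].lower()
    return check_spf(domain, sender_ip)
```

A receiving mail server would apply this to the SMTP MAIL FROM address and the connecting IP, and a "fail" on a bank’s domain is a strong signal that the message is impersonating the bank.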
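The registration-monitoring step under Infringing Domain Name Detection can be approximated with a lookalike check such as this added example (editor’s code, not the tooling of VeriSign, Internet Identity or NameProtect). The protected brand labels, the homoglyph table, the edit-distance threshold and the batch of “new registrations” are all constructed; a production monitor would tune the threshold per brand to keep short names from over-matching.

```python
# Constructed sample input: brand labels to protect and one day's batch of
# newly registered domains (hypothetical names, not real registrations).
BRANDS = ["examplebank", "exbank"]
NEW_REGISTRATIONS = [
    "examplebank-secure-login.test",  # brand embedded in a longer label
    "exarnplebank.test",              # 'rn' imitates 'm'
    "examp1ebank.test",               # digit 1 imitates 'l'
    "exampelbank.test",               # transposed letters
    "gardening-tips.test",            # unrelated
    "exbank.test",                    # the brand owner's own registration
]

# Visual substitutions folded back to the letters they imitate.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(label):
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance via the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brands=BRANDS, max_edits=2):
    """Return why a domain's first label mimics a protected brand, or None."""
    label = domain.lower().split(".")[0]
    folded = normalise(label)
    for brand in brands:
        if label == brand:
            return None  # exact brand label: the owner's own name
        if brand in label:
            return f"contains '{brand}'"
        if brand in folded:
            return f"homoglyph of '{brand}'"
        if edit_distance(folded, brand) <= max_edits:
            return f"within {max_edits} edits of '{brand}'"
    return None


def scan(registrations, brands=BRANDS):
    """Filter a registration feed down to (domain, reason) pairs worth review."""
    hits = []
    for domain in registrations:
        reason = classify(domain, brands)
        if reason:
            hits.append((domain, reason))
    return hits
```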

The service reports findings and provides tools for taking action against attackers.

■ Phishing Website Detection: Technologies from Billeo, EarthLink, GeoTrust, Netcraft, PhishFree, Collective Trust, Webroot Software and WholeSecurity alert customers during the collection phase, when target victims are visiting a bogus website.

Billeo provides a browser plug-in with a “traffic light” in the toolbar that turns from green to yellow to red when a user visits a suspicious site. The plug-in compares the URL and Web page with a repository of known phishing sites, and applies a scoring mechanism to determine the site’s alert level. Once a threshold alert level is reached, the traffic light turns red, and the tool prevents the user from entering information on that site. GeoTrust’s browser-based tool notifies users when they are visiting a spoofed website, and rates a website’s ability to allow users to provide confidential information securely.

WholeSecurity’s browser-based tool detects phishing sites by examining URLs, content, text, layout and other aspects of a website; the tool then aims to determine whether a site is suspicious by combining the results of all tests.

■ Phishing Solution Packages: Some firms, including Corillian, Cyota, Cyveillance and MarkMonitor, offer comprehensive service packages that can combat phishing attacks at multiple points in the phishing attack life cycle.

Corillian searches for phishing sites under construction by analyzing bank Web servers’ log activity using a complex set of parsing rules, and Corillian’s software provides information to deactivate phishing sites before they go live. Setup activity is detectable because phishing sites are often built using legitimate site elements, which are retrieved from the bank’s bona fide website. Should phishing sites slip through the cracks and go live, Corillian identifies visitors so financial institutions can identify compromised accounts and notify account holders, and it also collects evidence to find and prosecute attackers.

Cyota helps firms prepare for, respond to, and “clean up” after phishing attacks. Cyota detects phishing attacks using a probe network and other sources. Then, using statistical analysis, behavior models and other utilities, Cyota’s staff evaluates each attack, estimates its severity, and works with ISPs and law enforcement on the bank’s behalf to stop the attack and shut down phishing websites. Cyota then conducts forensic analysis to gather additional information, and works with law enforcement to catch attackers. Cyota also provides tools that help reduce attack risks, minimize impact, and deter future attacks.

Cyveillance checks domain registries for infringing domain names, and it detects and works to shut down phishing sites. Cyveillance deploys Web crawling technology that takes 21 days to cycle through the entire Internet to detect illicit uses of its clients’ brand names, and it monitors spam through its own trapping filters and through relationships with third-party spam filtering companies. Cyveillance also monitors for stolen credit card and/or personal information trafficking.

Lastly, the Internet Crime Prevention and Control Institute (ICPCI) is a private membership-based organization which takes preemptive actions against phishing attacks. The ICPCI operates an Internet Crime First Response Center which analyzes, coordinates and communicates with an array of third-party organizations to stop phishing attacks. It boasts a response time of five minutes from phishing attack detection to actions such as taking down a phishing website.

What’s Next?

Phishing is destined to become a never-ending cat-and-mouse game, in which today’s solutions may not work as well tomorrow. Solution providers and financial institutions must pedal hard to keep up. Because so much is at stake, counter-phishing will continue to attract money and innovation, and vendors will increasingly be called upon to offer integrated solutions that address multiple facets of this complex problem.

Companies Mentioned In This Article

41st Parameter (www.41stparameter.com)
Bharosa (www.bharosa.com)
Billeo (www.billeo.com)
BioPassword (www.biopassword.com)
Collective Trust (no site found)
Corillian (www.corillian.com)
Cyota (www.cyota.com)
Cyveillance (www.cyveillance.com)
Digital Envoy (www.digitalenvoy.com)
EarthLink (www.earthlink.com)
Entrust (www.entrust.com)
Envisional (www.envisional.com)
GeoTrust (www.geotrust.com)
Goodmail (www.goodmail.com)
Ironport (www.ironport.com)
MarkMonitor (www.markmonitor.com)
McAfee (www.mcafee.com)
Microsoft (www.microsoft.com)
NameProtect (www.nameprotect.com)
Netcraft (www.netcraft.com)
PassMark (www.passmark.com)
PhishFree (www.phishfree.com)
Postini (www.postini.com)
Real User (www.realuser.com)
RSA (www.rsasecurity.com)
SafeScrypt (www.safescrypt.com)
ShareCube (www.sharecube.com)
Symantec (www.symantec.com)
Vasco Data Security (www.vasco.com)
VeriSign (www.verisign.com)
Webroot Software (www.webroot.com)
WholeSecurity (www.wholesecurity.com)
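The log-analysis idea attributed to Corillian under Phishing Solution Packages, as an added example (editor’s code, not Corillian’s software): a clone site under construction typically hotlinks the bank’s own images and stylesheets, so requests for those assets carrying a Referer from a foreign host reveal the clone before it goes live. The Apache combined-format log lines, the bank hostnames and the asset list are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Apache "combined" log lines for a hypothetical bank web server.
LOG_LINES = """\
198.51.100.7 - - [10/Feb/2005:09:12:01 -0500] "GET /images/logo.gif HTTP/1.1" 200 4123 "https://www.examplebank.test/" "Mozilla/4.0"
198.51.100.7 - - [10/Feb/2005:09:12:02 -0500] "GET /css/site.css HTTP/1.1" 200 1290 "https://www.examplebank.test/login" "Mozilla/4.0"
203.0.113.9 - - [10/Feb/2005:11:40:17 -0500] "GET /images/logo.gif HTTP/1.1" 200 4123 "http://examplebank-secure-login.test/verify.php" "Mozilla/4.0"
203.0.113.9 - - [10/Feb/2005:11:40:18 -0500] "GET /css/site.css HTTP/1.1" 200 1290 "http://examplebank-secure-login.test/verify.php" "Mozilla/4.0"
203.0.113.9 - - [10/Feb/2005:11:40:19 -0500] "GET /images/padlock.gif HTTP/1.1" 200 812 "http://examplebank-secure-login.test/verify.php" "Mozilla/4.0"
192.0.2.44 - - [10/Feb/2005:12:01:00 -0500] "GET /images/logo.gif HTTP/1.1" 200 4123 "-" "Mozilla/4.0"
192.0.2.45 - - [10/Feb/2005:12:05:00 -0500] "GET /images/logo.gif HTTP/1.1" 200 4123 "http://news.example.test/article" "Mozilla/4.0"
"""

# Fields of the combined format that the check needs: path, status, referer.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
ASSET_SUFFIXES = (".gif", ".png", ".jpg", ".css", ".js")
OWN_HOSTS = {"www.examplebank.test", "examplebank.test"}  # assumed bank hosts


def find_hotlinking_hosts(log_text, own_hosts=OWN_HOSTS, min_assets=2):
    """Return {referer_host: sorted asset paths} for foreign hosts whose pages
    embed the bank's own images or stylesheets. A host is reported only when
    it pulls at least min_assets distinct assets, which filters out a single
    image quoted by a news article or blog."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].lower().endswith(ASSET_SUFFIXES):
            continue
        referer = m["referer"]
        if referer == "-":
            continue  # no Referer header: nothing to attribute the request to
        host = urlsplit(referer).hostname
        if host and host not in own_hosts:
            seen[host].add(m["path"])
    return {host: sorted(paths) for host, paths in seen.items()
            if len(paths) >= min_assets}
```

The reported host is the lead a bank’s security team would hand to its registrar, hosting provider or law enforcement contacts during the setup phase, before any customer has been lured to the page.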
