What's Phishing?

"Phishing" is basically what it sounds like, but not how it's spelt. Briefly, it is the act of sending an email that falsely claims to come from an established, legitimate enterprise, in an attempt to persuade the recipient to surrender private information that will subsequently be used for identity theft. Usually the email directs the user to visit a website where they are asked to "update" personal information such as passwords, credit card numbers and bank account numbers, all of which the legitimate organisation should already have. However, the website is bogus and set up for one reason only: to steal this information from its owner. The idea behind phishing (also referred to as brand spoofing or carding) is that bait is thrown out in the knowledge that, while most will ignore it, some will be tempted into biting.
Staying Out of the Phisher-man's Net

As reported in November's issue of Lavasoft News, phishing scams, most often fraudulent e-mails that dupe users into giving up their personal information by masquerading as legitimate institutions, were one of 2006's major cyber security issues. A new type of phishing attack, expected to be lucrative in 2007, is a slight variation that acts as a middleman between the victim and the genuine website. Encryption company RSA discovered a "universal" man-in-the-middle phishing kit being hawked in online forums. The kit allows attackers to create bogus URLs that communicate with both the end user and the legitimate website in real time. Standard phishing attacks only collect specific requested data (usually login and card-related information), but this form intercepts any type of credentials submitted to the site after the victim has logged into his or her account. The victim receives a normal-looking phishing e-mail and, on clicking the link, is directed to the fake site. The victim then interacts with genuine content from the legitimate website, which the attack has 'imported' into the phishing URL. This means the fraudster can make an immediate financial transaction.

PayPal, whose website is often spoofed by phishers hoping to steal user account information, is doing its best to keep its customers from taking the bait. It plans to offer a new two-factor authentication system for $5 US. The security key is a small electronic device that calculates a new numeric password every 30 seconds. Logging onto the online payment service will require users to enter their regular password as well as the number displayed on the key. "If you fall for a phishing scam and give away your user name and password...if you used the PayPal Security Key, a third party couldn't get to your account because they wouldn't have this dynamic digit," said Sara Bettencourt with PayPal.

The key will be beta-tested over the next few months, with a public release later this year. Several financial institutions, which are also often the targets of phishers, are testing similar one-time password products, such as VeriSign's tokens. A select number of banks in the U.S. are also testing new software called BioPassword, which resides on the banks' web servers and analyses typing rhythms to allow or deny access. These products, designed to add a second layer of authentication to online transactions, come as new federal guidelines in the United States call on banks to establish multi-layer authentication security protocols for customer log-ins. "As institutions put additional online security measures in place, inevitably the fraudsters are looking at new ways of duping innocent victims and stealing their information and assets," said Marc Gaffan, director of marketing in the Consumer Solutions division at RSA. "While these types of attacks (man-in-the-middle attacks) are still considered 'next generation,' we expect them to become more widespread over the course of the next 12 to 18 months."

As long as there are groups like Rock Phish around, the banks should definitely be implementing several layers of security. Experts estimate this group is one of the most prominent in operation today, costing financial institutions like Citibank and Deutsche Bank more than $100 million US to date. A real cause for concern is Rock Phish's ability to stay one step ahead of the game. According to Symantec's Zulfikar Ramzan, just as browsers have been building phishing filters into their products, the group is already hard at work creating URLs so its messages can fly under the "blacklist" radar of identified phishing addresses. If the messages keep getting through and people keep clicking, the phishers' catch in 2007 will be big. Gartner estimates financial losses due to phishing totaled $2.8 billion US last year.
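The "dynamic digit" that changes every 30 seconds is a time-based one-time password. The example below is added here and is not code from the page, from PayPal or from RSA (the page does not describe the real key's algorithm); it implements the standard RFC 4226/6238 HOTP/TOTP scheme with an assumed 6-digit code and 30-second step, using the RFC's published test secret, plus a server-side check that refuses a replayed or expired code.

```python
import hashlib
import hmac
import struct

# Assumed parameters (RFC 4226/6238 defaults, not PayPal's actual scheme).
DIGITS = 6
STEP_SECONDS = 30
# RFC 6238's published test secret, used here as constructed sample input.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def time_step(unix_time: float) -> int:
    return int(unix_time // STEP_SECONDS)


def totp(secret: bytes, unix_time: float) -> str:
    """The number the key would display at a given moment."""
    return hotp(secret, time_step(unix_time))


class Verifier:
    """Server side: accepts only the code for the current step, and never the
    same step twice, so a code captured by a phishing page is useless once its
    window has passed or once the victim has already used it."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1

    def check(self, submitted: str, unix_time: float) -> bool:
        step = time_step(unix_time)
        if step <= self.last_accepted_step:
            return False  # replay of an already-used window, or an older one
        expected = hotp(self.secret, step)
        if not hmac.compare_digest(expected, submitted):
            return False
        self.last_accepted_step = step
        return True


if __name__ == "__main__":
    v = Verifier(SECRET)
    stolen = totp(SECRET, 59)          # code a phishing page captured at t=59
    print("victim logs in:   ", v.check(stolen, 59))   # True
    print("replay same window:", v.check(stolen, 75))  # False: step already used
    print("reuse a minute on: ", v.check(stolen, 120)) # False: code has expired
```

A relay that forwards the code to the real site within the same 30-second window would still be accepted, which is exactly the gap the man-in-the-middle kit described above exploits; the check here only defeats reuse after the fact.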
The Rotary name and logo are the exclusive property of Rotary International. Material on this site is Copyright.
Last modified: 11 Jan 2008 14:56