www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
10 March 2008  

Trend

Have you been ‘phished’ lately?

Reports reveal that phishing is on the rise. Don’t panic. All you need are proactive measures. By Neeraj Gandhi

Internet penetration in the country has gradually increased over the last few years. Coupled with growing awareness, the number of Indians taking the online route for day-to-day transactions, from buying essentials and luxury items to conducting business activities, has also increased considerably. For instance, the number of people buying air tickets online has increased exponentially. The same is the case with online banking.

Simultaneously, this has also placed many Indians on the cyber crime threat radar.

Only last month, a renowned bank suffered losses amounting to Rs. 12 lakh on account of phishing. Investigations revealed that usernames and passwords of at least eight bank accounts were fraudulently acquired to carry out this task. The bank immediately sounded an alert and is believed to have signed a deal with a major security vendor to further ensure a safe online banking experience.

However, is India new to all this? Well, not exactly. There have been reports in the past of phishing attacks launched on enterprises in the BFSI vertical. One thing that has become crystal clear since such incidents came to light is that phishers or cyber criminals are now guided by a strong financial motive when they wage an attack. This is no longer a game for fun.

Phishing scenario

As per the Symantec Internet Security Threat Report released last year, India was ranked fourteenth among countries that hosted phishing Web sites. Mumbai was ranked first in terms of phishing sites with 38%, followed by New Delhi with 29%, and Bangalore and Chennai with 12% each. The report also stated that there were a total of 196,860 unique phishing messages worldwide, an 18% increase over the last six months of 2006. This equates to an average of 1,088 unique phishing messages per day for the first half of 2007 only.

According to CERT-In, of all the cyber intrusion incidents detected in December 2007, 47% were phishing attacks. In numerical terms, a total of 392 phishing attacks were detected last year, of which 24% were directed at financial institutions. Similarly, a report released by the Anti-Phishing Working Group states that at least 28,074 unique phishing incidents were detected in November 2007, and at least 26,630 unique phishing Web sites surfaced during the same period.

As per CERT-In sources, enterprises in the financial services domain (banking, online trading, etc.), organizations in retail, and other enterprises in the e-commerce space are more prone to phishing. In addition, social networking websites have also become a fertile place for phishers to tap into personal information. Phishing messages that emanate from these sites seem more authentic and can easily trap users.

“The brands that are most typically targeted in phishing scams are banks, online auction services, and recruitment services. The first two are targeted because of the ready availability of money through the misdirection of transactions and funds transfers. Recruitment services are targeted mostly to support identity fraud through the acquisition of personal data. At times recruitment ads are used to obtain credit card information,” added Andrew Walls, Research Director, Gartner’s Infrastructure Protection Group.

“Sending phishing e-mails has probably the lowest investment and highest returns. Hence, that’s why we still see a steady increase in phishing. Further, home users do not have anti-phishing solutions deployed at home, resulting in the existence of a large enough and interesting target for criminals,” said Wing Fei Chia, Security Response Team Manager, F-Secure Security Labs.

Changing phishing landscape

Phishing is no longer what it used to be. The motive remains stealing personal information fraudulently, but the end objectives and methods have changed. While the objective has now bent towards financial gain, the methods or techniques have become even more deadly. Phishers now are extensively using this technique to install spyware, Trojans, worms and viruses.

How have they succeeded in doing this? “Phishers are always trying to exploit the weakest link between the monitor and the keyboard—the human. Social engineering is the tactic that phishers use most of the time, always trying to trick the user into believing that the e-mail or Web site is legitimate,” said Chia.

“Phishing is increasing in a rampant manner. It has grown 200% globally and in India. Gauging this as a threat to money, phishing is placed at the top of the list among other security threats. Modern phishing techniques have changed. If the phisher does not succeed in getting the user to divulge the username and password on the Web site, he now tries to infect the machine, and install key loggers to get the information,” said Ambarish Deshpande, Regional Director, India & SAARC, Ironport Systems.

That said, phishing now has become more targeted and more sophisticated. “We are definitely moving towards targeted phishing. The motive is no more stealing personal information or fun; rather it’s only the financial gain involved that is pushing phishers to cross the line every time that they launch an attack. This trend is not limited only to phishing but we are moving towards its deadlier variants—pharming, phreaking, vishing etc.,” said Kartik Shahani, Regional Director, India, McAfee Inc.

That is not all. Every time phishers succeed in launching an attack, they outsmart the security mechanism in place. “With the gamut of anti-phishing solutions that are available in the market, phishers are continuously innovating their attack mechanisms. They are also beginning to use viruses to do their dirty work. These viruses monitor the users’ Internet activities, and spring into action when they visit a particular site, either diverting them to an impostor’s site or capturing their keystrokes,” added Prabhat Kumar Singh, Director – Security Response, Symantec India.

Phishing highlights (November 2007)

Number of unique phishing reports: 28,074
Number of unique phishing sites: 23,630
Number of brands hijacked by phishing campaigns: 178
Number of brands comprising the top 80% of phishing campaigns: 17
Country hosting the most phishing websites: United States
Incidents that contained some form of target name in URL: 34.30%
Incidents with no hostname, just IP address: 6%
Average time online for site: 3 days
Longest time online for site: 30 days

Source: Anti-Phishing Working Group

According to CERT-In sources, phishers are inventing innovative bait to trap users. They have a large tackle box of tools available to them with which to wage an attack. This box includes tools like bots, phishing kits, technical deceit, session hijacking, abuse of the domain name service, and specialized malware.

“Some frauds are now being performed through the use of complex peer-to-peer (P2P) environments with encrypted data links and automated redirection and relocation of phishing code. Gartner has analyzed data in the US that indicates losses of around $3.2 billion in the US between August 2006 and August 2007,” said Walls.

“Phishers today use IP addresses as part of the hostname instead of a domain name. This is a tactic used to hide the actual fake domain name, which otherwise can be easily noticed. Also, many banks use IP addresses in their web site URLs. This makes it confusing for customers to distinguish a legitimate IP address from a fake one,” added Singh.
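
Two of the signals mentioned above, an IP address standing in for the hostname and a target brand name appearing in a URL the brand does not own, can be checked mechanically. The following Python is an added example, not part of the original article; the brand allow-list and sample URLs are constructed, and because some banks also use IP addresses in their URLs, the findings are signals to triage rather than verdicts.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list (assumption): brand token -> domains the brand really uses.
BRANDS = {"examplebank": {"examplebank.example"}}

def host_as_ip(host):
    """Return an ip_address if `host` is an IP literal, else None.

    Covers dotted IPv4, IPv6, and the single-integer / hex IPv4 spellings
    (e.g. 3221225994 or 0xC000020A) that many URL parsers also accept.
    """
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        n = int(host, 0)  # base 0: decimal or 0x-prefixed hex
    except ValueError:
        return None
    return ipaddress.IPv4Address(n) if 0 <= n < 2**32 else None

def url_findings(url):
    """List the heuristic signals a URL trips; an empty list means none."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if host_as_ip(host) is not None:
        findings.append("ip-literal-host")
    # Look for the brand token anywhere in host, path or query.
    haystack = f"{host}{parts.path}?{parts.query}".lower()
    for brand, legit in BRANDS.items():
        on_legit = any(host == d or host.endswith("." + d) for d in legit)
        if brand in haystack and not on_legit:
            findings.append(f"brand-in-url:{brand}")
    return findings

# Constructed sample URLs (documentation address ranges and reserved TLDs).
SAMPLES = [
    "https://www.examplebank.example/login",
    "http://192.0.2.10/examplebank/login.php",
    "http://0xC000020A/signin",
    "http://examplebank.example.secure-login.test/verify",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, url_findings(u))
```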

Some of the factors responsible for this huge influx of phishing attacks include financial gain, which is perhaps one of the biggest motivators; unawareness of the threat among users; increased technical sophistication of attacks; and lack of awareness of policies. There are other factors as well, said Deshpande: “In relative terms phishing is easy money. There are no violent turf wars, the phishers don’t have to see their victim, there are few people and almost no police to deal with, the crime happens from another country, and of course phishers don’t have to stand on street corners in bad weather.”

So, is India safe?

Emerging reports indicate that there has been a rise in the number of phishing incidents in the country, with organizations in the BFSI space being the favorite for phishers. The same is the case for the BFSI vertical worldwide. The situation calls for concern, and not panic. “Phishing is on the rise in the Indian subcontinent. It has become a big enough threat for someone to sit up and take notice and develop an anti-phishing solution. Simultaneously, India is not different from most other countries in the world when we talk about phishing. Attributing the use of plastic money, phishing attempts may vary from country to country,” said Shahani.

“There are four key items to monitor when it comes to phishing: How many people received phishing messages? How many corporate brands were affected by phishing attacks? Which countries are home to the phishing servers? How many phishing servers are in operation?

It does not appear that India is a world leader in any of these areas (which is a good thing!). The Republic of Korea, America, and China consistently host more phishing sites than most other countries,” added Walls.

Phishing is dangerous in the sense that on one side it steals critical information to amass money, and on the other it forces the organizations that have been attacked to think about closing their online application, which eventually leads to losses. In both scenarios, it is the company that suffers. This should in no way deter enterprises, nor should it make users shy away from using such services. Essentially, the ROI that the application helps generate is greater than the risk involved. For enterprises it involves cost cutting, and for users it’s about ease and convenience.

Phishing trends to watch out for

Phlash Phishing: Phishers have also started building Web sites using Macromedia Flash. This makes it harder to analyze the page, and to determine whether a page is malicious or not. This could easily bypass any anti-phishing toolbars.

Rock Phish: Use of a proxy system that relays requests to a back-end server system loaded with a large number of fake bank Web sites. It shares hosts, so if one is removed the site automatically switches to working machines that are still hosting a copy of the proxy.

Fast Flux Phishing: In this case the domain resolves to a set of five addresses for a short period, then switches to another five. A large number of compromised machines are used. Agility makes it almost impractical to take down the hosts.

Spear Phishing: This describes any targeted phishing attack. Spear phishers send e-mail that appears genuine to the employees of a particular company, government agency, organization or group.

Vishing: Also called Voice Phishing, this is an attempt to leverage the Voice over Internet Protocol (VoIP) to scam users into disclosing personal information.

SilentBanker: A banking Trojan that has been circulating widely. It propagates through the Web or is dropped by other malware, and automatically gets executed on a user's system. It is capable of defeating the two-factor authentication system implemented by banks or financial institutions. It can intercept transactions carried out by users and change the user-entered destination bank account details to the attacker's account details without being noticed by the user.
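
The fast-flux pattern in the list above (a domain resolving to one set of five addresses, then switching to another five) shows up in DNS resolution logs as many distinct addresses behind short TTLs within a short period. The following Python is an added example, not from the original article; the observation format, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

def _ips(prefix, start, n=5):
    """Helper for building constructed address sets."""
    return [f"{prefix}.{i}" for i in range(start, start + n)]

# Constructed observations: (unix_time, domain, ttl_seconds, A records).
OBSERVATIONS = [
    (0,   "login-update.test", 180, _ips("198.51.100", 1)),
    (200, "login-update.test", 180, _ips("198.51.100", 6)),
    (400, "login-update.test", 180, _ips("203.0.113", 1)),
    (0,   "www.examplebank.example", 3600, ["192.0.2.10", "192.0.2.11"]),
    (400, "www.examplebank.example", 3600, ["192.0.2.10", "192.0.2.11"]),
    (0,   "cdn.shop.example", 60, _ips("192.0.2", 20, 4)),   # short TTL, stable set
    (300, "cdn.shop.example", 60, _ips("192.0.2", 20, 4)),
]

def flux_candidates(observations, window=3600, min_ips=10, max_ttl=300):
    """Return {domain: distinct_ip_count} for domains whose address set rotates.

    A domain is flagged when, inside some `window`-second span, it answered
    with at least two different address sets, every answer had a TTL of at
    most `max_ttl`, and the union of addresses reaches `min_ips` (two full
    sets of five by default).
    """
    by_domain = defaultdict(list)
    for ts, domain, ttl, addrs in observations:
        by_domain[domain.lower().rstrip(".")].append((ts, ttl, frozenset(addrs)))

    flagged = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r[0])
        best = 0
        for i, (start, _, _) in enumerate(rows):
            in_win = [r for r in rows[i:] if r[0] - start <= window]
            ips = set().union(*(r[2] for r in in_win))
            rotations = len({r[2] for r in in_win})
            if rotations >= 2 and max(r[1] for r in in_win) <= max_ttl:
                best = max(best, len(ips))
        if best >= min_ips:
            flagged[domain] = best
    return flagged

if __name__ == "__main__":
    print(flux_candidates(OBSERVATIONS))
```

Requiring both a rotating address set and short TTLs keeps a stable short-TTL load-balanced name, such as the constructed `cdn.shop.example`, out of the results.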

That said, we have had the benefit of starting late in the online space. This has given us the opportunity to learn from what has transpired in the rest of the world. Security vendors and nodal government agencies have undertaken several research initiatives to identify new threats as and when they emerge, and have organized information exchange, awareness programs, etc. Enterprises which have faced phishing attempts in the past have also come out in the open to make users aware, which is a good sign.

Essentially, there is no such thing as absolute security. As long as there are gullible elements on the Web, phishers will continue to target them. This holds true for any country and India is no exception to this rule. What the situation requires is a proactive approach from vendors and other agencies. Simultaneously, users should act with caution when they use an online service.

As per Gartner, corporations in 38 states across the USA have adopted a policy of disclosing security breaches to the public. This has helped consumers select banks and other online merchants. Such a policy could also help consumers in India and would eventually lead to a more secure environment.

neeraj.gandhi@expressindia.com

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.